Identity Protection: Confirm User Compromised

Confirm one or more user accounts as compromised using Microsoft Graph.

  • This action sets the targeted user’s risk level to high.
  • Any Conditional Access policy that targets this risk level will then apply to the user.

For delegated scenarios, the signed-in user must have one of the following Azure AD roles:

  • Security Administrator
  • Global Administrator

Audit Log Record

  • Service: Identity Protection
  • Category: Other
  • Activity: ConfirmAccountCompromised
  • Status reason: Dismiss Success. Item updated: 1. Action type: ConfirmAccountCompromised

PowerShell

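Connect-MgGraph -Scopes @('IdentityRiskyUser.ReadWrite.All')
# Object IDs of the users to confirm as compromised
$userIds = @('')
# Drop empty entries: @('') has Count 1, so a blank placeholder would otherwise be submitted
$userIds = @($userIds | Where-Object { $_ })
if ($userIds.Count -gt 0) {
    Confirm-MgRiskyUserCompromised -UserIds $userIds
}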
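
The following is an added example, not part of the original page: it validates the input IDs, confirms the users as compromised, then reads back each user's risk state and the ConfirmAccountCompromised audit records described above. The function name Confirm-CompromisedAndVerify, the placeholder ID, the look-back window and the extra AuditLog.Read.All scope for the audit query are assumptions.

```powershell
# Added example. Function name, sample ID and look-back window are hypothetical.
function Confirm-CompromisedAndVerify {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $UserIds,
        [int] $LookBackMinutes = 15
    )

    # Keep only well-formed, unique object IDs (GUIDs); blanks and UPNs are dropped.
    $valid = @($UserIds | Where-Object { $_ -as [guid] } | Sort-Object -Unique)
    if ($valid.Count -eq 0) { throw 'No valid user object IDs supplied.' }

    # Timestamp taken before the change, used to scope the audit query.
    $since = (Get-Date).ToUniversalTime().AddMinutes(-$LookBackMinutes).ToString('yyyy-MM-ddTHH:mm:ssZ')

    # Honors -WhatIf / -Confirm so the change can be rehearsed first.
    if ($PSCmdlet.ShouldProcess(($valid -join ', '), 'Confirm compromised (risk level -> high)')) {
        Confirm-MgRiskyUserCompromised -UserIds $valid
    }

    # Read back the risk state of each targeted user.
    $users = foreach ($id in $valid) {
        Get-MgRiskyUser -RiskyUserId $id |
            Select-Object Id, UserPrincipalName, RiskLevel, RiskState, RiskDetail
    }

    # Audit records for the activity named in the Audit Log Record section.
    $filter = "activityDisplayName eq 'ConfirmAccountCompromised' and activityDateTime ge $since"
    $audit = Get-MgAuditLogDirectoryAudit -Filter $filter -All |
        Select-Object ActivityDateTime, LoggedByService, Category, Result, ResultReason

    [pscustomobject]@{ Users = $users; AuditRecords = $audit }
}

# AuditLog.Read.All is assumed here for the audit query; the page lists only the first scope.
Connect-MgGraph -Scopes @('IdentityRiskyUser.ReadWrite.All', 'AuditLog.Read.All')

# Constructed placeholder ID: replace with real object IDs. -WhatIf performs a dry run.
$result = Confirm-CompromisedAndVerify -UserIds @('00000000-0000-0000-0000-000000000000') -WhatIf
$result.Users | Format-Table
$result.AuditRecords | Format-Table
```

Audit records can take a few minutes to appear, so an empty AuditRecords result immediately after the call does not by itself mean the action failed.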

Dependencies

Microsoft Graph SDK for PowerShell

Install-Module Microsoft.Graph -AllowClobber -Force

Connect-MgGraph

Using the Microsoft Graph Command Line Tools Enterprise Application:

Connect-MgGraph -Scopes @('')

Using an existing Access Token:

Connect-MgGraph -AccessToken (ConvertTo-SecureString 'ey..' -AsPlainText -Force)

Using an Application Registration (Platform: Mobile and desktop applications, redirect http://localhost):

Connect-MgGraph -ClientId 'abc..' -TenantId 'abc..'

Using a ClientId and Secret (Password):

$tenantId = ''
$clientId = ''
$secret = ConvertTo-SecureString '' -AsPlainText -Force
$secretCredential = New-Object System.Management.Automation.PSCredential ($clientId, $secret)
$params = @{
    'SecretCredential' = $secretCredential
    'TenantId'         = $tenantId
}
Connect-MgGraph @params