| title | riskyAgent resource type |
|---|---|
| description | Represents the Microsoft Entra agents that are at risk as evaluated by Microsoft Entra ID Protection based on various signals and machine learning. |
| author | jiayle27 |
| ms.date | 11/27/2025 |
| ms.localizationpriority | medium |
| ms.subservice | entra-sign-in |
| doc_type | resourcePageType |
Namespace: microsoft.graph
[!INCLUDE beta-disclaimer]
Represents the Microsoft Entra agents that are at risk as evaluated by Microsoft Entra ID Protection based on various signals and machine learning. This API provides programmatic access to all at-risk agents in your Microsoft Entra tenant, the @odata.type indicates the exact type of this agent. The supported types are riskyAgentIdentity, riskyAgentIdentityBlueprintPrincipal, and riskyAgentUser.
Inherits from entity.
| Method | Return type | Description |
|---|---|---|
| List | riskyAgent collection | Get a list of the riskyAgent objects and their properties. |
| Get | riskyAgent | Read the properties and relationships of riskyAgent object. |
| Dismiss | None | Dismiss the risk of one or more riskyAgent objects. |
| Confirm compromised | None | Confirm one or more riskyAgent objects as compromised. |
| Confirm safe | None | Confirm one or more riskyAgent objects as safe. |
| Property | Type | Description |
|---|---|---|
| agentDisplayName | String | Name of the agent. Supports $filter (eq, startsWith). |
| blueprintId | String | The identifier of the blueprint associated with the agent. Nullable. |
| id | String | The object id of the riskyAgentIdentity, riskyAgentIdentityBlueprintPrincipal or riskyAgentUser. Inherited from entity. Supports $filter (eq, startsWith). |
| identityType | agentIdentityType | The type of agent identity. The possible values are: agentIdentity, agentUser, unknownFutureValue, agentIdentityBlueprintPrincipal. You must use the Prefer: include-unknown-enum-members request header to get the following value in this evolvable enum: agentIdentityBlueprintPrincipal. Required. Supports $filter (eq). |
| isDeleted | Boolean | Indicates whether the agent is deleted. |
| isEnabled | Boolean | Indicates whether the agent is enabled. |
| isProcessing | Boolean | Indicates whether an agent's risky state is processing in the backend. |
| riskDetail | riskDetail | Details of the detected risk of the agent. Supports $filter (eq). |
| riskLastModifiedDateTime | DateTimeOffset | The date and time that the risky agent was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $filter (eq, le, and ge). |
| riskLevel | riskLevel | Level of the detected risky agent. The possible values are: low, medium, high, hidden, none, unknownFutureValue. Supports $filter (eq). |
| riskState | riskState | State of the agent's risk. The possible values are: none, confirmedSafe, dismissed, atRisk, confirmedCompromised, unknownFutureValue. Supports $filter (eq). |
None.
The following JSON representation shows the resource type.
{
"@odata.type": "#microsoft.graph.riskyAgent",
"id": "String (identifier)",
"agentDisplayName": "String",
"blueprintId": "String",
"identityType": "String",
"isDeleted": "Boolean",
"isEnabled": "Boolean",
"isProcessing": "Boolean",
"riskLastModifiedDateTime": "String (timestamp)",
"riskState": "String",
"riskLevel": "String",
"riskDetail": "String"
}