| title | identityAccounts: invokeAction |
|---|---|
| description | Perform available actions for identity security identity accounts. This action allows reading and performing identity security actions on behalf of the signed-in identity. |
| author | SamuelBenichou |
| ms.date | 06/22/2025 |
| ms.localizationpriority | medium |
| ms.subservice | security |
| doc_type | apiPageType |
Namespace: microsoft.graph.security
[!INCLUDE beta-disclaimer]
Perform actions such as revoking accounts and forcing password reset for identity accounts that are observed in Microsoft Defender for Identity. This action allows reading and performing identity security actions on behalf of the signed-in identity.
[!INCLUDE national-cloud-support]
One of the following permissions is required to call this API. Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
[!INCLUDE permissions-table]
[!INCLUDE rbac-security-identity-accounts-apis]
POST /security/identities/identityAccounts/{identityAccountsId}/invokeAction| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
In the request body, supply a JSON representation of the parameters.
The following table lists the parameters that are required when you call this action.
| Parameter | Type | Description |
|---|---|---|
| accountId | String | The identifier of the account to perform the action on. |
| action | microsoft.graph.security.action | The type of action to perform on the account. The possible values are: disable, enable, forcePasswordReset, revokeAllSessions, requireUserToSignInAgain, markUserAsCompromised. |
| identityProvider | microsoft.graph.security.identityProvider | The identity provider associated with the account. The possible values are: entraID, activeDirectory, okta. |
The following table shows the identity providers supported for each action value type:
| Action Value | Description | Supported identity providers |
|---|---|---|
| Disable | Disable account. The account is unable to authenticate. If the account recently logged in, it doesn't have access to resources. | activeDirectory, okta |
| Enable | Enable account. | activeDirectory, okta |
| ForcePasswordReset | Force password reset of the account. | activeDirectory |
| RevokeAllSessions | Revoke all of active sessions for the account. | okta |
If successful, this action returns a 200 OK response code and a invokeActionResult in the response body.
The following example shows a request.
POST https://graph.microsoft.com/beta/security/identities/identityAccounts/0104216-0539-4838-88b1-55baafdc296b/invokeAction
Content-Type: application/json
{
"accountId": "256db173-930a-4991-9061-0d51a9a93ba5",
"action": "disable",
"identityProvider": "activeDirectory"
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-Type: application/json
{
"value":
{
"accountId": "256db173-930a-4991-9061-0d51a9a93ba5",
"action": "disable",
"provider": "activeDirectory",
"correlationId": "ed2f052b-2a01-4cd9-acb3-f6145f83e1a5"
}
}Note
Actions related to Entra ID are not covered in the current scope.