| title | agentRiskDetection resource type |
|---|---|
| description | Represents the agentic risk detections as evaluated by Microsoft Entra ID Protection based on various signals and machine learning. |
| author | jiayle27 |
| ms.date | 11/27/2025 |
| ms.localizationpriority | medium |
| ms.subservice | entra-sign-in |
| doc_type | resourcePageType |
Namespace: microsoft.graph
[!INCLUDE beta-disclaimer]
Represents the agentic risk detections as evaluated by Microsoft Entra ID Protection based on various signals and machine learning.
Inherits from entity.
| Method | Return type | Description |
|---|---|---|
| List | agentRiskDetection collection | Get a list of the agentRiskDetection objects and their properties. |
| Get | agentRiskDetection | Read the properties and relationships of agentRiskDetection object. |
| Property | Type | Description |
|---|---|---|
| activityDateTime | DateTimeOffset | Date and time that the risky activity occurred. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $filter (eq, le, and ge). |
| additionalInfo | String | Additional information associated with the risk detection. |
| agentDisplayName | String | Name of the agent. Supports $filter (eq, startsWith). |
| agentId | String | The unique identifier for the agent. This is equivalent to 'id' to the specific agent type. See riskyAgentIdentity, riskyAgentIdentityBlueprintPrincipal, and riskyAgentUser. Supports $filter (eq, startsWith). |
| blueprintId | String | The identifier of the blueprint associated with the agent. Nullable. |
| detectedDateTime | DateTimeOffset | Date and time that the risk was detected. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $filter (eq, le, and ge). |
| detectionTimingType | riskDetectionTimingType | Timing of the detected risk (real-time/offline). The possible values are: notDefined, realtime, nearRealtime, offline, unknownFutureValue. |
| id | String | Unique ID of the risk detection. Inherited from entity. |
| identityType | agentIdentityType | The type of agent identity associated with this risk detection. The possible values are: agentIdentity, agentUser, unknownFutureValue, agentIdentityBlueprintPrincipal. You must use the Prefer: include-unknown-enum-members request header to get the following value in this evolvable enum: agentIdentityBlueprintPrincipal. Required. Supports $filter (eq). |
| lastModifiedDateTime | DateTimeOffset | Date and time that the risk detection was last updated. Supports $filter (eq, le, and ge). |
| riskDetail | riskDetail | Details of the detected risk. Supports $filter (eq). |
| riskEventType | String | The type of risk event detected. Supports $filter (eq). |
| riskEvidence | String | Evidence on the risky activity occurred. Supports $filter (eq). |
| riskLevel | riskLevel | Level of the detected risk. The possible values are: low, medium, high, hidden, none, unknownFutureValue. Supports $filter (eq). |
| riskState | riskState | The state of a detected agentic risk. The possible values are: none, confirmedSafe, dismissed, atRisk, confirmedCompromised, unknownFutureValue. Supports $filter (eq). |
| source | String | The source system that generated the risk detection. Nullable. |
None.
The following JSON representation shows the resource type.
{
"@odata.type": "#microsoft.graph.agentRiskDetection",
"id": "String (identifier)",
"agentId": "String",
"agentDisplayName": "String",
"blueprintId": "String",
"identityType": "String",
"activityDateTime": "String (timestamp)",
"detectedDateTime": "String (timestamp)",
"detectionTimingType": "String",
"lastModifiedDateTime": "String (timestamp)",
"riskDetail": "String",
"riskLevel": "String",
"riskState": "String",
"riskEventType": "String",
"riskEvidence": "String",
"additionalInfo": "String",
"source": "String"
}