Identity Protection: Confirm User Compromised

Confirm one or more accounts as compromised users using Microsoft Graph.

  • This action sets the targeted user’s risk level to high.
  • Conditional Access Policy applying to this risk level will apply.

For delegated scenarios, the signed-in user must have one of the following Azure AD roles:

  • Security Administrator
  • Global Administrator

Audit Log Record

  • Service: Identity Protection
  • Category: Other
  • Activity: ConfirmAccountCompromised
  • Status reason: Dismiss Success. Item updated: 1. Action type: ConfirmAccountCompromised


Connect-MgGraph -Scopes @('IdentityRiskyUser.ReadWrite.All')
$userIds = @('')
if ($userIds.Count -gt 0) {
    Confirm-MgRiskyUserCompromised -UserIds $userIds


Microsoft Graph SDK for PowerShell

Install-Module Microsoft.Graph -AllowClobber -Force


Using the Microsoft Graph Command Line Tools Enterprise Application:

Connect-MgGraph -Scopes @('')

Using an existing Access Token:

Connect-MgGraph -AccessToken (ConvertTo-SecureString 'ey..' -AsPlainText -Force)

Using an Application Registration (Platform: Mobile and desktop applications, redirect http://localhost):

Connect-MgGraph -ClientId 'abc..' -TenantId 'abc..'

Using a ClientId and Secret (Password):

$tenantId = ''
$clientId = ''
$secret = ConvertTo-SecureString '' -AsPlainText -Force
$secretCredential = New-Object System.Management.Automation.PSCredential ($clientId, $secret)
$params = @{
    'SecretCredential' = $secretCredential
    'TenantId'         = $tenantId
Connect-MgGraph @params