Retrieve the same list of “Active”Risky users (as in portal) using KQL with Log Analytics Workspace
We have enabled the Diagnostic Settings to capture Risky users in our Azure Entra ID.
I want to automate a daily Risky Users report using Logic Apps for the support teams. For this I need a query to show me the list of Risky Users as they are Azure Portal (Please refer attached Image). If someone has already a query for this can you please share which captures all Risky users with Risky Signins.
Overall I want to capture all Risky Users with Risky SignIns.
So far I am working on this query , but this is not showing every user as in the report.
AADRiskyUsers
| where RiskLastUpdatedDateTime > ago(1d)
| where RiskLevel in ( “high” , “medium” )
| where RiskState == “atRisk”
| take 100
We have enabled the Diagnostic Settings to capture Risky users in our Azure Entra ID.I want to automate a daily Risky Users report using Logic Apps for the support teams. For this I need a query to show me the list of Risky Users as they are Azure Portal (Please refer attached Image). If someone has already a query for this can you please share which captures all Risky users with Risky Signins. Overall I want to capture all Risky Users with Risky SignIns. So far I am working on this query , but this is not showing every user as in the report. AADRiskyUsers
| where RiskLastUpdatedDateTime > ago(1d)
| where RiskLevel in ( “high” , “medium” )
| where RiskState == “atRisk”
| take 100 Read More