fbpx

Sync Azure Active Directory Risk Events with a SharePoint list for all customer tenants

Sync Azure Active Directory Risk Events with a SharePoint list for all customer tenants

Azure Active Directory Risk Event Register on SharePoint List

According to Microsoft, the vast majority of security breaches occur when attackers gain access to data using a compromised identity. To help combat this, Azure Active Directory uses machine learning and advanced heuristics to identify suspicious activities and generate risk events.

These risk events are generated for:

  • Users with leaked credentials
  • Users signing in from anonymous IP addresses
  • Impossible travel events
  • Sign-ins from infected devices
  • Sign-ins from suspicious IP Addresses
  • Sign-ins from unfamiliar locations

Right now these events are only available in Azure AD premium plans. For more information on them, see here: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events

If you are managing a single tenant and have Azure AD Premium P1 or P2, risk events can be easily accessed via the Azure AD Admin portal here.

If you are a Microsoft Partner and need visibility across risk events for all customer tenants, you can access them using the Microsoft Graph API. This article will show you how to sync these risk events with a SharePoint list, and set up alerts to your email or service desk.

This guide consists of three sections:

  1. Create an Azure AD App with Access to your customer tenants’ risk events
  2. Sync the Azure AD risk events with a SharePoint List using PowerShell
  3. Add an alert to the SharePoint list to get notified of new risk events

Create an Azure AD application with access to your customer’s Azure AD risk Events

The below script will create an application in your Office 365 organization that has permission to access your customer tenants’ risk events.

Prerequisites

  • This script will need to be run as a Global Administrator in your tenant
  • This script requires the Azure AD Module. You can install this by opening PowerShell as an Administrator and running:
    Install-Module AzureAD
  • If you are running this in a non-Microsoft Partner tenant, remove the following three lines from the script.
        # This provides the application with access to your customer tenants.
        $group = Get-AzureADGroup -Filter "displayName eq 'Adminagents'"
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $servicePrincipal.ObjectId

How to create an Azure AD application with access to customer Azure AD risk events via PowerShell

  • Double click the below script to select it
  • Copy and paste it into Visual Studio Code
  • Save it with a .ps1 extension
  • Install the recommended PowerShell extension if you haven’t already
  • Update the $homepage and $appIdURI variables to use a verified domain in your own tenant.
  • Press F5 to run it, sign in with your Global Admin Credentials and wait for it to complete. (Note that the output may vary slightly from this screenshot)Creating Azure AD Application Via Power Shell
  • Retrieve the Application’s Client ID and secret from the CSV located at C:\temp\AzureADApps.csv. Remember to delete the CSV when complete. Note that this screenshot is just a sample.Exported Info for Azure Ad App

PowerShell script to create an Azure AD application with access to Microsoft Graph

# This script needs to be run by an admin account in your Office 365 tenant
# This script will create an Azure AD app in your organisation with permission
# to access resources in yours and your customers' tenants.
# It will export information about the application to a CSV located at C:\temp\.
# The CSV will include the Client ID and Secret of the application, so keep it safe.
   
# Confirm C:\temp exists
$temp = Test-Path -Path C:\temp
if ($temp) {
    #Write-Host "Path exists"
}
else {
    Write-Host "Creating Temp folder"
    New-Item -Path C:\temp -ItemType directory
}
   
$applicationName = "GCITS Risk Event Manager"
   
# Change this to true if you would like to overwrite any existing applications with matching names. 
$removeExistingAppWithSameName = $false
# Modify the homePage, appIdURI and logoutURI values to whatever valid URI you like. 
# They don't need to be actual addresses, so feel free to make something up.
$homePage = "https://secure.gcits.com"
$appIdURI = "https://secure.gcits.com/$((New-Guid).ToString())"
$logoutURI = "https://portal.office.com"
   
$URIForApplicationPermissionCall = "https://graph.microsoft.com/beta/identityRiskEvents"
$ApplicationPermissions = "IdentityRiskEvent.Read.All IdentityriskyUser.Read.All Directory.Read.All Sites.Manage.All"
   
Function Add-ResourcePermission($requiredAccess, $exposedPermissions, $requiredAccesses, $permissionType) {
    foreach ($permission in $requiredAccesses.Trim().Split(" ")) {
        $reqPermission = $null
        $reqPermission = $exposedPermissions | Where-Object {$_.Value -contains $permission}
        Write-Host "Collected information for $($reqPermission.Value) of type $permissionType" -ForegroundColor Green
        $resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
        $resourceAccess.Type = $permissionType
        $resourceAccess.Id = $reqPermission.Id    
        $requiredAccess.ResourceAccess.Add($resourceAccess)
    }
}
   
Function Get-RequiredPermissions($requiredDelegatedPermissions, $requiredApplicationPermissions, $reqsp) {
    $sp = $reqsp
    $appid = $sp.AppId
    $requiredAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
    $requiredAccess.ResourceAppId = $appid
    $requiredAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
    if ($requiredDelegatedPermissions) {
        Add-ResourcePermission $requiredAccess -exposedPermissions $sp.Oauth2Permissions -requiredAccesses $requiredDelegatedPermissions -permissionType "Scope"
    } 
    if ($requiredApplicationPermissions) {
        Add-ResourcePermission $requiredAccess -exposedPermissions $sp.AppRoles -requiredAccesses $requiredApplicationPermissions -permissionType "Role"
    }
    return $requiredAccess
}
Function New-AppKey ($fromDate, $durationInYears, $pw) {
    $endDate = $fromDate.AddYears($durationInYears) 
    $keyId = (New-Guid).ToString()
    $key = New-Object Microsoft.Open.AzureAD.Model.PasswordCredential($null, $endDate, $keyId, $fromDate, $pw)
    return $key
}
   
Function Test-AppKey($fromDate, $durationInYears, $pw) {
   
    $testKey = New-AppKey -fromDate $fromDate -durationInYears $durationInYears -pw $pw
    while ($testKey.Value -match "\+" -or $testKey.Value -match "/") {
        Write-Host "Secret contains + or / and may not authenticate correctly. Regenerating..." -ForegroundColor Yellow
        $pw = Initialize-AppKey
        $testKey = New-AppKey -fromDate $fromDate -durationInYears $durationInYears -pw $pw
    }
    Write-Host "Secret doesn't contain + or /. Continuing..." -ForegroundColor Green
    $key = $testKey
   
    return $key
}
   
Function Initialize-AppKey {
    $aesManaged = New-Object "System.Security.Cryptography.AesManaged"
    $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
    $aesManaged.BlockSize = 128
    $aesManaged.KeySize = 256
    $aesManaged.GenerateKey()
    return [System.Convert]::ToBase64String($aesManaged.Key)
}
function Confirm-MicrosoftGraphServicePrincipal {
    $graphsp = Get-AzureADServicePrincipal -All $true | Where-Object {$_.displayname -eq "Microsoft Graph"}
    if (!$graphsp) {
        $graphsp = Get-AzureADServicePrincipal -SearchString "Microsoft.Azure.AgregatorService"
    }
    if (!$graphsp) {
        Login-AzureRmAccount -Credential $credentials
        New-AzureRmADServicePrincipal -ApplicationId "00000003-0000-0000-c000-000000000000"
        $$graphsp = Get-AzureADServicePrincipal -All $true | Where-Object {$_.displayname -eq "Microsoft Graph"}
    }
    return $graphsp
}
Write-Host "Connecting to Azure AD. The login window may appear behind Visual Studio Code."
Connect-AzureAD
   
Write-Host "Creating application in tenant: $((Get-AzureADTenantDetail).displayName)"
   
# Check for the Microsoft Graph Service Principal. If it doesn't exist already, create it.
$graphsp = Confirm-MicrosoftGraphServicePrincipal
   
$existingapp = $null
$existingapp = get-azureadapplication -SearchString $applicationName
if ($existingapp -and $removeExistingAppWithSameName) {
    Remove-Azureadapplication -ObjectId $existingApp.objectId
}
   
# RSPS 
$rsps = @()
if ($graphsp) {
    $rsps += $graphsp
    $tenant_id = (Get-AzureADTenantDetail).ObjectId
    $tenantName = (Get-AzureADTenantDetail).DisplayName
   
    # Add Required Resources Access (Microsoft Graph)
    $requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]
    $microsoftGraphRequiredPermissions = Get-RequiredPermissions -reqsp $graphsp -requiredApplicationPermissions $ApplicationPermissions -requiredDelegatedPermissions $DelegatedPermissions
    $requiredResourcesAccess.Add($microsoftGraphRequiredPermissions)
   
    # Get an application key
    $pw = Initialize-AppKey
    $fromDate = [System.DateTime]::Now
    $appKey = Test-AppKey -fromDate $fromDate -durationInYears 99 -pw $pw
   
    Write-Host "Creating the AAD application $applicationName" -ForegroundColor Blue
    $aadApplication = New-AzureADApplication -DisplayName $applicationName `
        -HomePage $homePage `
        -ReplyUrls $homePage `
        -IdentifierUris $appIdURI `
        -LogoutUrl $logoutURI `
        -RequiredResourceAccess $requiredResourcesAccess `
        -PasswordCredentials $appKey `
        -AvailableToOtherTenants $true
       
    # Creating the Service Principal for the application
    $servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId
   
    Write-Host "Assigning Permissions" -ForegroundColor Yellow
     
    # Assign application permissions to the application
    foreach ($app in $requiredResourcesAccess) {
        $reqAppSP = $rsps | Where-Object {$_.appid -contains $app.ResourceAppId}
        Write-Host "Assigning Application permissions for $($reqAppSP.displayName)" -ForegroundColor DarkYellow
        foreach ($resource in $app.ResourceAccess) {
            if ($resource.Type -match "Role") {
                New-AzureADServiceAppRoleAssignment -ObjectId $serviceprincipal.ObjectId `
                    -PrincipalId $serviceprincipal.ObjectId -ResourceId $reqAppSP.ObjectId -Id $resource.Id
            }
        }
    }
     
    # This provides the application with access to your customer tenants.
    $group = Get-AzureADGroup -Filter "displayName eq 'Adminagents'"
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $servicePrincipal.ObjectId
 
    Write-Host "App Created" -ForegroundColor Green
     
    # Define parameters for Microsoft Graph access token retrieval
    $client_id = $aadApplication.AppId;
    $client_secret = $appkey.Value
    $tenant_id = (Get-AzureADTenantDetail).ObjectId
    $resource = "https://graph.microsoft.com"
    $authority = "https://login.microsoftonline.com/$tenant_id"
    $tokenEndpointUri = "$authority/oauth2/token"
   
    # Get the access token using grant type password for Delegated Permissions or grant type client_credentials for Application Permissions
   
    $content = "grant_type=client_credentials&client_id=$client_id&client_secret=$client_secret&resource=$resource"
   
    # Try to execute the API call 6 times
   
    $Stoploop = $false
    [int]$Retrycount = "0"
    do {
        try {
            $response = Invoke-RestMethod -Uri $tokenEndpointUri -Body $content -Method Post -UseBasicParsing
            Write-Host "Retrieved Access Token" -ForegroundColor Green
            # Assign access token
            $access_token = $response.access_token
            $body = $null
   
            $body = Invoke-RestMethod `
                -Uri $UriForApplicationPermissionCall `
                -Headers @{"Authorization" = "Bearer $access_token"} `
                -ContentType "application/json" `
                -Method GET  `
   
            Write-Host "Retrieved Graph content" -ForegroundColor Green
            $Stoploop = $true
        }
        catch {
            if ($Retrycount -gt 5) {
                Write-Host "Could not get Graph content after 6 retries." -ForegroundColor Red
                $Stoploop = $true
            }
            else {
                Write-Host "Could not get Graph content. Retrying in 5 seconds..." -ForegroundColor DarkYellow
                Start-Sleep -Seconds 5
                $Retrycount ++
            }
        }
    }
    While ($Stoploop -eq $false)
   
    $appInfo = [pscustomobject][ordered]@{
        ApplicationName        = $ApplicationName
        TenantName             = $tenantName
        TenantId               = $tenant_id
        clientId               = $client_id
        clientSecret           = $client_secret
        ApplicationPermissions = $ApplicationPermissions
    }
       
    $AppInfo | Export-Csv C:\temp\AzureADApp.csv -Append -NoTypeInformation
}
else {
    Write-Host "Microsoft Graph Service Principal could not be found or created" -ForegroundColor Red
}

Sync customer Azure AD risk events with a SharePoint List using PowerShell

Once you have created an application with access to your own, and your customers’, Azure AD Risk events, you can set up a regular sync of the risk events into a SharePoint list.

How to sync customer Azure AD risk events with a SharePoint List

  1. Double click the below script to select it
  2. Copy and paste it into Visual Studio Code
  3. Save it with a .ps1 extension
  4. Paste the Client ID and Secret generated by the previous script into the $ClientID and $Secret variables.
  5. Press F5 to run it and wait for it to completeSyncing Azure AD Risk Events with SharePoint
  6. You should now have a SharePoint list in your root SharePoint team site called Risk Event Register containing any risk events from your customer tenants. You can find this list under Site Contents.Azure Active Directory Risk Event Register on SharePoint List
  7. Once you are happy with the script you can set it up to run on a schedule using the tool of your choice – such as Azure Runbooks, Timer Triggered Azure Functions, Scheduled Tasks etc.

Script to sync customers Azure AD risk events with a SharePoint list using PowerShell and the Microsoft Graph

$appId = "ENTERCLIENTIDHERE"
$secret = "ENTERCLIENTSECRETHERE"
$ourTenantId = "ENTERYOURTENANTIDHERE"
$tenantName = "ENTERYOURCOMPANYNAMEHERE"
$tenantDomain = "ENTERANYOFYOURDOMAINSHERE"
$ListName = "Risk Event Register"
$siteid = "root"
$graphBaseUri = "https://graph.microsoft.com/v1.0"

function Get-GCITSAccessToken($appCredential, $tenantId) {
    $client_id = $appCredential.appID
    $client_secret = $appCredential.secret
    $tenant_id = $tenantid
    $resource = "https://graph.microsoft.com"
    $authority = "https://login.microsoftonline.com/$tenant_id"
    $tokenEndpointUri = "$authority/oauth2/token"
    $content = "grant_type=client_credentials&client_id=$client_id&client_secret=$client_secret&resource=$resource"
    $response = Invoke-RestMethod -Uri $tokenEndpointUri -Body $content -Method Post -UseBasicParsing
    $access_token = $response.access_token
    return $access_token
}

function Get-GCITSMSGraphResource($Resource) {
    $graphBaseUri = "https://graph.microsoft.com/beta"
    $values = @()
    $result = Invoke-RestMethod -Uri "$graphBaseUri/$resource" -Headers $headers
    if ($result.value) {
        $values += $result.value
        if ($result."@odata.nextLink") {
            do {
                $result = Invoke-RestMethod -Uri $result."@odata.nextLink" -Headers $headers
                $values += $result.value
            } while ($result."@odata.nextLink")
        }
    }
    else {
        $values = $result
    }
    return $values
}
function New-GCITSSharePointColumn($Name, $Type, $Indexed, $lookupListName, $lookupColumnPrimaryName, $lookupColumnName, $longText) {
    if ($longText) {
        $column = [ordered]@{
            name    = $Name
            indexed = $Indexed
            $Type   = @{
                maxLength          = 0
                allowMultipleLines = $True
                #appendChangesToExistingText = $False
                #linesForEditing             = 6
                #textType                    = "plain"
            }
            
        }  
    }
    else {
        $column = [ordered]@{
            name    = $Name
            indexed = $Indexed
            $Type   = @{ }
        }
     
        if ($lookupListName -and $type -contains "lookup") {
            $list = Get-GCITSSharePointList -ListName $lookupListName
            if ($list) {
                $column.lookup.listId = $list.id
                $column.lookup.columnName = $lookupColumnName
            }
        }
    }

    return $column
}
function New-GCITSSharePointList ($Name, $ColumnCollection) {
    $list = @{
        displayName = $Name
        columns     = $columnCollection
    } | Convertto-json -Depth 10
      
    $newList = Invoke-RestMethod `
        -Uri "$graphBaseUri/sites/$siteid/lists/" `
        -Headers $SPHeaders `
        -ContentType "application/json" `
        -Method POST -Body $list
    return $newList
}
 
function Remove-GCITSSharePointList ($ListId) {
    $removeList = Invoke-RestMethod `
        -Uri "$graphBaseUri/sites/$siteid/lists/$ListId" `
        -Headers $SPHeaders `
        -ContentType "application/json" `
        -Method DELETE
    return $removeList
}
 
function Remove-GCITSSharePointListItem ($ListId, $ItemId) {
    $removeItem = Invoke-RestMethod `
        -Uri "$graphBaseUri/sites/$siteid/lists/$ListId/items/$ItemId" `
        -Headers $SPHeaders `
        -ContentType "application/json" `
        -Method DELETE
    return $removeItem
}
 
function New-GCITSSharePointListItem($ItemObject, $ListId) {
 
    $itemBody = @{
        fields = $ItemObject
    } | ConvertTo-Json -Depth 10
 
    $listItem = Invoke-RestMethod `
        -Uri "$graphBaseUri/sites/$siteid/lists/$listId/items" `
        -Headers $SPHeaders `
        -ContentType "application/json" `
        -Method Post `
        -Body $itemBody
}
 
function Get-GCITSSharePointListItem($ListId, $ItemId, $Query) {
 
    if ($ItemId) {
        $listItem = Invoke-RestMethod -Uri $graphBaseUri/sites/$siteid/lists/$listId/items/$ItemId `
            -Method Get -headers $SPHeaders `
            -ContentType application/json
        $value = $listItem
    }
    elseif ($Query) {
        $listItems = $null
        $listItems = Invoke-RestMethod -Uri "$graphBaseUri/sites/$siteid/lists/$listId/items/?expand=fields&`$filter=$Query" `
            -Method Get -headers $SPHeaders `
            -ContentType application/json  
        $value = @()
        $value = $listItems.value
        if ($listitems."@odata.nextLink") {
            $nextLink = $true
        }
        if ($nextLink) {
            do {
                $listItems = Invoke-RestMethod -Uri  $listitems."@odata.nextLink"`
                    -Method Get -headers $SPHeaders `
                    -ContentType application/json
                $value += $listItems.value
                if (!$listitems."@odata.nextLink") {
                    $nextLink = $false
                }
            } until (!$nextLink)
        }
    }
    else {
        $listItems = $null
        $listItems = Invoke-RestMethod -Uri $graphBaseUri/sites/$siteid/lists/$listId/items?expand=fields `
            -Method Get -headers $SPHeaders `
            -ContentType application/json  
        $value = @()
        $value = $listItems.value
        if ($listitems."@odata.nextLink") {
            $nextLink = $true
        }
        if ($nextLink) {
            do {
                $listItems = Invoke-RestMethod -Uri  $listitems."@odata.nextLink"`
                    -Method Get -headers $SPHeaders `
                    -ContentType application/json
                $value += $listItems.value
                if (!$listitems."@odata.nextLink") {
                    $nextLink = $false
                }
            } until (!$nextLink)
        }
    }
    return $value
}
 
function Set-GCITSSharePointListItem($ListId, $ItemId, $ItemObject) {
    $listItem = Invoke-RestMethod -Uri $graphBaseUri/sites/$siteid/lists/$listId/items/$ItemId/fields `
        -Method Patch -headers $SPHeaders `
        -ContentType application/json `
        -Body ($itemObject | ConvertTo-Json)
    $return = $listItem
}

function Get-GCITSSharePointList($ListName) {
    $list = Invoke-RestMethod `
        -Uri "$graphBaseUri/sites/$siteid/lists?expand=columns&`$filter=displayName eq '$ListName'" `
        -Headers $SPHeaders `
        -ContentType "application/json" `
        -Method GET
    $list = $list.value
    return $list
}

$appCredential = @{
    AppId  = $appid
    Secret = $secret
}


$accessToken = Get-GCITSAccessToken -appCredential $appCredential -tenantId $ourTenantId
$SPHeaders = @{Authorization = "Bearer $accesstoken" }

$headers = @{
    Authorization = "Bearer $accesstoken"
}

$customers = @()
$customers += @{
    customerid        = $ourtenantid
    defaultDomainName = $tenantDomain
    displayName       = $tenantName
}
$customers += Get-GCITSMSGraphResource -Resource contracts
$existingItems = $null

$commonProperties = "Customer", "TenantId", "userDisplayName", "userPrincipalName", "riskEventDateTime", "riskEventDetails", "riskEventStatus", "userId", "riskLevel", "riskEventType", "createdDateTime", "closedDateTime", "riskEventId"

$list = Get-GCITSSharePointList -ListName $listName
if (!$list) {
    $columnCollection = @()
    foreach ($property in $commonProperties) {
        $type = "text"
        $indexed = $true
        if ($property -like "*DateTime") {
            $type = "dateTime"
            $indexed = $true
        }
        if ($property -eq "riskEventDetails") {
            $longText = $true
            $indexed = $false
        }
        else { $longText = $false }
        $columnCollection += New-GCITSSharePointColumn -Name $property -Type $type -Indexed $indexed -longText $longText
    }
    $list = New-GCITSSharePointList -Name $listName -ColumnCollection $columnCollection
}
else {
    $existingItems = Get-GCITSSharePointListItem -ListId $list.id
}



foreach ($customer in $customers) {
    Write-Host $customer.displayName
    $tenant_id = $customer.customerid
    $accessToken = Get-GCITSAccessToken -appCredential $appCredential -tenantId $tenant_id
    $headers = @{
        Authorization = "Bearer $accessToken"
    }
    try {
        $identityRiskEvents = $null
        $identityRiskEvents = Get-GCITSMSGraphResource -Resource identityRiskEvents
    }
    catch {
        Write-Host "Likely not licensed for Identity Protection"
    }
    
    if ($identityRiskEvents -and $identityRiskEvents.riskEventType) {
        $objectArray = @()
        foreach ($riskEvent in $identityRiskEvents) {
            $riskEventId = $riskEvent.id
            $riskEvent.PSObject.Properties.Remove('id')
            $riskEvent | Add-Member riskEventId $riskEventId

            $members = $riskEvent | Get-Member | Where-Object { $_.membertype -ne "Method" -and $_.name -ne "@odata.type" }
            $object = [pscustomobject][ordered]@{ }
            $object | Add-Member Title "$($riskEvent.riskEventType) - $($customer.displayName)"
            $object | Add-Member Customer $customer.displayName
            $object | Add-Member TenantId $customer.customerId
            $riskEventDetails = @()
            foreach ($member in ($members | Where-Object { $_.name -notmatch "Customer" -and $_.name -notmatch "TenantId" })) {
                if ($commonProperties -contains $member.name) {
                    if ($member.name -ne "id") {
                        if ($member.name -like "*DateTime") {
                            try {
                                $dateTime = [DateTime]$riskevent.($member.name)
                                $object | Add-Member $member.name $dateTime
                            }
                            catch { }
                        }
                        else {
                            $object | Add-Member $member.name $riskevent.($member.name)
                        }
                    }
                    else {
                        $object | Add-Member riskEventId $riskevent.id
                    }
                }
                else {
                    if ($member.definition -match "Object\[\] " -or $member.Definition -match "System.Management.Automation.PSCustomObject") {
                        $subMembers = $riskEvent.($member.name) | get-member | Where-Object { $_.membertype -ne "Method" }
                        $stringArray = @()
                        foreach ($subMember in $subMembers) {
                            $stringArray += "`t$($subMember.name): $($riskEvent.$($member.name).$($subMember.name))"
                        }
                        $stringArray = $stringArray -join "`n"
                        $riskEventDetails += "$($member.name): `n$stringArray"
                    }
                    else {
                        $riskEventDetails += "$($member.name): $($riskEvent.$($member.name))"
                    }
                }
            }
            $riskEventDetails = $riskEventDetails -join "`n"
            $object | Add-Member riskEventDetails $riskEventDetails
            $objectArray += $object
        }

        foreach ($object in $objectArray) {
            if ($existingItems.fields.riskEventId -contains $object.riskEventId) {
                $match = $existingItems | Where-Object { $_.fields.riskEventId -eq $object.riskEventId }
                Write-Host "Updating SharePoint list item"
                Set-GCITSSharePointListItem -ListId $list.id -ItemId $match.id -ItemObject $object
            }
            else {
                Write-Host "Adding SharePoint list item"
                New-GCITSSharePointListItem -ListId $list.id -ItemObject $object
            }
        }
    }
}

Getting alerted to new Azure AD Risk Events in customer tenants

  1. Navigate to your new Risk Event Register in your root SharePoint Team Site via Site Contents
  2. Click the three dots, then Alert meSet Up Azure AD Risk Event Alert
  3. Specify the person, group or external address who should be receiving the alerts
  4. Request an alert when New items are added and choose to Send notification immediatelyGet Alerts On Azure AD Risk Events

 

 

Was this article helpful?

Related Articles

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *