Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Namespace: microsoft.graph.security
Perform actions such as revoking accounts and forcing password reset for identity accounts that are observed in Microsoft Defender for Identity. This action allows reading and performing identity security actions on behalf of the signed-in identity.
This API is available in the following national cloud deployments.
| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
|---|---|---|---|
| ✅ | ❌ | ❌ | ❌ |
Permissions
One of the following permissions is required to call this API. Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Permission type | Permissions (least privileged listed first) |
|---|---|
| Delegated (work or school account) | SecurityIdentitiesActions.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | SecurityIdentitiesActions.ReadWrite.All |
Important
In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. Security Administrator is the least privileged role supported for this operation.
HTTP request
POST /security/identities/identityAccounts/{identityAccountsId}/invokeAction
Request headers
| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
Request body
In the request body, supply a JSON representation of the parameters.
The following table lists the parameters that are required when you call this action.
| Parameter | Type | Description |
|---|---|---|
| accountId | String | The identifier of the account to perform the action on. |
| action | microsoft.graph.security.action | The type of action to perform on the account. The possible values are: disable, enable, forcePasswordReset, revokeAllSessions, requireUserToSignInAgain, markUserAsCompromised. |
| identityProvider | microsoft.graph.security.identityProvider | The identity provider associated with the account. The possible values are: entraID, activeDirectory, okta. |
The following table shows the identity providers supported for each action value type:
| Action Value | Description | Supported identity providers |
|---|---|---|
| Disable | Disable account. The account is unable to authenticate. If the account recently logged in, it doesn't have access to resources. | activeDirectory, okta |
| Enable | Enable account. | activeDirectory, okta |
| ForcePasswordReset | Force password reset of the account. | activeDirectory |
| RevokeAllSessions | Revoke all of active sessions for the account. | okta |
Response
If successful, this action returns a 200 OK response code and a invokeActionResult in the response body.
Examples
Request
The following example shows a request.
POST https://graph.microsoft.com/v1.0/security/identities/identityAccounts/0104216-0539-4838-88b1-55baafdc296b/invokeAction
Content-Type: application/json
{
"accountId": "256db173-930a-4991-9061-0d51a9a93ba5",
"action": "disable",
"identityProvider": "activeDirectory"
}
Response
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-Type: application/json
{
"value":
{
"accountId": "256db173-930a-4991-9061-0d51a9a93ba5",
"action": "disable",
"provider": "activeDirectory",
"correlationId": "ed2f052b-2a01-4cd9-acb3-f6145f83e1a5"
}
}
Note
Actions related to Entra ID are not covered in the current scope.