Edit

Share via

identityAccounts: invokeAction

Namespace: microsoft.graph.security

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Perform actions such as revoking accounts and forcing password reset for identity accounts that are observed in Microsoft Defender for Identity. This action allows reading and performing identity security actions on behalf of the signed-in identity.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

One of the following permissions is required to call this API. Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Permissions (least privileged listed first)
Delegated (work or school account) SecurityIdentitiesActions.ReadWrite.All
Delegated (personal Microsoft account) Not supported.
Application SecurityIdentitiesActions.ReadWrite.All

Important

In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. Security Administrator is the least privileged role supported for this operation.

HTTP request

POST /security/identities/identityAccounts/{identityAccountsId}/invokeAction

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-Type application/json. Required.

Request body

In the request body, supply a JSON representation of the parameters.

The following table lists the parameters that are required when you call this action.

Parameter Type Description
accountId String The identifier of the account to perform the action on.
action microsoft.graph.security.action The type of action to perform on the account. The possible values are: disable, enable, forcePasswordReset, revokeAllSessions, requireUserToSignInAgain, markUserAsCompromised.
identityProvider microsoft.graph.security.identityProvider The identity provider associated with the account. The possible values are: entraID, activeDirectory, okta.

The following table shows the identity providers supported for each action value type:

Action Value Description Supported identity providers
Disable Disable account. The account is unable to authenticate. If the account recently logged in, it doesn't have access to resources. activeDirectory, okta
Enable Enable account. activeDirectory, okta
ForcePasswordReset Force password reset of the account. activeDirectory
RevokeAllSessions Revoke all of active sessions for the account. okta

Response

If successful, this action returns a 200 OK response code and a invokeActionResult in the response body.

Examples

Request

The following example shows a request.

POST https://graph.microsoft.com/beta/security/identities/identityAccounts/0104216-0539-4838-88b1-55baafdc296b/invokeAction
Content-Type: application/json

{
  "accountId": "256db173-930a-4991-9061-0d51a9a93ba5",
  "action": "disable",
  "identityProvider": "activeDirectory"
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-Type: application/json

{
  "value": 
    {
      "accountId": "256db173-930a-4991-9061-0d51a9a93ba5",
      "action": "disable",
      "provider": "activeDirectory",
      "correlationId": "ed2f052b-2a01-4cd9-acb3-f6145f83e1a5"
    }
}

Note

Actions related to Entra ID are not covered in the current scope.