Untitled

<#

    This script retrieves Azure Active Directory Risk Sign-in Events from the Microsoft Graph API and send an email alert report.
    Only the active events from the last 30 days will be retrieved (that can be modified via the $filter value in uriGraphEndpoint or removed to get all events).
    See the official documentation for more info:
      https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection-graph-getting-started
      https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_sendmail

#>

$ClientID = "xx"
$ClientSecret = "xx"
##$ClientID = "xx"
##$ClientSecret = "xx"
$tenantDomain = "xxxxx"


$loginURL = "https://login.microsoft.com"
$resource = "https://graph.microsoft.com"
$body       = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth      = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body $body

"upn" | Out-File -FilePath "C:\Users\xxxxxx\Desktop\risk.csv"

if ($oauth.access_token -ne $null) {

    $headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}

    [uri]$uriGraphEndpoint = [uri]$uriGraphEndpoint = "https://graph.microsoft.com/beta/identityRiskEvents?`$filter=createdDateTime gt $(Get-Date -date (Get-Date).AddHours(-1).ToUniversalTime() -Format o) and riskEventStatus eq 'active' and riskEventType eq 'ImpossibleTravelRiskEvent'"

    $response = Invoke-RestMethod -Method Get -Uri $uriGraphEndpoint.AbsoluteUri -Headers $headerParams

    if ($response.value -ne $null) {

        foreach ( $event in $response.value ) {

        $upn = $event.userPrincipalName

        $upn| Out-File -Append "C:\Users\xxxx\Desktop\risk.csv"

        }

    }
}