Cloud Administration Retrieve High-Risk User List API Version 2
Use the Cloud Administration Retrieve High-Risk User List API to retrieve users who have been marked as high risk. Accounts for these users may have been compromised. A security information and event management (SIEM) solution, such as NetWitness, may mark users with suspicious activity as high risk. For more information, see Determining Access Requirements for High-Risk Users in Cloud Access Service.
For Version 1 of this API, see Cloud Administration Retrieve High-Risk User List API.
Note: This API is licensed. See ID Plus Subscription Plans.
For information about managing access to this API, see Accessing the Cloud Administration APIs.
Authentication
Clients calling this API must authenticate themselves by including a JSON Web Token in a request. For instructions on using this token, see Authentication for the Cloud Administration REST APIs.
Software Developer Kit
You can download the API Software Developer Kit (SDK) from Cloud Administration REST API Download.
Request Requirements
Use the following information to retrieve a list of users who are marked as high risk.
| Method | Request URL | Response Content Type | Response Body | Response Codes |
|---|---|---|---|---|
| GET |
/AdminInterface/restapi/v2/users/highrisk | application/json | List of users that contains a high-risk flag set to true. | 200, 403, 429, 500 |
Request Body Parameters
No query parameters are supported at this time.
Example Request Body
The following example displays a request.
GET /AdminInterface/restapi/v2/users/highrisk
No Body
Authorization: Bearer <JWT token>
Example Response Body
The following example displays a response body.
{
"users": [
{
"email": "user.one@mycompany.com",
"primaryUsername": "user.one",
"alternateUsername":""
},
{
"email": "user.two@mycompany.com",
"primaryUsername": "user.two",
"alternateUsername":""
},
{
"email": "user.three@mycompany.com",
"primaryUsername": "user.three",
"alternateUsername":""
},
]
}
Response Property Descriptions
The following table shows response property descriptions and data types.
| Property | Description | Data Type |
|---|---|---|
| User's email address. | String | |
| primaryUsername | User's primary username. This is sAMAccountName for Active Directory and uid for LDAPv3 directory servers. | String |
| alternateUsername | User's alternate username. This attribute is returned only when the identity source is configured to synchronize this attribute. | String |
Response Codes
The following table shows response codes for this API.
| Code | Description |
|---|---|
| 200 | Operation completed successfully. |
| 403 | Not authorized to perform the request. |
| 429 | Too many requests. |
| 500 | Internal error occurred. |
Related Articles
Cloud Administration Retrieve High-Risk User List API Version 1 Number of Views Cloud Administration Add/Remove High-Risk User API Number of Views Search Users Based on Risk-Based Authentication Settings Number of Views Microsoft Sentinel - RSA Ready Implementation Guide Number of Views List User Group Membership in Reports Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) How to install the jTDS JDBC driver on WildFly for use with Data Collections in RSA Identity Governance & Lifecycle RSA Authentication Manager 8.8 Setup and Configuration Guide Artifacts to gather in RSA Identity Governance & Lifecycle
