Graph Security Action Block
What it does: Access Microsoft Graph Security API to retrieve secure scores and manage security control profiles as part of your workflow automation.
In simple terms: Automate security monitoring -- retrieve your organization's security scores, review control profiles, and update security configurations from workflows.
When to Use This
Use the Graph Security action when you need to:
- ✅ Monitor your organization's security posture through secure scores
- ✅ Automate security compliance reporting and alerting
- ✅ Track security control profile changes over time
- ✅ Update security control profiles based on remediation workflows
- ✅ Integrate security data into dashboards and notification systems
Example: Run a daily workflow that checks the organization's secure score and sends a Slack notification to the security team if the score drops below a threshold.
Features
- OAuth2 Authentication: Secure Microsoft identity platform connection
- Secure Score Retrieval: Get current and historical security scores
- Control Profiles: Read and update security control profile configurations
- Bulk Queries: Retrieve all scores or profiles with optional filters
- Variable Support: Use workflow variables for dynamic thresholds and filters
Setup
1. Connect Your Microsoft Account
- Click Connect Microsoft Account in the block settings
- Sign in with a Microsoft 365 account that has Security Administrator privileges
- Grant the requested permissions (SecurityEvents.ReadWrite.All)
- Your account will be linked securely via OAuth2
The Graph Security block requires the SecurityEvents.ReadWrite.All permission scope. This is a high-privilege scope that must be approved by your Global Administrator through Azure Portal admin consent. Read-only operations still require the ReadWrite scope for full compatibility.
2. Configure Settings
- Select the desired Action from the dropdown
- Provide the resource ID (for single-item retrieval) or filters (for bulk queries)
- Map response values to workflow variables for downstream use
Supported Actions
Secure Score Operations
| Action | Description |
|---|---|
| Get Secure Score | Retrieve a specific secure score entry by ID |
| Get All Secure Scores | List all secure score entries with optional date range and filters |
Control Profile Operations
| Action | Description |
|---|---|
| Get Control Profile | Retrieve a specific security control profile by ID |
| Get All Control Profiles | List all security control profiles in the tenant |
| Update Control Profile | Modify a control profile's state or vendor information |
Using Variables
You can use workflow variables in Graph Security fields:
Get Secure Score:
Score ID: {{security.scoreId}}
Get All Secure Scores (Filter):
createdDateTime ge {{date.thirtyDaysAgo}}
Update Control Profile:
Control Profile ID: {{security.controlId}}
State: {{remediation.newState}}
Comment: Remediated by {{remediation.assignee}} on {{date.now}}
Response Mapping
Map results from Graph Security actions to workflow variables:
Available Values (Secure Score):
- Score ID: Unique identifier for the score entry
- Current Score: The organization's current security score (numeric)
- Max Score: Maximum possible score
- Average Comparative Score: Industry average for comparison
- Control Scores: Breakdown of scores by individual controls
- Created Date: When the score was calculated
- Enabled Services: Microsoft services contributing to the score
Available Values (Control Profile):
- Control Profile ID: Unique identifier
- Title: Human-readable control name
- Control Category: Category of the security control
- Action Type: The type of action the control represents
- State: Current state of the control (Default, Ignored, ThirdParty, Reviewed)
- Max Score: Maximum points for this control
- Vendor Information: Details about the control vendor
- Compliance Information: Regulatory compliance mappings
Example Mapping:
Current Score → {{security.currentScore}}
Max Score → {{security.maxScore}}
Control State → {{security.controlState}}
Common Use Cases
1. Daily Security Score Monitoring
Trigger: Schedule (Every day at 8 AM)
Graph Security Action: Get All Secure Scores
Filter: Latest score entry
Condition: If score < threshold
Notification: Send alert to security team
Subject: Security Score Alert - Score dropped to {{security.currentScore}}/{{security.maxScore}}
Body: Your organization's Microsoft Secure Score is {{security.currentScore}} out of {{security.maxScore}}.
2. Weekly Compliance Report
Trigger: Schedule (Every Monday)
Graph Security Action: Get All Secure Scores + Get All Control Profiles
Compile report with:
- Current score trend (last 7 entries)
- Controls below target state
- Remediation recommendations
Then email the report or upload to SharePoint.
3. Control Profile Remediation Tracking
Trigger: Security team marks a control as remediated
Graph Security Action: Update Control Profile
Control Profile ID: {{remediation.controlId}}
State: Reviewed
Vendor Information:
Provider: {{org.securityProvider}}
Provider Version: {{org.providerVersion}}
4. Score Threshold Alerting
Trigger: Schedule (Hourly)
Graph Security Action: Get All Secure Scores
Condition: Current score percentage < 70%
Action: Create task in Microsoft To Do + send Slack alert
Alert: Security score at {{security.scorePercentage}}% - below 70% threshold
Best Practices
Security Monitoring
- ✅ Set up regular (daily or weekly) score monitoring workflows
- ✅ Define clear score thresholds that trigger alerts
- ✅ Track score trends over time rather than reacting to single data points
- ✅ Correlate score changes with recent infrastructure or policy changes
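The threshold condition from the alerting use cases and the trend practice above can be combined in one check. The following is an added example, not code from the product or its documentation: `evaluate_scores` and its parameter names are hypothetical, the 70% threshold and 7-entry window come from the use cases on this page, and the 5-point drop limit is an assumed value.

```python
from datetime import datetime
from statistics import mean

# Constructed sample data: one entry per day, deliberately out of order.
# Field names follow the Graph secureScore resource; the values are invented.
SAMPLE_SCORES = [
    {"createdDateTime": "2024-03-05T00:00:00Z", "currentScore": 296, "maxScore": 400},
    {"createdDateTime": "2024-03-07T00:00:00Z", "currentScore": 272, "maxScore": 400},
    {"createdDateTime": "2024-03-01T00:00:00Z", "currentScore": 300, "maxScore": 400},
    {"createdDateTime": "2024-03-03T00:00:00Z", "currentScore": 304, "maxScore": 400},
    {"createdDateTime": "2024-03-02T00:00:00Z", "currentScore": 300, "maxScore": 400},
    {"createdDateTime": "2024-03-06T00:00:00Z", "currentScore": 300, "maxScore": 400},
    {"createdDateTime": "2024-03-04T00:00:00Z", "currentScore": 300, "maxScore": 400},
]

def _created(entry):
    # Accept the trailing "Z" on Python versions whose fromisoformat rejects it.
    return datetime.fromisoformat(entry["createdDateTime"].replace("Z", "+00:00"))

def _pct(entry):
    return 100 * entry["currentScore"] / entry["maxScore"]

def evaluate_scores(entries, threshold_pct=70.0, window=7, max_drop_pct=5.0):
    """Decide whether the latest score warrants an alert (hypothetical helper)."""
    # Entries with a missing or zero maxScore cannot yield a percentage.
    usable = [e for e in entries if e.get("maxScore")]
    if not usable:
        # Matches the "Empty Score Results" case: report it, do not alert on it.
        return {"status": "no_data", "percentage": None, "baseline": None, "reasons": []}
    # Never assume the API returned entries in date order.
    recent = sorted(usable, key=_created, reverse=True)[:window]
    latest = _pct(recent[0])
    earlier = [_pct(e) for e in recent[1:]]
    baseline = mean(earlier) if earlier else None
    reasons = []
    if latest < threshold_pct:
        reasons.append("below_threshold")
    # Trend signal: compare the latest entry with the average of the window
    # before it, so a sharp fall is caught even while still above the threshold.
    if baseline is not None and baseline - latest >= max_drop_pct:
        reasons.append("drop_vs_baseline")
    return {
        "status": "alert" if reasons else "ok",
        "percentage": latest,
        "baseline": baseline,
        "reasons": reasons,
    }
```

The `reasons` list lets the notification say whether the score crossed the fixed threshold, fell sharply against its recent average, or both.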
Control Management
- ✅ Review all control profiles before updating states
- ✅ Document the reason for any state changes in the comment field
- ✅ Use the ThirdParty state for controls managed by external security tools
- ✅ Periodically review Ignored controls to ensure they are still applicable
Security
- ✅ Limit access to Graph Security workflows to authorized security personnel
- ✅ Log all control profile updates for audit purposes
- ✅ Use dedicated service accounts for security API operations
- ✅ Do not expose detailed security scores in user-facing applications
Troubleshooting
Cannot Retrieve Secure Scores
Check:
- Your Microsoft account has Security Administrator or Security Reader role
- The SecurityEvents.ReadWrite.All scope has been admin-consented
- Your Microsoft 365 tenant has Microsoft Secure Score enabled
- The OAuth token has not expired -- try reconnecting
Control Profile Update Fails
Solutions:
- Verify the control profile ID is correct (use Get All Control Profiles to discover IDs)
- Ensure you are providing valid state values (Default, Ignored, ThirdParty, Reviewed)
- Check that your account has write permissions (Security Administrator role)
- Vendor information fields must follow the expected format
Empty Score Results
Check:
- Your tenant must have active Microsoft 365 services contributing to Secure Score
- New tenants may not have historical score data yet
- Date filters may be too restrictive -- widen the date range
Limitations
- Score History: Secure Score history is retained for 90 days by Microsoft
- Update Scope: Only control profile states and vendor information can be updated; scores are read-only
- Real-Time Data: Scores are calculated periodically by Microsoft, not in real-time
- Tenant-Level: Secure scores are tenant-wide and cannot be scoped to individual users or departments
- API Rate Limits: Microsoft Graph API throttling applies
Tip: Combine Graph Security with Excel 365 to build a historical security score dashboard -- append each day's score to a tracking spreadsheet for trend analysis.
Related Blocks
- Entra ID: Manage users and groups referenced in security controls
- Microsoft To Do: Create remediation tasks from security findings
- Slack: Send security alerts to team channels
- Excel 365: Track security scores in spreadsheets
- Condition: Add threshold-based logic to security workflows