New-MgBetaSecurityAuditLogQuery giving 403 error for Azure App

DPFY 116 Reputation points
2024-07-29T13:18:29.45+00:00

I'm looking to use the New-MgBetaSecurityAuditLogQuery command to query Exchange mailbox access via an Azure Application, with the required permission granted: AuditLogsQuery.Read.All

I set up the command with the following params:

$SearchParameters = @{
    displayName         = "Joe Soap"
    filterStartDateTime = "2024-07-29T08:28:56Z"
    filterEndDateTime   = "2024-07-29T12:28:56Z"
    recordTypeFilters   = @("ExchangeItemAggregated")
    operationFilters    = @("MailItemsAccessed")
}

When I run the command I get a 403 error:

New-MgBetaSecurityAuditLogQuery_Create: {"message":"App:xxxxxx dont have any permissions"}


1 answer

  1. Yakun Huang-MSFT 6,730 Reputation points Microsoft Vendor
    2024-07-30T02:41:52.1533333+00:00

    Hi @DPFY

    According to the document, when accessing this endpoint, you need to grant the application the desired permission. As shown in the following table, when you access Exchange, you can grant the application the delegated permission AuditLogsQuery-Exchange.Read.All. Or apply the application permission AuditLogsQuery-Exchange.Read.All.

    User's image

    To use delegated permissions, you need to use auth code flow to get the token and grant the application delegated permissions, see the documentation for details.

    To use application permissions, you need to use client credentials flow to obtain the tokens and grant the application permissions at the same time. See this document for details.

    It is worth noting that this endpoint uses a beta version, and you need to install a beta version of the SDK.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
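
An added example, not part of the original question or answer: an app-only session that confirms the token carries the Exchange-specific role named in the answer before submitting the query from the question. It assumes certificate-based client credentials, admin consent already granted, and the Microsoft.Graph.Beta.Security module installed; the tenant ID, client ID and thumbprint are placeholders.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Beta.Security

# Placeholders: replace with your own tenant, app registration and certificate.
$TenantId   = '<tenant-id>'
$ClientId   = '<app-client-id>'
$Thumbprint = '<certificate-thumbprint>'
$Required   = 'AuditLogsQuery-Exchange.Read.All'

# App-only sign-in (client credentials flow, certificate credential).
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
    -CertificateThumbprint $Thumbprint -NoWelcome

# In an app-only session, Scopes lists the application roles in the token.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') {
    throw "Expected an app-only session, got '$($ctx.AuthType)'."
}
if ($ctx.Scopes -notcontains $Required) {
    throw "Token lacks $Required. Roles present: $($ctx.Scopes -join ', ')"
}

# Query body taken from the question.
$SearchParameters = @{
    displayName         = "Joe Soap"
    filterStartDateTime = "2024-07-29T08:28:56Z"
    filterEndDateTime   = "2024-07-29T12:28:56Z"
    recordTypeFilters   = @("ExchangeItemAggregated")
    operationFilters    = @("MailItemsAccessed")
}
$query = New-MgBetaSecurityAuditLogQuery -BodyParameter $SearchParameters

# The search runs asynchronously: poll until it leaves the pending states.
do {
    Start-Sleep -Seconds 30
    $query = Get-MgBetaSecurityAuditLogQuery -AuditLogQueryId $query.Id
} while ($query.Status -in 'notStarted', 'running')

if ($query.Status -ne 'succeeded') {
    throw "Audit log query ended with status '$($query.Status)'."
}

# Page through the matching MailItemsAccessed records.
Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId $query.Id -All |
    Select-Object CreatedDateTime, UserPrincipalName, Operation, ObjectId
```

If the role check fails after consent was granted, disconnect and reconnect so a fresh token is issued, since a cached token keeps the roles it was issued with.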

