Events
9 Apr, 3 pm - 10 Apr, 12 pm
Code the Future with AI and connect with Java peers and experts at JDConf 2025.
Register NowHow to analyze activity logs with Microsoft Graph
The Microsoft Entra reporting APIs provide you with programmatic access to the data through a set of REST APIs. You can call these APIs from many programming languages and tools.
This article describes how to analyze Microsoft Entra activity logs with Microsoft Graph Explorer and Microsoft Graph PowerShell.
- A working Microsoft Entra tenant with a Microsoft Entra ID P1 or P2 license associated with it.
- To consent to the required permissions, you need the Privileged Role Administrator.
With all the prerequisites configured, you can run activity log queries in Microsoft Graph. The Microsoft Graph API isn't designed for pulling large amounts of activity data. Pulling large amounts of activity data using the API might lead to issues with pagination and performance. For more information on Microsoft Graph queries for activity logs, see Activity reports API overview.
Select your profile and then select Modify permissions.
Consent to the following required permissions:
AuditLog.Read.AllDirectory.Read.All
Use one of the following queries to start using Microsoft Graph for accessing activity logs:
- GET
https://graph.microsoft.com/v1.0/auditLogs/directoryAudits - GET
https://graph.microsoft.com/v1.0/auditLogs/signIns - GET
https://graph.microsoft.com/v1.0/auditLogs/provisioning
- GET
To search for specific activity log entries, use the $filter and createdDateTime query parameters with one of the available properties. Some of the following queries use the beta endpoint. The beta endpoint is subject to change and isn't recommended for production use.
Try using the following queries:
For sign-in attempts where Conditional Access failed:
- GET
https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=conditionalAccessStatus eq 'failure' - Consider using a date filter so the request doesn't time out.
- GET
To find sign-ins to a specific application during a specific time frame:
- GET
https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=(createdDateTime ge 2024-01-13T14:13:32Z and createdDateTime le 2024-01-14T17:43:26Z) and appId eq 'APP ID'
- GET
For non-interactive sign-ins:
- GET
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=(createdDateTime ge 2024-01-13T14:13:32Z and createdDateTime le 2024-01-14T17:43:26Z) and signInEventTypes/any(t: t eq 'nonInteractiveUser')
- GET
For service principal sign-ins:
- GET
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=(createdDateTime ge 2024-01-13T14:13:32Z and createdDateTime le 2024-01-14T17:43:26Z) and signInEventTypes/any(t: t eq 'servicePrincipal')
- GET
For managed identity sign-ins:
- GET
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=(createdDateTime ge 2024-01-13T14:13:32Z and createdDateTime le 2024-01-14T17:43:26Z) and signInEventTypes/any(t: t eq 'managedIdentity')
- GET
To get the authentication method of a user:
- GET
https://graph.microsoft.com/beta/users/{userObjectId}/authentication/methods - Requires
UserAuthenticationMethod.Read.Allpermission
- GET
To see the user registration details report:
- GET
https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails - Requires
UserAuthenticationMethod.Read.Allpermission
- GET
For the registration details of specific user:
- GET
https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails/{userId} - Requires
UserAuthenticationMethod.Read.Allpermission
- GET
Once you're familiar with the standard sign-in and audit logs, try exploring these other APIs:
You can use PowerShell to access the Microsoft Entra reporting API. For more information, see Microsoft Graph PowerShell overview.
Microsoft Graph PowerShell cmdlets:
- Audit logs:
Get-MgAuditLogDirectoryAudit - Sign-in logs:
Get-MgAuditLogSignIn - Provisioning logs:
Get-MgAuditLogProvisioning - Explore the full list of reporting-related Microsoft Graph PowerShell cmdlets.
Error: Neither tenant is B2C or tenant doesn't have premium license: Accessing sign-in reports requires a Microsoft Entra ID P1 or P2 license. If you see this error message while accessing sign-ins, make sure that your tenant is licensed with a Microsoft Entra ID P1 license.
Error: User isn't in the allowed roles: If you see this error message while trying to access audit logs or sign-ins using the API, make sure that your account is part of the Security Reader or Reports Reader role in your Microsoft Entra tenant.
Error: Application missing Microsoft Entra ID 'Read directory data' or 'Read all audit log data' permission: The application must have either the AuditLog.Read.All or Directory.Read.All permission to access the activity logs with Microsoft Graph.
Additional resources
Training
Module
Monitor and report on authentication methods used in Microsoft Entra ID - Training
This module teaches you how to create a Microsoft Entra workbook that helps you to create a report of the authentication methods used in your tenant.
Certification
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.
Documentation
-
Microsoft Graph PowerShell monitoring and health cmdlets - Microsoft Entra ID
Reference information for Microsoft Graph PowerShell cmdlets for Microsoft Entra monitoring and health.
-
Analyze a sign-in with the Microsoft Graph API - Microsoft Entra ID
Learn how to access the sign-in log and analyze a single sign-in attempt using the Microsoft Graph API.
-
Audit logs API overview - Microsoft Graph beta
Access audit logs using Microsoft Graph APIs to track user activity in a tenant, integrate with third-party SIEM tools, and remain compliant.