New-MgBetaSecurityAuditLogQuery giving 403 error for Azure App

Question

I'm looking to use the New-MgBetaSecurityAuditLogQuery command to query Exchange mailbox access via an Azure Application, with the required permission granted: AuditLogsQuery.Read.All

I setup the command with the following params:

$SearchParameters = @{
displayName = "Joe Soap"
filterStartDateTime = "2024-07-29T08:28:56Z"
filterEndDateTime = "2024-07-29T12:28:56Z"
recordTypeFilters = @("ExchangeItemAggregated")
operationFilters= @("MailItemsAccessed") }

When I run the command I get a 403 error:

New-MgBetaSecurityAuditLogQuery_Create: {"message":"App:xxxxxx dont have any permissions"}

Answer 1

Hi @DPFY

According to the document, when accessing this endpoint, you need to grant the application the desired permission. As shown in the following table, when you access Exchange, you can grant the application the delegated permission AuditLogsQuery-Exchange.Read.All. Or apply the application permission AuditLogsQuery-Exchange.Read.All.

To use delegated permissions, you need to use auth code flow to get the token and grant the application delegated permissions, see the documentation for details.

To use application permissions, you need to use client credentials flow to obtain the tokens and grant the application permissions at the same time. See this document for details.

It is worth noting that this endpoint uses a beta version, and you need to install a beta version of the SDK.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.