
How do I get Microsoft 365 audit log activities using the Office 365 Management Activity API?

Netanel Stern 20 Reputation points
2025-12-21T06:42:56.9066667+00:00

Question: How do I actually do the “activities” in Microsoft 365 Compliance Audit Log via the Office 365 Management Activity API?

I’m reading this Microsoft blog post:

Microsoft 365 Compliance audit log activities via O365 Management API – Part 1 (https://techcommunity.microsoft.com/blog/microsoft-security-blog/microsoft-365-compliance-audit-log-activities-via-o365-management-api---part-1/2957171)

The post talks about “audit log activities” and using the Office 365 Management Activity API (O365 Management API), but I don’t understand what I’m supposed to do to get those activities.

Specifically, I’m confused about the end-to-end process:

• Do I need to create/trigger “activities” somehow, or do Microsoft 365 services generate them automatically?
• What are the exact steps needed to start receiving audit records via the API?
  • enable unified audit logging?
  • register an Entra ID (Azure AD) app?
  • assign permissions/roles?
  • create a subscription per content type (e.g., `Audit.Exchange`, `Audit.SharePoint`, `Audit.AzureActiveDirectory`, `Audit.General`, `DLP.All`)?
• After subscribing, how do I retrieve data?
  • do I query for “content blobs” first?
  • then download each blob and parse JSON events inside?
• How do I know which **content types** I should subscribe to for common scenarios (login events, SharePoint file access, Exchange admin actions, etc.)?
• Are there any common “gotchas” (no data returned, wrong permissions, audit not enabled, throttling/latency)?

I’m looking for a clear explanation (or minimal example flow) of how to go from **zero** to successfully retrieving audit log events through the Office 365 Management Activity API, because right now I don’t know what actions I’m expected to perform to “get” those activities.
Microsoft 365 and Office | Development | Other

Answer accepted by question author
  1. Kha-N 8,260 Reputation points Microsoft External Staff Moderator
    2025-12-22T01:27:34.5733333+00:00

    Hi @Netanelstern,

    Welcome to Microsoft Q&A, and thank you very much for reaching out to us.

    Your question's content was initially duplicated. We deleted the duplicated part to make this clearer.

    Based on your description, and in addition to the Q&A assist suggestions you’ve already received, I’d like to provide some further clarification on your questions:

    Do you need to create or trigger audit activities?

    Based on my research and testing, you don't. Microsoft 365 services generate audit events automatically whenever users, administrators, or the system itself performs actions.

    For example, in my testing environment, if I want to audit a user’s search activity in SharePoint or Outlook, the user simply performs the search action.

    Then, in Microsoft Purview > Solution > Audit, I review the corresponding audit activity that Microsoft 365 generated automatically.

    The API simply gives you programmatic access to the same audit events that already appear in the Purview Audit portal.

    To start receiving audit records using the Office 365 Management Activity API:

    First, per Microsoft’s documentation on get started with Office 365 Management Activity API, you must ensure Unified Audit Logging is enabled. If it’s not enabled, the Management Activity API will return no audit data.

    Kindly note that you need the Audit Logs role (via Exchange Online role groups) to turn auditing on or off.

    To check, first, ensure you have Exchange Online PowerShell installed and ExchangeOnline module imported, then connect to Security & Compliance PowerShell through this command:

    ```powershell
    Connect-IPPSSession
    ```

    Sign in to your account, then run this command below to check whether Unified Audit Logging is active for the tenant:

    ```powershell
    Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
    ```

    For more details, you can refer to the Microsoft documentation on verifying Unified Audit Logging here.

    Once auditing is confirmed as enabled, the next step is registering an application in Entra ID (Azure AD). Note that this requires an Azure subscription associated with the Microsoft 365 tenant so the application can obtain the necessary permissions for the Office 365 Management Activity API, for example ActivityFeed.Read, which allows the app to retrieve audit data through the API.

    For more details, including a step‑by‑step guide, you can refer to the Register your application in Microsoft Entra ID section on getting started with the Office 365 Management Activity API.

    After the app is registered and the required permissions are granted, you simply subscribe to the audit content types you need. From that point on, the API will begin delivering the audit events that Microsoft 365 generates automatically.

    As for how you know which content types to subscribe to, it depends entirely on the kinds of audit events you want to collect. Microsoft provides five audit content types, each aligned with a specific workload:

    • User logins and Azure AD directory changes > Audit.AzureActiveDirectory
    • SharePoint / OneDrive file access, edits, sharing, and downloads > Audit.SharePoint
    • Exchange mailbox activity (read, delete, rule changes, admin actions) > Audit.Exchange
    • General Microsoft 365 workloads > Audit.General
    • Data Loss Prevention policy matches > DLP.All

    I also came across an external article that also provided this mapping. Feel free to check it out here.


    After you subscribe to the content type you need, you can query the API for the available content blobs, then download each one and process the audit data contained inside.


    For more details, you can check this Microsoft documentation on Office 365 Management Activity API reference here.

    To avoid common pitfalls or troubleshooting errors, I highly suggest you check on Microsoft Office 365 Management Activity API FAQs here for additional clarity.

    Also, I'm able to find an external article that offers a simplified, step‑by‑step walkthrough from start to finish. I suggest reviewing it to see if it helps clarify things further for you.

    Note: Microsoft is providing this information as a convenience to you. These sites are not controlled by Microsoft, and Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please ensure that you fully understand the risks before using any suggestions from the above links.

    I hope this helps.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".     

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
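
The retrieval loop described in the answer above (list the available content blobs, then download and parse each one), as an added example that is not part of the original answers or Microsoft's own code. It splits the requested range into 24-hour windows and follows the `NextPageUri` response header, two API details the loop has to handle to avoid missing records. `http_get`, `fake_get`, the placeholder tenant ID and the sample records are assumptions constructed for illustration; in real use `http_get` would send an authenticated GET (bearer token for `https://manage.office.com`) after the subscription has been started.

```python
import json
from datetime import datetime, timedelta

BASE = "https://manage.office.com/api/v1.0"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
FMT = "%Y-%m-%dT%H:%M:%S"  # timestamps are sent in UTC

def windows(start, end, step=timedelta(hours=24)):
    """Split [start, end) into spans of at most 24 h, the API's per-query limit."""
    while start < end:
        stop = min(start + step, end)
        yield start, stop
        start = stop

def list_blobs(http_get, content_type, start, end):
    """Yield content-blob descriptors, following each NextPageUri header."""
    for lo, hi in windows(start, end):
        url = (f"{BASE}/{TENANT}/activity/feed/subscriptions/content"
               f"?contentType={content_type}"
               f"&startTime={lo.strftime(FMT)}&endTime={hi.strftime(FMT)}")
        while url:
            headers, body = http_get(url)
            yield from json.loads(body)
            url = headers.get("NextPageUri")

def fetch_events(http_get, content_type, start, end):
    """Download each blob once and return the audit records it contains."""
    seen, events = set(), []
    for blob in list_blobs(http_get, content_type, start, end):
        if blob["contentId"] not in seen:
            seen.add(blob["contentId"])
            events.extend(json.loads(http_get(blob["contentUri"])[1]))
    return events

def fake_get(url):
    """Constructed stand-in for an authenticated GET: returns (headers, body)."""
    if "/audit/" in url:  # blob download: a JSON array of audit records
        op = {"b1": "FileAccessed", "b2": "FileDownloaded"}[url[-2:]]
        return {}, json.dumps([{"Workload": "SharePoint", "Operation": op}])
    cid = "b2" if "nextPage=" in url else "b1"
    blob = {"contentId": cid, "contentUri": f"{BASE}/{TENANT}/activity/feed/audit/{cid}"}
    headers = {} if cid == "b2" else {"NextPageUri": url + "&nextPage=2"}
    return headers, json.dumps([blob])

if __name__ == "__main__":
    start = datetime(2025, 12, 20)
    for event in fetch_events(fake_get, "Audit.SharePoint", start, start + timedelta(hours=36)):
        print(event["Operation"])
```

Deduplicating on `contentId` keeps a blob that is listed in more than one window from being downloaded and counted twice.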

1 additional answer

  1. Q&A Assist
    2025-12-21T06:43:14.1333333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To retrieve Microsoft 365 audit log activities using the Office 365 Management Activity API, follow these steps:

    1. Enable Unified Audit Logging: Ensure that unified audit logging is enabled for your Microsoft 365 tenant. This is a prerequisite for accessing audit logs.
    2. Register an Entra ID (Azure AD) App: You need to register an application in Azure Active Directory to access the Management Activity API. This will provide you with the necessary credentials to authenticate your requests.
    3. Assign Permissions/Roles: Assign the appropriate permissions to your registered app. You will typically need permissions related to audit log access, such as AuditLog.Read.All.
    4. Create Subscriptions: Create a subscription for each content type you want to monitor. Common content types include:
      • Audit.Exchange
      • Audit.SharePoint
      • Audit.AzureActiveDirectory
      • Audit.General
      • DLP.All

      This step allows you to specify which activities you want to receive notifications about.
    5. Retrieve Data: After subscribing, you can retrieve data by querying for content blobs. The process generally involves:
      • Querying the API to get a list of content blobs that contain the audit records.
      • Downloading each blob, which will contain JSON events that you can parse to extract the audit log data.
    6. Common Content Types: For common scenarios, you should subscribe to content types that match your needs, such as login events, SharePoint file access, and Exchange admin actions. You can refer to the API documentation for a complete list of available content types.
    7. Common Gotchas: Be aware of potential issues such as:
      • No data returned due to incorrect permissions or audit logging not being enabled.
      • Throttling or latency in receiving data, especially if you are querying large volumes of logs.

    By following these steps, you should be able to successfully retrieve audit log events through the Office 365 Management Activity API.

