Diagnostic Settings and Logging - AADGraphActivityLogs

Terrance DeJesus 5 Reputation points
2026-05-05T16:48:37.05+00:00

I'm trying to enable AzureADGraphActivityLogs as part of a Microsoft Entra ID diagnostic setting (scope microsoft.aadiam) so I can monitor legacy AAD Graph (graph.windows.net) usage in my tenant. The category is configurable via the API and shows as enabled: true in the diagnostic-settings (Entra ID) response. But after generating documented legacy AAD Graph traffic, zero events of this category are emitted, while every other Entra category in the same diagnostic setting flows correctly.

What I've verified to rule out misconfiguration on my side:

  1. Diagnostic setting state: GET /providers/microsoft.aadiam/diagnosticSettings/...?api-version=2017-04-01-preview returns AzureADGraphActivityLogs with enabled: true and a valid Event Hub destination. All other categories in the same setting (AuditLogs, SignInLogs, MicrosoftGraphActivityLogs, ProvisioningLogs, etc.) emit to the same EH within minutes and those are the control. P1/P2 license is in place; Security Administrator role used to author everything.
  2. The traffic seems like real legacy AAD Graph, not a redirect to Microsoft Graph; response headers and body shape confirm the legacy endpoint:
x-ms-dirapi-data-contract-version: 1.6
DataServiceVersion: 3.0
X-AspNet-Version: 4.0.30319
Content-Type: application/json; odata=minimalmetadata
{"odata.metadata":"https://graph.windows.net/<tenant>/$metadata#directoryObjects",
 "value":[{"odata.type":"Microsoft.DirectoryServices.User","objectId":"...",
           "objectType":"User", ...}]}

Calls return 200 OK with valid AAD Graph schema; this is not a deprecation redirect. Token audience is https://graph.windows.net, issued via Azure CLI's first-party FoCI client (04b07795-8ddb-461a-bbee-02f9e1bf7b46).

  3. Cross-checked the alternative path. Created a second diagnostic setting routing AzureADGraphActivityLogs + MicrosoftGraphActivityLogs (control) to a Log Analytics workspace. After ~50 minutes, the modern Graph control populated MicrosoftGraphActivityLogs table but the AADGraphActivityLogs table remained empty. Setting since deleted. So the category is silent regardless of destination type.
  4. The traffic also doesn't double-emit to the modern Graph category. The 18 confirmed legacy requests do not appear in MicrosoftGraphActivityLogs either. So AzureADGraphActivityLogs is the only correct destination, and they are not being emitted.

The conspicuous documentation gap:

The schema reference page exists at https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadgraphactivitylogs but the canonical "Logs available for streaming from Microsoft Entra ID" page lists 14+ categories and does not list AzureADGraphActivityLogs at all.

Questions:

  1. Is AzureADGraphActivityLogs currently in private preview / limited rollout? Maybe that is why my modern tenant doesn't have events emitting.
  2. If it's GA, what would explain a tenant where the category is configurable but emits zero events while all sibling categories emit correctly?

Any pointers would help a ton, thanks!

1 answer

  Sridevi Machavarapu 32,725 Reputation points Microsoft External Staff Moderator
    2026-05-05T17:17:15.2+00:00

    Hello Terrance DeJesus,

    This does not appear to be a configuration issue. Based on the information you shared, your diagnostic settings and routing are configured correctly.

    Although AzureADGraphActivityLogs can be enabled through the API, it may not emit events even when valid Azure AD Graph (graph.windows.net) traffic is generated. Since other categories such as AuditLogs, SignInLogs, MicrosoftGraphActivityLogs, and ProvisioningLogs are successfully flowing to the same destination, the diagnostic pipeline itself appears to be functioning as expected.

    Azure AD Graph has been deprecated and replaced by Microsoft Graph. The absence of AzureADGraphActivityLogs from the official “Logs available for streaming from Microsoft Entra ID” documentation suggests that this category is not broadly supported for customer telemetry.

    To answer your questions:

    • The category does not appear to be generally available for active telemetry collection.
    • While it can still be configured through the API, event generation may not occur in all tenants.

    As an alternative, you can use Sign-in Logs, Audit Logs, or monitor traffic to graph.windows.net through your network tooling to identify applications still using Azure AD Graph. Migrating those applications to Microsoft Graph is recommended, as Microsoft Graph activity logging is fully supported.

    Overall, the behavior you observed appears to be a platform limitation rather than an issue with your tenant configuration.

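As an added example (not code from the thread or from Microsoft), the following Python script implements the answer's suggested fallback: triaging Entra sign-in logs to find client applications that are still requesting tokens for Azure AD Graph. It assumes a JSON-lines export of the Azure Monitor SigninLogs table; the AAD Graph and Microsoft Graph resource identities and the sample records are assumptions constructed for this example, with the Azure CLI app id taken from the question.

```python
import json
from collections import defaultdict

# Assumed well-known resource identities: the AAD Graph service principal
# (token audience https://graph.windows.net) and Microsoft Graph. Neither
# value appears in the thread; verify against your tenant before relying on it.
AAD_GRAPH_RESOURCE_ID = "00000002-0000-0000-c000-000000000000"
AAD_GRAPH_RESOURCE_NAME = "Windows Azure Active Directory"

# Constructed sample export of the SigninLogs table (Azure Monitor field names;
# all values are made up for this example, except the Azure CLI AppId).
SAMPLE_SIGNIN_LOGS = """
{"TimeGenerated":"2026-05-05T16:01:00Z","AppId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","AppDisplayName":"Microsoft Azure CLI","ResourceIdentity":"00000002-0000-0000-c000-000000000000","ResourceDisplayName":"Windows Azure Active Directory","UserPrincipalName":"admin@contoso.example","ResultType":"0"}
{"TimeGenerated":"2026-05-05T16:02:00Z","AppId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","AppDisplayName":"Microsoft Azure CLI","ResourceIdentity":"00000003-0000-0000-c000-000000000000","ResourceDisplayName":"Microsoft Graph","UserPrincipalName":"admin@contoso.example","ResultType":"0"}
{"TimeGenerated":"2026-05-05T16:05:00Z","AppId":"11111111-2222-3333-4444-555555555555","AppDisplayName":"LegacyHRSync","ResourceIdentity":"00000002-0000-0000-c000-000000000000","ResourceDisplayName":"Windows Azure Active Directory","UserPrincipalName":"svc-hr@contoso.example","ResultType":"0"}
{"TimeGenerated":"2026-05-05T16:06:00Z","AppId":"11111111-2222-3333-4444-555555555555","AppDisplayName":"LegacyHRSync","ResourceIdentity":"00000002-0000-0000-c000-000000000000","ResourceDisplayName":"Windows Azure Active Directory","UserPrincipalName":"svc-hr@contoso.example","ResultType":"50126"}
"""


def parse_signin_export(text):
    """Parse a JSON-lines export, skipping blank or malformed lines instead of aborting."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def is_aad_graph_token_request(rec):
    """True when the sign-in requested a token whose resource is Azure AD Graph."""
    return (rec.get("ResourceIdentity") == AAD_GRAPH_RESOURCE_ID
            or rec.get("ResourceDisplayName") == AAD_GRAPH_RESOURCE_NAME)


def aad_graph_callers(records):
    """Aggregate AAD Graph token requests per client app: issued tokens, failures, distinct users."""
    summary = defaultdict(lambda: {"app_display_name": None, "tokens": 0, "failures": 0, "users": set()})
    for rec in records:
        if not is_aad_graph_token_request(rec):
            continue
        entry = summary[rec.get("AppId", "unknown")]
        entry["app_display_name"] = rec.get("AppDisplayName")
        if rec.get("ResultType", "0") == "0":
            entry["tokens"] += 1          # ResultType 0 is a successful sign-in
        else:
            entry["failures"] += 1        # any other code: no token was issued
        entry["users"].add(rec.get("UserPrincipalName"))
    return dict(summary)


if __name__ == "__main__":
    for app_id, info in aad_graph_callers(parse_signin_export(SAMPLE_SIGNIN_LOGS)).items():
        print(app_id, info["app_display_name"], info["tokens"], "tokens,", info["failures"], "failed,", sorted(info["users"]))
```

Sign-in logs record token issuance, not the API calls themselves, so this is a proxy: calls made with a cached AAD Graph token will not appear, which is why the answer also suggests watching network traffic to graph.windows.net.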