Microsoft Entra Id - Directory Audits API

Ron Weasley 0 Reputation points
2024-06-10T12:11:02.0533333+00:00

Hi,

We wanted to check for the REST API (Directory Audits API) - https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDateTime ge{} and activityDateTime le {}&$top={} .

  1. Does it support only one month of time span to fetch the logs?
  2. Sometimes we have observed that when we set $top=1000, we still get results more than 1000.

Also for Sign In and Provisioning logs do we have any time span limitation to fetch the logs?

Thanks

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Vasil Michev 100.2K Reputation points MVP
    2024-06-10T17:42:27.74+00:00

    30 days is the max for Entra ID logs. However, if you are using any O365/M365 service, you can query the unified audit log instead and get more flexibility. The exact details depend on the license. The "default" timespan you can cover is 180 days. If you have the Audit Premium SKU, you can cover any timeframe (though realistically you will not be getting records older than 3-4 years). Refer to the audit documentation for more details: https://learn.microsoft.com/en-us/purview/audit-search?tabs=microsoft-purview-portal

    Also, this applies only to the Unified audit log. Neither the Entra sign-in log nor provisioning logs offer more than 30 days timespan.

    Also also, not every Entra ID audit event will be copied to the Unified audit log, in general only events affecting objects that affect M365 services are covered.

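An added example, not part of the original thread and not Microsoft's code: a directory-audit collector that clamps the requested window to the 30-day maximum stated in the answer and pages through results with Graph's `@odata.nextLink`, since `$top` sets the page size rather than a cap on the total. The names `build_url` and `collect`, and the injected `get_json` callable (assumed to perform the authenticated GET and return parsed JSON), are hypothetical.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

BASE = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits"
RETENTION = timedelta(days=30)  # maximum stated in the answer above


def _ts(dt):
    """Format an aware datetime as the UTC timestamp used in the $filter."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_url(start, end, top=1000, now=None):
    """Clamp [start, end] to the 30-day window and build the query URL."""
    now = now or datetime.now(timezone.utc)
    start = max(start, now - RETENTION)
    end = min(end, now)
    if start >= end:
        raise ValueError("requested window lies outside the 30-day retention")
    flt = f"activityDateTime ge {_ts(start)} and activityDateTime le {_ts(end)}"
    return f"{BASE}?$filter={quote(flt)}&$top={int(top)}"


def collect(first_url, get_json, max_records=None):
    """Follow @odata.nextLink until exhausted; $top only sizes each page.

    get_json is an assumed callable: url -> dict (authenticated GET).
    """
    url, seen, out = first_url, set(), []
    while url:
        if url in seen:  # guard against a nextLink that loops back
            raise RuntimeError("nextLink loop detected")
        seen.add(url)
        page = get_json(url)
        out.extend(page.get("value", []))
        if max_records is not None and len(out) >= max_records:
            return out[:max_records]  # enforce a hard total on the client
        url = page.get("@odata.nextLink")
    return out
```

To keep audit history beyond the 30-day window, run a collector like this on a schedule and store the records elsewhere; `max_records` is the client-side way to enforce a hard total.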