We are requesting activity data from the Office 365 Management Activity API as follows:
https://manage.office.com/api/v1.0/34f0717f-f1a0-4894-b310-d379993504b9/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory&startTime=2022-01-15T05:28:29&endTime=2022-01-16T05:28:29
We understand that the contentCreated date can be different from the CreationTime of the activity, but how is it possible that activities are returned that are many months old?
Here is an example:
{
  "CreationTime": "2021-05-25T08:10:02",
  "Id": "e31aaa92-ac91-438c-b7cb-c86c7e9810ee",
  "Operation": "Update group.",
  "OrganizationId": "34f0717f-f1a0-4894-b310-d379993504b9",
  "RecordType": 8,
  "ResultStatus": "Success",
  "UserKey": "[REDACTED]",
  "UserType": 0,
  "Version": 1,
  "Workload": "AzureActiveDirectory",
  "ObjectId": "Group_5dae6ae5-831f-4581-bb3b-db8f20c43e6f",
  "UserId": "[REDACTED]",
  "AzureActiveDirectoryEventType": 1,
  "ExtendedProperties": [
    {
      "Name": "additionalDetails",
      "Value": "{\"GroupType\":\"\"}"
    },
    {
      "Name": "extendedAuditEventCategory",
      "Value": "Group"
    }
  ],
  "ModifiedProperties": [
    {
      "Name": "LastDirSyncTime",
      "NewValue": "[\r\n \"2021-05-25T08:10:02Z\"\r\n]",
      "OldValue": "[\r\n \"2021-05-25T07:40:00Z\"\r\n]"
    },
    {
      "Name": "Included Updated Properties",
      "NewValue": "LastDirSyncTime",
      "OldValue": ""
    },
    {
      "Name": "Action Client Name",
      "NewValue": "DirectorySync",
      "OldValue": ""
    },
    {
      "Name": "TargetId.GroupType",
      "NewValue": "",
      "OldValue": ""
    }
  ],
  "Actor": [
    {
      "ID": "[REDACTED]",
      "Type": 5
    },
    {
      "ID": "10032000A85B4A27",
      "Type": 3
    },
    {
      "ID": "User_e8a33e0e-8b2f-49c0-a8e9-eed902569804",
      "Type": 2
    },
    {
      "ID": "e8a33e0e-8b2f-49c0-a8e9-eed902569804",
      "Type": 2
    },
    {
      "ID": "User",
      "Type": 2
    }
  ],
  "ActorContextId": "34f0717f-f1a0-4894-b310-d379993504b9",
  "InterSystemsId": "31e7a822-86cb-4662-9b4a-3dbc5dbdc013",
  "IntraSystemId": "195b6497-f096-43e9-a7b6-afbaa0bd3300",
  "SupportTicketId": "",
  "Target": [
    {
      "ID": "Group_5dae6ae5-831f-4581-bb3b-db8f20c43e6f",
      "Type": 2
    },
    {
      "ID": "5dae6ae5-831f-4581-bb3b-db8f20c43e6f",
      "Type": 2
    },
    {
      "ID": "Group",
      "Type": 2
    },
    {
      "ID": "[REDACTED]",
      "Type": 1
    }
  ],
  "TargetContextId": "34f0717f-f1a0-4894-b310-d379993504b9"
}
We are requesting data from January 2022 and receive pretty standard entries from May 2021. How is this possible?
It's not uncommon for them to "backfill" some missing data, but 8 months old seems a bit excessive indeed.
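An added example, not part of the original thread and not Microsoft's code: since the request window is matched against contentCreated rather than CreationTime, a log consumer can bucket each record by its own CreationTime and deduplicate on Id, so backfilled events are kept for the timeline but not treated as fresh activity. The function names, bucket names and the one-day max_lag tolerance are assumptions; the sample records are constructed, with only the first reusing the Id and CreationTime shown in the question.

```python
from datetime import datetime, timedelta

# startTime from the request in the question (UTC).
WINDOW_START = datetime.fromisoformat("2022-01-15T05:28:29")

# Constructed sample: the first record reuses Id and CreationTime from the
# question; the other Ids and timestamps are made up for illustration.
SAMPLE_RECORDS = [
    {"Id": "e31aaa92-ac91-438c-b7cb-c86c7e9810ee", "CreationTime": "2021-05-25T08:10:02"},
    {"Id": "00000000-0000-0000-0000-000000000001", "CreationTime": "2022-01-15T09:00:00"},
    {"Id": "00000000-0000-0000-0000-000000000001", "CreationTime": "2022-01-15T09:00:00"},
    {"Id": "00000000-0000-0000-0000-000000000002", "CreationTime": "2022-01-15T04:58:00"},
]


def lag(record, start):
    """How long before the requested window start the activity itself occurred."""
    return start - datetime.fromisoformat(record["CreationTime"])


def triage(records, start, max_lag=timedelta(days=1), seen_ids=None):
    """Bucket audit records by CreationTime relative to the content window.

    in_window  : activity occurred at or after the window start
    late       : activity predates the window by at most max_lag (assumed tolerance)
    backfilled : activity predates the window by more than max_lag
    duplicate  : Id already seen (pass a persistent set to dedupe across polls)
    """
    seen = set() if seen_ids is None else seen_ids
    buckets = {"in_window": [], "late": [], "backfilled": [], "duplicate": []}
    for rec in records:
        if rec["Id"] in seen:
            buckets["duplicate"].append(rec)
            continue
        seen.add(rec["Id"])
        delta = lag(rec, start)
        if delta <= timedelta(0):
            buckets["in_window"].append(rec)
        elif delta <= max_lag:
            buckets["late"].append(rec)
        else:
            # Keep for the historical timeline; do not alert on it as new activity.
            buckets["backfilled"].append(rec)
    return buckets
```

Backfilled records are still indexed under their CreationTime; only real-time alerting skips them.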