Why is the Office 365 Management Activity API returning such old entries?

Manuel K 1 Reputation point
2022-01-18T10:14:15.927+00:00

We are requesting activity data from the Office 365 Management Activity API as follows:

https://manage.office.com/api/v1.0/34f0717f-f1a0-4894-b310-d379993504b9/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory&startTime=2022-01-15T05:28:29&endTime=2022-01-16T05:28:29

We understand that the contentCreated date can be different from the CreationTime of the activity, but how is it possible that activities are returned that are many months old?

Here is an example:

{
    "CreationTime": "2021-05-25T08:10:02",
    "Id": "e31aaa92-ac91-438c-b7cb-c86c7e9810ee",
    "Operation": "Update group.",
    "OrganizationId": "34f0717f-f1a0-4894-b310-d379993504b9",
    "RecordType": 8,
    "ResultStatus": "Success",
    "UserKey": "[REDACTED]",
    "UserType": 0,
    "Version": 1,
    "Workload": "AzureActiveDirectory",
    "ObjectId": "Group_5dae6ae5-831f-4581-bb3b-db8f20c43e6f",
    "UserId": "[REDACTED]",
    "AzureActiveDirectoryEventType": 1,
    "ExtendedProperties": [
      {
        "Name": "additionalDetails",
        "Value": "{\"GroupType\":\"\"}"
      },
      {
        "Name": "extendedAuditEventCategory",
        "Value": "Group"
      }
    ],
    "ModifiedProperties": [
      {
        "Name": "LastDirSyncTime",
        "NewValue": "[\r\n  \"2021-05-25T08:10:02Z\"\r\n]",
        "OldValue": "[\r\n  \"2021-05-25T07:40:00Z\"\r\n]"
      },
      {
        "Name": "Included Updated Properties",
        "NewValue": "LastDirSyncTime",
        "OldValue": ""
      },
      {
        "Name": "Action Client Name",
        "NewValue": "DirectorySync",
        "OldValue": ""
      },
      {
        "Name": "TargetId.GroupType",
        "NewValue": "",
        "OldValue": ""
      }
    ],
    "Actor": [
      {
        "ID": "[REDACTED]",
        "Type": 5
      },
      {
        "ID": "10032000A85B4A27",
        "Type": 3
      },
      {
        "ID": "User_e8a33e0e-8b2f-49c0-a8e9-eed902569804",
        "Type": 2
      },
      {
        "ID": "e8a33e0e-8b2f-49c0-a8e9-eed902569804",
        "Type": 2
      },
      {
        "ID": "User",
        "Type": 2
      }
    ],
    "ActorContextId": "34f0717f-f1a0-4894-b310-d379993504b9",
    "InterSystemsId": "31e7a822-86cb-4662-9b4a-3dbc5dbdc013",
    "IntraSystemId": "195b6497-f096-43e9-a7b6-afbaa0bd3300",
    "SupportTicketId": "",
    "Target": [
      {
        "ID": "Group_5dae6ae5-831f-4581-bb3b-db8f20c43e6f",
        "Type": 2
      },
      {
        "ID": "5dae6ae5-831f-4581-bb3b-db8f20c43e6f",
        "Type": 2
      },
      {
        "ID": "Group",
        "Type": 2
      },
      {
        "ID": "[REDACTED]",
        "Type": 1
      }
    ],
    "TargetContextId": "34f0717f-f1a0-4894-b310-d379993504b9"
}

We are requesting data from January 2022 and receive pretty standard entries from May 2021. How is this possible?

Azure Active Directory

1 answer

  1. Vasil Michev 66,326 Reputation points MVP
    2022-01-18T11:04:16.41+00:00

    It's not uncommon for them to "backfill" some missing data, but 8 months old seems a bit excessive indeed.

    1 person found this answer helpful.
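One way to catch such late-arriving records at ingestion time, as an added example that is not part of the original thread or Microsoft's code: compare each record's CreationTime with the contentCreated of the content blob that delivered it, and set aside records whose lag exceeds a threshold so that detections keyed on event time are not skewed. The contentCreated value, the second sample record, the 24-hour threshold and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data. contentCreated is a made-up value inside the
# requested window; the first record reuses Id and CreationTime from the
# question, the second is invented and appears twice to exercise dedup.
SAMPLE_BLOB = {
    "contentType": "Audit.AzureActiveDirectory",
    "contentCreated": "2022-01-15T09:12:44.000Z",
}
SAMPLE_RECORDS = [
    {"Id": "e31aaa92-ac91-438c-b7cb-c86c7e9810ee",
     "CreationTime": "2021-05-25T08:10:02", "Operation": "Update group."},
    {"Id": "00000000-0000-0000-0000-000000000001",
     "CreationTime": "2022-01-15T08:55:10", "Operation": "Update group."},
    {"Id": "00000000-0000-0000-0000-000000000001",
     "CreationTime": "2022-01-15T08:55:10", "Operation": "Update group."},
]


def parse_utc(value):
    """Parse a UTC timestamp with or without fractional seconds / trailing Z."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def triage(blob, records, seen_ids, max_lag=timedelta(hours=24)):
    """Return (on_time, late) records, each annotated with its IngestLag.

    max_lag is an assumed threshold; tune it to the delay you normally see.
    seen_ids persists across polls so overlapping windows do not ingest
    the same record Id twice.
    """
    published = parse_utc(blob["contentCreated"])
    on_time, late = [], []
    for rec in records:
        if rec["Id"] in seen_ids:
            continue
        seen_ids.add(rec["Id"])
        lag = published - parse_utc(rec["CreationTime"])
        annotated = dict(rec, IngestLag=lag)
        (late if lag > max_lag else on_time).append(annotated)
    return on_time, late


if __name__ == "__main__":
    ok, backfilled = triage(SAMPLE_BLOB, SAMPLE_RECORDS, set())
    for rec in backfilled:
        print(f"late record {rec['Id']}: lag {rec['IngestLag'].days} days")
```

Late records are still worth ingesting; indexing them under CreationTime rather than arrival time keeps them out of "last 24 hours" alert windows while leaving them searchable for investigations.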