Why is the Office 365 Management Activity API returning such old entries?

Manuel K 1 Reputation point
2022-01-18T10:14:15.927+00:00

We are requesting activity data from the Office 365 Management Activity API as follows:

https://manage.office.com/api/v1.0/34f0717f-f1a0-4894-b310-d379993504b9/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory&startTime=2022-01-15T05:28:29&endTime=2022-01-16T05:28:29

We understand that the contentCreated date can be different from the CreationTime of the activity, but how is it possible that activities are returned that are many months old?

Here is an example:

{
    "CreationTime": "2021-05-25T08:10:02",
    "Id": "e31aaa92-ac91-438c-b7cb-c86c7e9810ee",
    "Operation": "Update group.",
    "OrganizationId": "34f0717f-f1a0-4894-b310-d379993504b9",
    "RecordType": 8,
    "ResultStatus": "Success",
    "UserKey": "[REDACTED]",
    "UserType": 0,
    "Version": 1,
    "Workload": "AzureActiveDirectory",
    "ObjectId": "Group_5dae6ae5-831f-4581-bb3b-db8f20c43e6f",
    "UserId": "[REDACTED]",
    "AzureActiveDirectoryEventType": 1,
    "ExtendedProperties": [
      {
        "Name": "additionalDetails",
        "Value": "{\"GroupType\":\"\"}"
      },
      {
        "Name": "extendedAuditEventCategory",
        "Value": "Group"
      }
    ],
    "ModifiedProperties": [
      {
        "Name": "LastDirSyncTime",
        "NewValue": "[\r\n  \"2021-05-25T08:10:02Z\"\r\n]",
        "OldValue": "[\r\n  \"2021-05-25T07:40:00Z\"\r\n]"
      },
      {
        "Name": "Included Updated Properties",
        "NewValue": "LastDirSyncTime",
        "OldValue": ""
      },
      {
        "Name": "Action Client Name",
        "NewValue": "DirectorySync",
        "OldValue": ""
      },
      {
        "Name": "TargetId.GroupType",
        "NewValue": "",
        "OldValue": ""
      }
    ],
    "Actor": [
      {
        "ID": "[REDACTED]",
        "Type": 5
      },
      {
        "ID": "10032000A85B4A27",
        "Type": 3
      },
      {
        "ID": "User_e8a33e0e-8b2f-49c0-a8e9-eed902569804",
        "Type": 2
      },
      {
        "ID": "e8a33e0e-8b2f-49c0-a8e9-eed902569804",
        "Type": 2
      },
      {
        "ID": "User",
        "Type": 2
      }
    ],
    "ActorContextId": "34f0717f-f1a0-4894-b310-d379993504b9",
    "InterSystemsId": "31e7a822-86cb-4662-9b4a-3dbc5dbdc013",
    "IntraSystemId": "195b6497-f096-43e9-a7b6-afbaa0bd3300",
    "SupportTicketId": "",
    "Target": [
      {
        "ID": "Group_5dae6ae5-831f-4581-bb3b-db8f20c43e6f",
        "Type": 2
      },
      {
        "ID": "5dae6ae5-831f-4581-bb3b-db8f20c43e6f",
        "Type": 2
      },
      {
        "ID": "Group",
        "Type": 2
      },
      {
        "ID": "[REDACTED]",
        "Type": 1
      }
    ],
    "TargetContextId": "34f0717f-f1a0-4894-b310-d379993504b9"
}

We are requesting data from January 2022 and receive pretty standard entries from May 2021. How is this possible?


1 answer

  1. Vasil Michev 94,911 Reputation points MVP
    2022-01-18T11:04:16.41+00:00

    It's not uncommon for them to "backfill" some missing data, but 8 months old seems a bit excessive indeed.

    1 person found this answer helpful.
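
For anyone ingesting this feed into a SIEM, the situation in this thread can be caught by comparing each record's CreationTime with the startTime of the listing request, so that late-arriving events are kept with their real event time and flagged instead of being mistaken for fresh activity. The sketch below is an added example, not code from the question, the answer or Microsoft; `triage_records`, `max_lag` and the two records with zero-padded Ids are assumptions made for illustration, as is treating Id as unique per event.

```python
import json
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample blob. The first record reuses CreationTime, Id and
# Operation from the question's example; the other two are made up, and the
# repeated Id simulates the same event being delivered twice.
SAMPLE_BLOB = json.dumps([
    {"Id": "e31aaa92-ac91-438c-b7cb-c86c7e9810ee",
     "CreationTime": "2021-05-25T08:10:02", "Operation": "Update group."},
    {"Id": "00000000-0000-0000-0000-000000000001",
     "CreationTime": "2022-01-15T09:00:00", "Operation": "Update group."},
    {"Id": "00000000-0000-0000-0000-000000000001",
     "CreationTime": "2022-01-15T09:00:00", "Operation": "Update group."},
])


def triage_records(blob_text, window_start, max_lag=timedelta(days=7), seen_ids=None):
    """Split audit records into on-time and late-arriving by CreationTime.

    window_start is the startTime sent in the content listing request.
    max_lag (hypothetical tolerance) is how long before window_start an
    event may have occurred before it is reported as late.
    seen_ids lets the caller carry the de-duplication set across blobs.
    """
    start = datetime.strptime(window_start, FMT)
    seen = set() if seen_ids is None else seen_ids
    result = {"on_time": [], "late": [], "duplicates": 0}
    for rec in json.loads(blob_text):
        if rec["Id"] in seen:          # already ingested, do not count twice
            result["duplicates"] += 1
            continue
        seen.add(rec["Id"])
        # Keep only the seconds-resolution part in case a fraction is present.
        created = datetime.strptime(rec["CreationTime"][:19], FMT)
        lag = start - created
        if lag > max_lag:
            # Keep the event, but record how stale it is so it can be
            # indexed under its own CreationTime and reviewed separately.
            result["late"].append((rec["Id"], rec["Operation"], lag.days))
        else:
            result["on_time"].append(rec["Id"])
    return result


if __name__ == "__main__":
    print(triage_records(SAMPLE_BLOB, "2022-01-15T05:28:29"))
```

Run against the request window from the question, the May 2021 record is reported as late with its lag in whole days, while the January record is ingested once.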