List directoryAudits
Namespace: microsoft.graph
Get the list of audit logs generated by Azure Active Directory (Azure AD). This includes audit logs generated by various services within Azure AD, including user, app, device and group Management, privileged identity management (PIM), access reviews, terms of use, identity protection, password management (self-service and admin password resets), and self- service group management, and so on.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | AuditLog.Read.All and Directory.Read.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | AuditLog.Read.All and Directory.Read.All |
HTTP request
GET /auditLogs/directoryaudits
Optional query parameters
This method supports the following OData query parameters to help customize the response. For details about how to use these parameters, see OData query parameters.
| Parameter | Description | Example |
|---|---|---|
| $filter | Filters results (rows). | /auditLogs/directoryAudits?&$filter=activityDateTime le 2018-01-24 |
| $top | Sets the page size of results. | /auditLogs/directoryAudits?$top=1 |
| $skiptoken | Retrieves the next page of results from result sets that span multiple pages. | /auditLogs/directoryAudits?$skiptoken=01fa0e77c60c2d3d63226c8e3294c860__1 |
Attributes supported by $filter parameter
| Attribute | Supported operators |
|---|---|
| activityDisplayName | eq, startswith |
| activityDateTime | eq, ge, le |
| loggedByService | eq |
| initiatedBy/user/id | eq |
| initiatedBy/user/displayName | eq |
| initiatedBy/user/userPrincipalName | eq, startswith |
| initiatedBy/app/appId | eq |
| initiatedBy/app/displayName | eq |
| targetResources/any(t: t/id eq '{value}') | eq |
| targetResources/any(t:t/displayName eq '{value}') | eq |
| targetResources/any(x: startswith(x/displayName, '{value}')) | startswith |
Request headers
| Name | Description |
|---|---|
| Authorization | Bearer {code} |
Request body
Do not supply a request body for this method.
Response
If successful, this method returns a 200 OK response code and a collection of directoryAudit objects in the response body.
Example
Request
The following is an example of the request.
GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits
Response
The following is an example of the response.
Note: The response object shown here might be shortened for readability.
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#auditlogs/directoryaudits",
"value": [{
"id": "id",
"category": "UserManagement",
"correlationId": "da159bfb-54fa-4092-8a38-6e1fa7870e30",
"result": "success",
"resultReason": "Successfully added member to group",
"activityDisplayName": "Add member to group",
"activityDateTime": "2018-01-09T21:20:02.7215374Z",
"loggedByService": "Core Directory",
"initiatedBy": {
"user": {
"id": "728309ae-1a37-4937-9afe-e35d964db09b",
"displayName": "Audry Oliver",
"userPrincipalName": "bob@wingtiptoysonline.com",
"ipAddress": "127.0.0.1"
},
"app": null
},
"targetResources": [{
"id": "ef7e527d-6c92-4234-8c6d-cf6fdfb57f95",
"displayName": "Example.com",
"Type": "Group",
"modifiedProperties": [{
"displayName": "Action Client Name",
"oldValue": null,
"newValue": "DirectorySync"}],
"groupType": "unifiedGroups"
},
{
"id": "1f0e98f5-3161-4c6b-9b50-d488572f2bb7",
"displayName": null,
"Type": "User",
"modifiedProperties": [],
"userPrincipalName": "bob@contoso.com"
}],
"additionalDetails": [{
"key": "Additional Detail Name",
"value": "Additional Detail Value"
}]
}]
}
Feedback
Submit and view feedback for