List directoryAudits

Namespace: microsoft.graph

Get the list of audit logs generated by Azure Active Directory (Azure AD). This includes audit logs generated by various services within Azure AD, including user, app, device and group Management, privileged identity management (PIM), access reviews, terms of use, identity protection, password management (self-service and admin password resets), and self- service group management, and so on.


One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type Permissions (from least to most privileged)
Delegated (work or school account) AuditLog.Read.All and Directory.Read.All
Delegated (personal Microsoft account) Not supported.
Application AuditLog.Read.All and Directory.Read.All

HTTP request

GET /auditLogs/directoryaudits

Optional query parameters

This method supports the following OData query parameters to help customize the response. For details about how to use these parameters, see OData query parameters.

Parameter Description Example
$filter Filters results (rows). /auditLogs/directoryAudits?&$filter=activityDateTime le 2018-01-24
$top Sets the page size of results. /auditLogs/directoryAudits?$top=1
$skiptoken Retrieves the next page of results from result sets that span multiple pages. /auditLogs/directoryAudits?$skiptoken=01fa0e77c60c2d3d63226c8e3294c860__1

Attributes supported by $filter parameter

Attribute Supported operators
activityDisplayName eq, startswith
activityDateTime eq, ge, le
loggedByService eq
initiatedBy/user/id eq
initiatedBy/user/displayName eq
initiatedBy/user/userPrincipalName eq, startswith
initiatedBy/app/appId eq
initiatedBy/app/displayName eq
targetResources/any(t: t/id eq '{value}') eq
targetResources/any(t:t/displayName eq '{value}') eq
targetResources/any(x: startswith(x/displayName, '{value}')) startswith

Request headers

Name Description
Authorization Bearer {code}

Request body

Do not supply a request body for this method.


If successful, this method returns a 200 OK response code and a collection of directoryAudit objects in the response body.



The following is an example of the request.



The following is an example of the response.

Note: The response object shown here might be shortened for readability.

Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.

HTTP/1.1 200 OK
Content-type: application/json

  "@odata.context": "$metadata#auditlogs/directoryaudits",
  "value": [{
        "id": "id",
        "category": "UserManagement",
        "correlationId": "da159bfb-54fa-4092-8a38-6e1fa7870e30",
        "result": "success",
        "resultReason": "Successfully added member to group",
        "activityDisplayName": "Add member to group",
        "activityDateTime": "2018-01-09T21:20:02.7215374Z",
        "loggedByService": "Core Directory",
        "initiatedBy": {
            "user": {
                "id": "728309ae-1a37-4937-9afe-e35d964db09b",
                "displayName": "Audry Oliver",
                "userPrincipalName": "",
                "ipAddress": ""
            "app": null
        "targetResources": [{
            "id": "ef7e527d-6c92-4234-8c6d-cf6fdfb57f95",
            "displayName": "",
            "Type": "Group",
            "modifiedProperties": [{
                "displayName": "Action Client Name",
                "oldValue": null,
                "newValue": "DirectorySync"}],
            "groupType": "unifiedGroups"
            "id": "1f0e98f5-3161-4c6b-9b50-d488572f2bb7",
            "displayName": null,
            "Type": "User",
            "modifiedProperties": [],
            "userPrincipalName": ""
        "additionalDetails": [{
            "key": "Additional Detail Name",
            "value": "Additional Detail Value"