How to analyze activity logs with Microsoft Graph
The Microsoft Entra reporting APIs provide you with programmatic access to the data through a set of REST APIs. You can call these APIs from many programming languages and tools.
This article describes how to analyze Microsoft Entra activity logs with Microsoft Graph Explorer and Microsoft Graph PowerShell.
Prerequisites
- A working Microsoft Entra tenant with a Microsoft Entra ID P1 or P2 license associated with it.
- To consent to the required permissions, you need the Privileged Role Administrator.
Access reports using Microsoft Graph Explorer
With all the prerequisites configured, you can run activity log queries in Microsoft Graph. The Microsoft Graph API isn't designed for pulling large amounts of activity data. Pulling large amounts of activity data using the API might lead to issues with pagination and performance. For more information on Microsoft Graph queries for activity logs, see Activity reports API overview.
Select your profile and then select Modify permissions.
Consent to the following required permissions:
AuditLog.Read.All
Directory.Read.All
Use one of the following queries to start using Microsoft Graph for accessing activity logs:
- GET
https://graph.microsoft.com/v1.0/auditLogs/directoryAudits
- GET
https://graph.microsoft.com/v1.0/auditLogs/signIns
- GET
https://graph.microsoft.com/v1.0/auditLogs/provisioning
- GET
Fine-tune your queries
To search for specific activity log entries, use the $filter and createdDateTime query parameters with one of the available properties. Some of the following queries use the beta
endpoint. The beta endpoint is subject to change and isn't recommended for production use.
Try using the following queries:
For sign-in attempts where Conditional Access failed:
- GET
https://graph.microsoft.com/v1.0/auditLogs/signIns?&$filter=conditionalAccessStatus eq 'failure'
- GET
To find sign-ins to a specific application:
- GET
https://graph.microsoft.com/v1.0/auditLogs/signIns?&$filter=(createdDateTime ge 2024-01-13T14:13:32Z and createdDateTime le 2024-01-14T17:43:26Z) and appId eq 'APP ID'
- GET
For non-interactive sign-ins:
- GET
https://graph.microsoft.com/beta/auditLogs/signIns?&$filter=(createdDateTime ge 2024-01-13T14:13:32Z and createdDateTime le 2024-01-14T17:43:26Z) and signInEventTypes/any(t: t eq 'nonInteractiveUser')
- GET
For service principal sign-ins:
- GET
https://graph.microsoft.com/beta/auditLogs/signIns?&$filter=(createdDateTime ge 2024-01-13T14:13:32Z and createdDateTime le 2024-01-14T17:43:26Z) and signInEventTypes/any(t: t eq 'servicePrincipal')
- GET
For managed identity sign-ins:
- GET
https://graph.microsoft.com/beta/auditLogs/signIns?&$filter=(createdDateTime ge 2024-01-13T14:13:32Z and createdDateTime le 2024-01-14T17:43:26Z) and signInEventTypes/any(t: t eq 'managedIdentity')
- GET
To get the authentication method of a user:
- GET
https://graph.microsoft.com/beta/users/{userObjectId}/authentication/methods
- Requires
UserAuthenticationMethod.Read.All
permission
- GET
To see the user registration details report:
- GET
https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails
- Requires
UserAuthenticationMethod.Read.All
permission
- GET
For the registration details of specific user:
- GET
https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails/{userId}
- Requires
UserAuthenticationMethod.Read.All
permission
- GET
Related APIs
Once you're familiar with the standard sign-in and audit logs, try exploring these other APIs:
Access reports using Microsoft Graph PowerShell
You can use PowerShell to access the Microsoft Entra reporting API. For more information, see Microsoft Graph PowerShell overview.
Microsoft Graph PowerShell cmdlets:
- Audit logs:
Get-MgAuditLogDirectoryAudit
- Sign-in logs:
Get-MgAuditLogSignIn
- Provisioning logs:
Get-MgAuditLogProvisioning
- Explore the full list of reporting-related Microsoft Graph PowerShell cmdlets.
Common errors
Error: Neither tenant is B2C or tenant doesn't have premium license: Accessing sign-in reports requires a Microsoft Entra ID P1 or P2 license. If you see this error message while accessing sign-ins, make sure that your tenant is licensed with a Microsoft Entra ID P1 license.
Error: User isn't in the allowed roles: If you see this error message while trying to access audit logs or sign-ins using the API, make sure that your account is part of the Security Reader or Reports Reader role in your Microsoft Entra tenant.
Error: Application missing Microsoft Entra ID 'Read directory data' or 'Read all audit log data' permission: The application must have either the AuditLog.Read.All
or Directory.Read.All
permission to access the activity logs with Microsoft Graph.