AuditLog.Read.All
Allows the app to read and query your audit log activities, on behalf of the signed-in user.
Graph Methods
Type: A = Application Permission, D = Delegate Permission
Delegate Permission
| Id | e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20 |
| Consent Type | Admin |
| Display String | Read audit log data |
| Description | Allows the app to read and query your audit log activities, on behalf of the signed-in user. |
Application Permission
| Id | b0afded3-3588-46d8-8b3d-9842eff778da |
| Display String | Read all audit log data |
| Description | Allows the app to read and query your audit log activities, without a signed-in user. |
Resources
directoryAudit
| Property | Type | Description |
|---|---|---|
| activityDateTime | DateTimeOffset | Indicates the date and time the activity was performed. The Timestamp type is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| activityDisplayName | String | Indicates the activity name or the operation name (examples: "Create User" and "Add member to group"). For full list, see Azure AD activity list. |
| additionalDetails | keyValue collection | Indicates additional details on the activity. |
| category | String | Indicates which resource category that's targeted by the activity. For example: UserManagement, GroupManagement, ApplicationManagement, RoleManagement. |
| correlationId | Guid | Indicates a unique ID that helps correlate activities that span across various services. Can be used to trace logs across services. |
| id | String | Indicates the unique ID for the activity. This is a GUID. |
| initiatedBy | auditActivityInitiator | Indicates information about the user or app initiated the activity. |
| loggedByService | String | Indicates information on which service initiated the activity (For example: Self-service Password Management, Core Directory, B2C, Invited Users, Microsoft Identity Manager, Privileged Identity Management. |
| operationType | String | Indicates the type of operation that was performed. The possible values include but are not limited to the following: Add, Assign, Update, Unassign, and Delete. |
| result | operationResult | Indicates the result of the activity. Possible values are: success, failure, timeout, unknownFutureValue. |
| resultReason | String | Indicates the reason for failure if the result is failure or timeout. |
| targetResources | targetResource collection | Indicates information on which resource was changed due to the activity. Target Resource Type can be User, Device, Directory, App, Role, Group, Policy or Other. |
provisioningObjectSummary
| Property | Type | Description |
|---|---|---|
| activityDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
| changeId | String | Unique ID of this change in this cycle. |
| cycleId | String | Unique ID per job iteration. |
| durationInMilliseconds | Int32 | Indicates how long this provisioning action took to finish. Measured in milliseconds. |
| id | String | Indicates the unique ID for the activity. This is a read-only GUID. |
| initiatedBy | initiator | Details of who initiated this provisioning. |
| jobId | String | The unique ID for the whole provisioning job. |
| modifiedProperties | modifiedProperty collection | Details of each property that was modified in this provisioning action on this object. |
| provisioningAction | provisioningAction | Indicates the activity name or the operation name. Possible values are: create, update, delete, stageddelete, disable, other and unknownFutureValue. For a list of activities logged, refer to Azure AD activity list. |
| provisioningStatusInfo | provisioningStatusInfo | Details of provisioning status. |
| provisioningSteps | provisioningStep collection | Details of each step in provisioning. |
| servicePrincipal | servicePrincipal collection | Represents the service principal used for provisioning. |
| sourceIdentity | provisionedIdentity | Details of source object being provisioned. |
| sourceSystem | provisioningSystem | Details of source system of the object being provisioned. |
| targetIdentity | provisionedIdentity | Details of target object being provisioned. |
| targetSystem | provisioningSystem | Details of target system of the object being provisioned. |
| tenantId | String | Unique Azure AD tenant ID. |
signIn
| Property | Type | Description |
|---|---|---|
| appDisplayName | String | App name displayed in the Azure Portal. Supports $filter (eq and startsWith operators only). |
| appId | String | Unique GUID representing the app ID in the Azure Active Directory. Supports $filter (eq operator only). |
| appliedConditionalAccessPolicies | appliedConditionalAccessPolicy collection | Provides a list of conditional access policies that are triggered by the corresponding sign-in activity. |
| clientAppUsed | String | Identifies the client used for the sign-in activity. Modern authentication clients include Browser and modern clients. Legacy authentication clients include Exchange ActiveSync, IMAP, MAPI, SMTP, POP, and other clients. Supports $filter (eq operator only). |
| conditionalAccessStatus | conditionalAccessStatus | Reports status of an activated conditional access policy. Possible values are: success, failure, notApplied, and unknownFutureValue. Supports $filter (eq operator only). |
| correlationId | String | The request ID sent from the client when the sign-in is initiated; used to troubleshoot sign-in activity. Supports $filter (eq operator only). |
| createdDateTime | DateTimeOffset | Date and time (UTC) the sign-in was initiated. Example: midnight on Jan 1, 2014 is reported as 2014-01-01T00:00:00Z. Supports $orderby and $filter (eq, le, and ge operators only). |
| deviceDetail | deviceDetail | Device information from where the sign-in occurred; includes device ID, operating system, and browser. Supports $filter (eq and startsWith operators only) on browser and operatingSytem properties. |
| id | String | Unique ID representing the sign-in activity. Supports $filter (eq operator only). |
| ipAddress | String | IP address of the client used to sign in. Supports $filter (eq and startsWith operators only). |
| isInteractive | Boolean | Indicates if a sign-in is interactive or not. |
| location | signInLocation | Provides the city, state, and country code where the sign-in originated. Supports $filter (eq and startsWith operators only) on city, state, and countryOrRegion properties. |
| resourceDisplayName | String | Name of the resource the user signed into. Supports $filter (eq operator only). |
| resourceId | String | ID of the resource that the user signed into. Supports $filter (eq operator only). |
| riskDetail | riskDetail | Provides the 'reason' behind a specific state of a risky user, sign-in or a risk event. The possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, unknownFutureValue. The value none means that no action has been performed on the user or sign-in so far. Supports $filter (eq operator only).Note: Details for this property require an Azure AD Premium P2 license. Other licenses return the value hidden. |
| riskEventTypes | riskEventType collection | Risk event types associated with the sign-in. The possible values are: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, and unknownFutureValue. Supports $filter (eq operator only). |
| riskEventTypes_v2 | String collection | The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue. Supports $filter (eq and startsWith operators only). |
| riskLevelAggregated | riskLevel | Aggregated risk level. The possible values are: none, low, medium, high, hidden, and unknownFutureValue. The value hidden means the user or sign-in was not enabled for Azure AD Identity Protection. Supports $filter (eq operator only). Note: Details for this property are only available for Azure AD Premium P2 customers. All other customers will be returned hidden. |
| riskLevelDuringSignIn | riskLevel | Risk level during sign-in. The possible values are: none, low, medium, high, hidden, and unknownFutureValue. The value hidden means the user or sign-in was not enabled for Azure AD Identity Protection. Supports $filter (eq operator only). Note: Details for this property are only available for Azure AD Premium P2 customers. All other customers will be returned hidden. |
| riskState | riskState | Reports status of the risky user, sign-in, or a risk event. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. Supports $filter (eq operator only). |
| status | signInStatus | Sign-in status. Includes the error code and description of the error (in case of a sign-in failure). Supports $filter (eq operator only) on errorCode property. |
| userDisplayName | String | Display name of the user that initiated the sign-in. Supports $filter (eq and startsWith operators only). |
| userId | String | ID of the user that initiated the sign-in. Supports $filter (eq operator only). |
| userPrincipalName | String | User principal name of the user that initiated the sign-in. Supports $filter (eq and startsWith operators only). |
userRegistrationDetails
| Property | Type | Description |
|---|---|---|
| defaultMfaMethod | defaultMfaMethodType | The method the user or admin selected as default for performing multi-factor authentication for the user. The possible values are: none, mobilePhone, alternateMobilePhone, officePhone, microsoftAuthenticatorPush, softwareOneTimePasscode, unknownFutureValue. |
| id | String | User object identifier in Azure AD. Inherited from entity. |
| isAdmin | Boolean | Whether the user has an admin role in the tenant. This value can be used to check the authentication methods that privileged accounts are registered for and capable of. |
| isMfaCapable | Boolean | Whether the user has registered a strong authentication method for multi-factor authentication. The method must be allowed by the authentication methods policy. Supports $filter (eq). |
| isMfaRegistered | Boolean | Whether the user has registered a strong authentication method for multi-factor authentication. The method may not necessarily be allowed by the authentication methods policy. Supports $filter (eq). |
| isPasswordlessCapable | Boolean | Whether the user has registered a passwordless strong authentication method (including FIDO2, Windows Hello for Business, and Microsoft Authenticator (Passwordless)) that is allowed by the authentication methods policy. Supports $filter (eq). |
| isSsprCapable | Boolean | Whether the user has registered the required number of authentication methods for self-service password reset and the user is allowed to perform self-service password reset by policy. Supports $filter (eq). |
| isSsprEnabled | Boolean | Whether the user is allowed to perform self-service password reset by policy. The user may not necessarily have registered the required number of authentication methods for self-service password reset. Supports $filter (eq). |
| isSsprRegistered | Boolean | Whether the user has registered the required number of authentication methods for self-service password reset. The user may not necessarily be allowed to perform self-service password reset by policy. Supports $filter (eq). |
| methodsRegistered | String collection | Collection of authentication methods registered, such as mobilePhone, email, fido2. Supports $filter (any with eq). |
| userDisplayName | String | The user display name, such as Adele Vance. Supports $filter (eq, startsWith) and $orderBy. |
| userPrincipalName | String | The user principal name, such as [email protected]. Supports $filter (eq, startsWith) and $orderBy. |
| userType | signInUserType | Identifies whether the user is a member or guest in the tenant. The possible values are: member, guest, unknownFutureValue. |
userRegistrationFeatureSummary
| Property | Type | Description |
|---|---|---|
| totalUserCount | Int64 | Total number of users accounts, excluding those that are blocked |
| userRegistrationFeatureCounts | userRegistrationFeatureCount collection | Number of users registered or capable for Multi-Factor Authentication, Self-Service Password Reset and Passwordless Authentication. |
| userRoles | includedUserRoles | User role type. Possible values are: all, privilegedAdmin, admin, user. |
| userTypes | includedUserTypes | User type. Possible values are: all, member, guest. |
userRegistrationMethodSummary
| Property | Type | Description |
|---|---|---|
| totalUserCount | Int64 | Total number of users in the tenant. |
| userRegistrationMethodCounts | userRegistrationMethodCount collection | Number of users registered for each authentication method. |
| userRoles | includedUserRoles | User role type. Possible values are: all, privilegedAdmin, admin, user. |
| userTypes | includedUserTypes | User type. Possible values are: all, member, guest. |