AuditLog.Read.All
Allows the app to read and query your audit log activities, on behalf of the signed-in user.
Graph Methods
Type: A = Application Permission, D = Delegate Permission
Delegate Permission
Id | e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20 |
Consent Type | Admin |
Display String | Read audit log data |
Description | Allows the app to read and query your audit log activities, on behalf of the signed-in user. |
Application Permission
Id | b0afded3-3588-46d8-8b3d-9842eff778da |
Display String | Read all audit log data |
Description | Allows the app to read and query your audit log activities, without a signed-in user. |
Resources
directoryAudit
Property | Type | Description |
---|---|---|
activityDateTime | DateTimeOffset | Indicates the date and time the activity was performed. The Timestamp type is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
activityDisplayName | String | Indicates the activity name or the operation name (examples: "Create User" and "Add member to group"). For the full list, see Azure AD activity list. |
additionalDetails | keyValue collection | Indicates additional details on the activity. |
category | String | Indicates which resource category is targeted by the activity. For example: UserManagement, GroupManagement, ApplicationManagement, RoleManagement. |
correlationId | Guid | Indicates a unique ID that helps correlate activities that span across various services. Can be used to trace logs across services. |
id | String | Indicates the unique ID for the activity. This is a GUID. |
initiatedBy | auditActivityInitiator | Indicates information about the user or app that initiated the activity. |
loggedByService | String | Indicates information on which service initiated the activity (for example: Self-service Password Management, Core Directory, B2C, Invited Users, Microsoft Identity Manager, Privileged Identity Management). |
operationType | String | Indicates the type of operation that was performed. The possible values include but are not limited to the following: Add, Assign, Update, Unassign, and Delete. |
result | operationResult | Indicates the result of the activity. Possible values are: success, failure, timeout, unknownFutureValue. |
resultReason | String | Indicates the reason for failure if the result is failure or timeout. |
targetResources | targetResource collection | Indicates information on which resource was changed due to the activity. Target Resource Type can be User, Device, Directory, App, Role, Group, Policy or Other. |
provisioningObjectSummary
Property | Type | Description |
---|---|---|
activityDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
changeId | String | Unique ID of this change in this cycle. |
cycleId | String | Unique ID per job iteration. |
durationInMilliseconds | Int32 | Indicates how long this provisioning action took to finish. Measured in milliseconds. |
id | String | Indicates the unique ID for the activity. This is a read-only GUID. |
initiatedBy | initiator | Details of who initiated this provisioning. |
jobId | String | The unique ID for the whole provisioning job. |
modifiedProperties | modifiedProperty collection | Details of each property that was modified in this provisioning action on this object. |
provisioningAction | provisioningAction | Indicates the activity name or the operation name. Possible values are: create, update, delete, stageddelete, disable, other and unknownFutureValue. For a list of activities logged, refer to Azure AD activity list. |
provisioningStatusInfo | provisioningStatusInfo | Details of provisioning status. |
provisioningSteps | provisioningStep collection | Details of each step in provisioning. |
servicePrincipal | servicePrincipal collection | Represents the service principal used for provisioning. |
sourceIdentity | provisionedIdentity | Details of source object being provisioned. |
sourceSystem | provisioningSystem | Details of source system of the object being provisioned. |
targetIdentity | provisionedIdentity | Details of target object being provisioned. |
targetSystem | provisioningSystem | Details of target system of the object being provisioned. |
tenantId | String | Unique Azure AD tenant ID. |
signIn
Property | Type | Description |
---|---|---|
appDisplayName | String | App name displayed in the Azure Portal. Supports $filter (eq and startsWith operators only). |
appId | String | Unique GUID representing the app ID in the Azure Active Directory. Supports $filter (eq operator only). |
appliedConditionalAccessPolicies | appliedConditionalAccessPolicy collection | Provides a list of conditional access policies that are triggered by the corresponding sign-in activity. |
clientAppUsed | String | Identifies the client used for the sign-in activity. Modern authentication clients include Browser and modern clients. Legacy authentication clients include Exchange ActiveSync, IMAP, MAPI, SMTP, POP, and other clients. Supports $filter (eq operator only). |
conditionalAccessStatus | conditionalAccessStatus | Reports status of an activated conditional access policy. Possible values are: success, failure, notApplied, and unknownFutureValue. Supports $filter (eq operator only). |
correlationId | String | The request ID sent from the client when the sign-in is initiated; used to troubleshoot sign-in activity. Supports $filter (eq operator only). |
createdDateTime | DateTimeOffset | Date and time (UTC) the sign-in was initiated. Example: midnight on Jan 1, 2014 is reported as 2014-01-01T00:00:00Z. Supports $orderby and $filter (eq, le, and ge operators only). |
deviceDetail | deviceDetail | Device information from where the sign-in occurred; includes device ID, operating system, and browser. Supports $filter (eq and startsWith operators only) on browser and operatingSystem properties. |
id | String | Unique ID representing the sign-in activity. Supports $filter (eq operator only). |
ipAddress | String | IP address of the client used to sign in. Supports $filter (eq and startsWith operators only). |
isInteractive | Boolean | Indicates if a sign-in is interactive or not. |
location | signInLocation | Provides the city, state, and country code where the sign-in originated. Supports $filter (eq and startsWith operators only) on city, state, and countryOrRegion properties. |
resourceDisplayName | String | Name of the resource the user signed into. Supports $filter (eq operator only). |
resourceId | String | ID of the resource that the user signed into. Supports $filter (eq operator only). |
riskDetail | riskDetail | Provides the 'reason' behind a specific state of a risky user, sign-in or a risk event. The possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, unknownFutureValue. The value none means that no action has been performed on the user or sign-in so far. Supports $filter (eq operator only). Note: Details for this property require an Azure AD Premium P2 license. Other licenses return the value hidden. |
riskEventTypes | riskEventType collection | Risk event types associated with the sign-in. The possible values are: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, and unknownFutureValue. Supports $filter (eq operator only). |
riskEventTypes_v2 | String collection | The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue. Supports $filter (eq and startsWith operators only). |
riskLevelAggregated | riskLevel | Aggregated risk level. The possible values are: none, low, medium, high, hidden, and unknownFutureValue. The value hidden means the user or sign-in was not enabled for Azure AD Identity Protection. Supports $filter (eq operator only). Note: Details for this property are only available for Azure AD Premium P2 customers. For all other customers, the value hidden is returned. |
riskLevelDuringSignIn | riskLevel | Risk level during sign-in. The possible values are: none, low, medium, high, hidden, and unknownFutureValue. The value hidden means the user or sign-in was not enabled for Azure AD Identity Protection. Supports $filter (eq operator only). Note: Details for this property are only available for Azure AD Premium P2 customers. For all other customers, the value hidden is returned. |
riskState | riskState | Reports status of the risky user, sign-in, or a risk event. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. Supports $filter (eq operator only). |
status | signInStatus | Sign-in status. Includes the error code and description of the error (in case of a sign-in failure). Supports $filter (eq operator only) on errorCode property. |
userDisplayName | String | Display name of the user that initiated the sign-in. Supports $filter (eq and startsWith operators only). |
userId | String | ID of the user that initiated the sign-in. Supports $filter (eq operator only). |
userPrincipalName | String | User principal name of the user that initiated the sign-in. Supports $filter (eq and startsWith operators only). |
userRegistrationDetails
Property | Type | Description |
---|---|---|
defaultMfaMethod | defaultMfaMethodType | The method the user or admin selected as default for performing multi-factor authentication for the user. The possible values are: none, mobilePhone, alternateMobilePhone, officePhone, microsoftAuthenticatorPush, softwareOneTimePasscode, unknownFutureValue. |
id | String | User object identifier in Azure AD. Inherited from entity. |
isAdmin | Boolean | Whether the user has an admin role in the tenant. This value can be used to check the authentication methods that privileged accounts are registered for and capable of. |
isMfaCapable | Boolean | Whether the user has registered a strong authentication method for multi-factor authentication. The method must be allowed by the authentication methods policy. Supports $filter (eq). |
isMfaRegistered | Boolean | Whether the user has registered a strong authentication method for multi-factor authentication. The method may not necessarily be allowed by the authentication methods policy. Supports $filter (eq). |
isPasswordlessCapable | Boolean | Whether the user has registered a passwordless strong authentication method (including FIDO2, Windows Hello for Business, and Microsoft Authenticator (Passwordless)) that is allowed by the authentication methods policy. Supports $filter (eq). |
isSsprCapable | Boolean | Whether the user has registered the required number of authentication methods for self-service password reset and the user is allowed to perform self-service password reset by policy. Supports $filter (eq). |
isSsprEnabled | Boolean | Whether the user is allowed to perform self-service password reset by policy. The user may not necessarily have registered the required number of authentication methods for self-service password reset. Supports $filter (eq). |
isSsprRegistered | Boolean | Whether the user has registered the required number of authentication methods for self-service password reset. The user may not necessarily be allowed to perform self-service password reset by policy. Supports $filter (eq). |
methodsRegistered | String collection | Collection of authentication methods registered, such as mobilePhone, email, fido2. Supports $filter (any with eq). |
userDisplayName | String | The user display name, such as Adele Vance. Supports $filter (eq, startsWith) and $orderBy. |
userPrincipalName | String | The user principal name, such as [email protected]. Supports $filter (eq, startsWith) and $orderBy. |
userType | signInUserType | Identifies whether the user is a member or guest in the tenant. The possible values are: member, guest, unknownFutureValue. |
userRegistrationFeatureSummary
Property | Type | Description |
---|---|---|
totalUserCount | Int64 | Total number of user accounts, excluding those that are blocked. |
userRegistrationFeatureCounts | userRegistrationFeatureCount collection | Number of users registered or capable for Multi-Factor Authentication, Self-Service Password Reset and Passwordless Authentication. |
userRoles | includedUserRoles | User role type. Possible values are: all, privilegedAdmin, admin, user. |
userTypes | includedUserTypes | User type. Possible values are: all, member, guest. |
userRegistrationMethodSummary
Property | Type | Description |
---|---|---|
totalUserCount | Int64 | Total number of users in the tenant. |
userRegistrationMethodCounts | userRegistrationMethodCount collection | Number of users registered for each authentication method. |
userRoles | includedUserRoles | User role type. Possible values are: all, privilegedAdmin, admin, user. |
userTypes | includedUserTypes | User type. Possible values are: all, member, guest. |