AuditLog.Read.All

Allows the app to read and query your audit log activities, on behalf of the signed-in user.

Graph Methods

Type: A = Application Permission, D = Delegate Permission

Ver Type Method
V1 A,D GET /auditLogs/directoryaudits
V1 A,D GET /auditLogs/directoryAudits
V1 A,D GET /auditLogs/directoryAudits/{id}
V1 A,D GET /auditLogs/provisioning
V1 A,D GET /auditLogs/signIns/{id}
V1 A,D GET /reports/authenticationMethods/userRegistrationDetails
V1 A,D GET /reports/authenticationMethods/userRegistrationDetails/{userId}
V1 D GET /reports/authenticationMethods/usersRegisteredByFeature
V1 D GET /reports/authenticationMethods/usersRegisteredByMethod
V1 A,D GET /auditLogs/signIns

Delegate Permission

Id e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20
Consent Type Admin
Display String Read audit log data
Description Allows the app to read and query your audit log activities, on behalf of the signed-in user.

Application Permission

Id b0afded3-3588-46d8-8b3d-9842eff778da
Display String Read all audit log data
Description Allows the app to read and query your audit log activities, without a signed-in user.

Resources

directoryAudit

Property Type Description
activityDateTime DateTimeOffset Indicates the date and time the activity was performed. The Timestamp type is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
activityDisplayName String Indicates the activity name or the operation name (examples: "Create User" and "Add member to group"). For the full list, see Azure AD activity list.
additionalDetails keyValue collection Indicates additional details on the activity.
category String Indicates which resource category is targeted by the activity. For example: UserManagement, GroupManagement, ApplicationManagement, RoleManagement.
correlationId Guid Indicates a unique ID that helps correlate activities that span across various services. Can be used to trace logs across services.
id String Indicates the unique ID for the activity. This is a GUID.
initiatedBy auditActivityInitiator Indicates information about the user or app that initiated the activity.
loggedByService String Indicates information on which service initiated the activity (for example: Self-service Password Management, Core Directory, B2C, Invited Users, Microsoft Identity Manager, Privileged Identity Management).
operationType String Indicates the type of operation that was performed. The possible values include but are not limited to the following: Add, Assign, Update, Unassign, and Delete.
result operationResult Indicates the result of the activity. Possible values are: success, failure, timeout, unknownFutureValue.
resultReason String Indicates the reason for failure if the result is failure or timeout.
targetResources targetResource collection Indicates information on which resource was changed due to the activity. Target Resource Type can be User, Device, Directory, App, Role, Group, Policy or Other.

provisioningObjectSummary

Property Type Description
activityDateTime DateTimeOffset The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
changeId String Unique ID of this change in this cycle.
cycleId String Unique ID per job iteration.
durationInMilliseconds Int32 Indicates how long this provisioning action took to finish. Measured in milliseconds.
id String Indicates the unique ID for the activity. This is a read-only GUID.
initiatedBy initiator Details of who initiated this provisioning.
jobId String The unique ID for the whole provisioning job.
modifiedProperties modifiedProperty collection Details of each property that was modified in this provisioning action on this object.
provisioningAction provisioningAction Indicates the activity name or the operation name. Possible values are: create, update, delete, stageddelete, disable, other and unknownFutureValue. For a list of activities logged, refer to Azure AD activity list.
provisioningStatusInfo provisioningStatusInfo Details of provisioning status.
provisioningSteps provisioningStep collection Details of each step in provisioning.
servicePrincipal servicePrincipal collection Represents the service principal used for provisioning.
sourceIdentity provisionedIdentity Details of source object being provisioned.
sourceSystem provisioningSystem Details of source system of the object being provisioned.
targetIdentity provisionedIdentity Details of target object being provisioned.
targetSystem provisioningSystem Details of target system of the object being provisioned.
tenantId String Unique Azure AD tenant ID.

signIn

Property Type Description
appDisplayName String App name displayed in the Azure Portal. Supports $filter (eq and startsWith operators only).
appId String Unique GUID representing the app ID in the Azure Active Directory. Supports $filter (eq operator only).
appliedConditionalAccessPolicies appliedConditionalAccessPolicy collection Provides a list of conditional access policies that are triggered by the corresponding sign-in activity.
clientAppUsed String Identifies the client used for the sign-in activity. Modern authentication clients include Browser and modern clients. Legacy authentication clients include Exchange ActiveSync, IMAP, MAPI, SMTP, POP, and other clients. Supports $filter (eq operator only).
conditionalAccessStatus conditionalAccessStatus Reports status of an activated conditional access policy. Possible values are: success, failure, notApplied, and unknownFutureValue. Supports $filter (eq operator only).
correlationId String The request ID sent from the client when the sign-in is initiated; used to troubleshoot sign-in activity. Supports $filter (eq operator only).
createdDateTime DateTimeOffset Date and time (UTC) the sign-in was initiated. Example: midnight on Jan 1, 2014 is reported as 2014-01-01T00:00:00Z. Supports $orderby and $filter (eq, le, and ge operators only).
deviceDetail deviceDetail Device information from where the sign-in occurred; includes device ID, operating system, and browser. Supports $filter (eq and startsWith operators only) on browser and operatingSystem properties.
id String Unique ID representing the sign-in activity. Supports $filter (eq operator only).
ipAddress String IP address of the client used to sign in. Supports $filter (eq and startsWith operators only).
isInteractive Boolean Indicates if a sign-in is interactive or not.
location signInLocation Provides the city, state, and country code where the sign-in originated. Supports $filter (eq and startsWith operators only) on city, state, and countryOrRegion properties.
resourceDisplayName String Name of the resource the user signed into. Supports $filter (eq operator only).
resourceId String ID of the resource that the user signed into. Supports $filter (eq operator only).
riskDetail riskDetail Provides the 'reason' behind a specific state of a risky user, sign-in or a risk event. The possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, unknownFutureValue. The value none means that no action has been performed on the user or sign-in so far. Supports $filter (eq operator only).
Note: Details for this property require an Azure AD Premium P2 license. Other licenses return the value hidden.
riskEventTypes riskEventType collection Risk event types associated with the sign-in. The possible values are: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, and unknownFutureValue. Supports $filter (eq operator only).
riskEventTypes_v2 String collection The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue. Supports $filter (eq and startsWith operators only).
riskLevelAggregated riskLevel Aggregated risk level. The possible values are: none, low, medium, high, hidden, and unknownFutureValue. The value hidden means the user or sign-in was not enabled for Azure AD Identity Protection. Supports $filter (eq operator only).
Note: Details for this property are only available for Azure AD Premium P2 customers. All other customers receive the value hidden.
riskLevelDuringSignIn riskLevel Risk level during sign-in. The possible values are: none, low, medium, high, hidden, and unknownFutureValue. The value hidden means the user or sign-in was not enabled for Azure AD Identity Protection. Supports $filter (eq operator only).
Note: Details for this property are only available for Azure AD Premium P2 customers. All other customers receive the value hidden.
riskState riskState Reports status of the risky user, sign-in, or a risk event. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. Supports $filter (eq operator only).
status signInStatus Sign-in status. Includes the error code and description of the error (in case of a sign-in failure). Supports $filter (eq operator only) on errorCode property.
userDisplayName String Display name of the user that initiated the sign-in. Supports $filter (eq and startsWith operators only).
userId String ID of the user that initiated the sign-in. Supports $filter (eq operator only).
userPrincipalName String User principal name of the user that initiated the sign-in. Supports $filter (eq and startsWith operators only).

userRegistrationDetails

Property Type Description
defaultMfaMethod defaultMfaMethodType The method the user or admin selected as default for performing multi-factor authentication for the user. The possible values are: none, mobilePhone, alternateMobilePhone, officePhone, microsoftAuthenticatorPush, softwareOneTimePasscode, unknownFutureValue.
id String User object identifier in Azure AD. Inherited from entity.
isAdmin Boolean Whether the user has an admin role in the tenant. This value can be used to check the authentication methods that privileged accounts are registered for and capable of.
isMfaCapable Boolean Whether the user has registered a strong authentication method for multi-factor authentication. The method must be allowed by the authentication methods policy. Supports $filter (eq).
isMfaRegistered Boolean Whether the user has registered a strong authentication method for multi-factor authentication. The method may not necessarily be allowed by the authentication methods policy. Supports $filter (eq).
isPasswordlessCapable Boolean Whether the user has registered a passwordless strong authentication method (including FIDO2, Windows Hello for Business, and Microsoft Authenticator (Passwordless)) that is allowed by the authentication methods policy. Supports $filter (eq).
isSsprCapable Boolean Whether the user has registered the required number of authentication methods for self-service password reset and the user is allowed to perform self-service password reset by policy. Supports $filter (eq).
isSsprEnabled Boolean Whether the user is allowed to perform self-service password reset by policy. The user may not necessarily have registered the required number of authentication methods for self-service password reset. Supports $filter (eq).
isSsprRegistered Boolean Whether the user has registered the required number of authentication methods for self-service password reset. The user may not necessarily be allowed to perform self-service password reset by policy. Supports $filter (eq).
methodsRegistered String collection Collection of authentication methods registered, such as mobilePhone, email, fido2. Supports $filter (any with eq).
userDisplayName String The user display name, such as Adele Vance. Supports $filter (eq, startsWith) and $orderBy.
userPrincipalName String The user principal name, such as [email protected]. Supports $filter (eq, startsWith) and $orderBy.
userType signInUserType Identifies whether the user is a member or guest in the tenant. The possible values are: member, guest, unknownFutureValue.

userRegistrationFeatureSummary

Property Type Description
totalUserCount Int64 Total number of user accounts, excluding those that are blocked.
userRegistrationFeatureCounts userRegistrationFeatureCount collection Number of users registered or capable for Multi-Factor Authentication, Self-Service Password Reset and Passwordless Authentication.
userRoles includedUserRoles User role type. Possible values are: all, privilegedAdmin, admin, user.
userTypes includedUserTypes User type. Possible values are: all, member, guest.

userRegistrationMethodSummary

Property Type Description
totalUserCount Int64 Total number of users in the tenant.
userRegistrationMethodCounts userRegistrationMethodCount collection Number of users registered for each authentication method.
userRoles includedUserRoles User role type. Possible values are: all, privilegedAdmin, admin, user.
userTypes includedUserTypes User type. Possible values are: all, member, guest.
Created by merill