AuditLog.Read.All
Allows the app to read and query your audit log activities, on behalf of the signed-in user.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the AuditLog.Read.All permission.
If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant
| Category | Application | Delegated |
|---|---|---|
| Identifier | b0afded3-3588-46d8-8b3d-9842eff778da | e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20 |
| DisplayText | Read all audit log data | Read audit log data |
| Description | Allows the app to read and query your audit log activities, without a signed-in user. | Allows the app to read and query your audit log activities, on behalf of the signed-in user. |
| AdminConsentRequired | Yes | Yes |
Graph Methods
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods | |
|---|---|
AuditLog.Read.All and Directory.Read.All |
|
AuditLog.Read.All and Directory.Read.All |
|
→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)
| Commands | |
|---|---|
AuditLog.Read.All and Directory.Read.All |
|
AuditLog.Read.All and Directory.Read.All |
|
Resources
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
- appCredentialSignInActivity
- auditActivityType
- directoryAudit
- provisioningObjectSummary
- selfServiceSignUp
- servicePrincipalSignInActivity
- signIn
- signInEventsActivity
- signInEventsAppActivity
- summarizedSignIn
- userEventsSummary
- userMfaSignInSummary
- userPasswordResetsAndChangesSummary
- userRegistrationActivitySummary
- userRegistrationDetails
- userRegistrationFeatureSummary
- userRegistrationMethodSummary
- userSignInUsageByAuthMethodActivity
Graph reference: appCredentialSignInActivity
| Property | Type | Description |
|---|---|---|
| appId | String | The globally unique appId (also called client ID on the Microsoft Entra admin center) of the credentialed application. |
| appObjectId | String | The ID of the credential application instance. |
| createdDateTime | DateTimeOffset | The date and time when the credential was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| credentialOrigin | applicationKeyOrigin | The type the key credential originated from. Possible values are: application, servicePrincipal, unknownFutureValue. |
| expirationDateTime | DateTimeOffset | The date and time when the credential is set to expire. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| id | String | The unique identifier of the appCredentialSignInActivity instance in the response. |
| keyId | String | The key ID of the credential. |
| keyType | applicationKeyType | Specifies the key type. The possible values are: clientSecret, certificate, unknownFutureValue. |
| keyUsage | applicationKeyUsage | Specifies what the key was used for. The possible values are: sign, verify, unknownFutureValue. |
| resourceId | String | The ID of the accessed resource. |
| servicePrincipalObjectId | String | The ID of the service principal. |
| signInActivity | signInActivity | The sign-in activity of the credential across all flows. |
Graph reference: auditActivityType
| Property | Type | Description |
|---|---|---|
| activity | String | Indicates the activity name or the operation name (for example "Create User", "Add member to group"). For a list of activities logged, refer to Microsoft Entra audit log categories and activities. Supports $filter (eq). |
| category | String | Indicates which resource category that's targeted by the activity. For example: UserManagement, GroupManagement, ApplicationManagement, RoleManagement. For a list of categories for activities logged, refer to Microsoft Entra audit log categories and activities. Supports $filter (eq). |
| id | String | The unique ID for the given audit activity type. |
| service | String | Indicates information on which service initiated the activity. For example: Self-service Password Management, Core Directory, B2C, Invited Users, Microsoft Identity Manager, Privileged Identity Management. Supports $filter (eq). |
Graph reference: directoryAudit
| Property | Type | Description |
|---|---|---|
| activityDateTime | DateTimeOffset | Indicates the date and time the activity was performed. The Timestamp type is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $filter (eq, ge, le) and $orderby. |
| activityDisplayName | String | Indicates the activity name or the operation name (examples: "Create User" and "Add member to group"). For a list of activities logged, refer to Microsoft Entra audit log categories and activities. Supports $filter (eq, startswith). |
| additionalDetails | keyValue collection | Indicates additional details on the activity. |
| category | String | Indicates which resource category that's targeted by the activity. For example: UserManagement, GroupManagement, ApplicationManagement, RoleManagement. For a list of categories for activities logged, refer to Microsoft Entra audit log categories and activities. |
| correlationId | Guid | Indicates a unique ID that helps correlate activities that span across various services. Can be used to trace logs across services. Supports $filter (eq). |
| id | String | Indicates the unique ID for the activity. This is a GUID. Supports $filter (eq). |
| initiatedBy | auditActivityInitiator | Indicates information about the user or app that initiated the activity. Supports $filter (eq) for user/id, user/displayName, user/userPrincipalName, app/appId, app/displayName; and $filter (startswith) for user/userPrincipalName. |
| loggedByService | String | Indicates information on which service initiated the activity (for example: Self-service Password Management, Core Directory, B2C, Invited Users, Microsoft Identity Manager, Privileged Identity Management). Supports $filter (eq). |
| operationType | String | Indicates the type of operation that was performed. The possible values include but are not limited to the following: Add, Assign, Update, Unassign, and Delete. |
| result | operationResult | Indicates the result of the activity. Possible values are: success, failure, timeout, unknownFutureValue. |
| resultReason | String | Indicates the reason for failure if the result is failure or timeout. |
| targetResources | targetResource collection | Indicates information on which resource was changed due to the activity. Target Resource Type can be User, Device, Directory, App, Role, Group, Policy or Other. Supports $filter (eq) for **i |
Graph reference: provisioningObjectSummary
| Property | Type | Description |
|---|---|---|
| activityDateTime | DateTimeOffset | Represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $filter (eq, gt, lt) and orderby. |
| changeId | String | Unique ID of this change in this cycle. Supports $filter (eq, contains). |
| cycleId | String | Unique ID per job iteration. Supports $filter (eq, contains). |
| durationInMilliseconds | Int32 | Indicates how long this provisioning action took to finish. Measured in milliseconds. |
| id | String | Indicates the unique ID for the activity. Read-only. Supports $filter (eq, contains). |
| initiatedBy | initiator | Details of who initiated this provisioning. Supports $filter (eq, contains). |
| jobId | String | The unique ID for the whole provisioning job. Supports $filter (eq, contains). |
| modifiedProperties | modifiedProperty collection | Details of each property that was modified in this provisioning action on this object. |
| provisioningAction | provisioningAction | Indicates the activity name or the operation name. Possible values are: create, update, delete, stageddelete, disable, other and unknownFutureValue. For a list of activities logged, refer to Microsoft Entra activity list. Supports $filter (eq, contains). |
| provisioningStatusInfo | provisioningStatusInfo | Details of provisioning status. |
| provisioningSteps | provisioningStep collection | Details of each step in provisioning. |
| servicePrincipal | servicePrincipal collection | Represents the service principal used for provisioning. Supports $filter (eq) for id and name. |
| sourceIdentity | provisionedIdentity | Details of source object being provisioned. Supports $filter (eq, contains) for identityType, id, and displayName. |
| sourceSystem | provisioningSystem | Details of source system of the object being provisioned. Supports $filter (eq, contains) for displayName. |
| targetIdentity | provisionedIdentity | Details of target object being provisioned. Supports $filter (eq, contains) for identityType, id, and displayName. |
| targetSystem | provisioningSystem | Details of target system of the object being provisioned. Supports $filter (eq, contains) for displayName. |
| tenantId | String | Unique Microsoft Entra tenant ID. Supports $filter (eq, contains). |
Graph reference: selfServiceSignUp
| Property | Type | Description |
|---|---|---|
| appDisplayName | String | App name displayed in the Microsoft Entra admin center. Supports $filter (eq, startsWith). |
| appId | String | Unique GUID that represents the app ID in the Microsoft Entra ID. Supports $filter (eq). |
| appliedEventListeners | appliedAuthenticationEventListener collection | Detailed information about the listeners, such as Azure Logic Apps and Azure Functions, which the corresponding events in the sign-up event triggered. |
| correlationId | String | The request ID sent from the client when the sign-up is initiated. Used to troubleshoot sign-up activity. Supports $filter (eq). |
| createdDateTime | DateTimeOffset | Date and time (UTC) the sign-up was initiated. Example: midnight on Jan 1, 2014 is reported as 2014-01-01T00:00:00Z. Supports $orderby, $filter (eq, le, and ge). |
| id | String | Unique ID representing the sign-up activity. Supports $filter (eq). Inherited from entity. |
| signUpIdentity | signUpIdentity | Unique identifier for self-service sign-up user. Supports $filter (eq) on the signUpIdentifierType. |
| signUpIdentityProvider | String | Describes the type of account for which the user registered. Values include Email OTP, Email Password, Google. |
| signUpStage | signUpStage | Describes the step in the sign-up flow. The possible values are: credentialCollection, credentialValidation, credentialFederation, consent, attributeCollectionAndValidation, userCreation, tenantConsent, unknownFutureValue. |
| status | signUpStatus | Sign-up status. Includes the error code and description of the error (if a sign-up failure or interrupt occurs). Supports $filter (eq) on errorCode property. |
| userId | String | The identifier of the user object created during the sign-up. |
Graph reference: servicePrincipalSignInActivity
| Property | Type | Description |
|---|---|---|
| appId | String | The globally unique appId (also called client ID on the Microsoft Entra admin center) of the credentialed resource application. |
| applicationAuthenticationClientSignInActivity | signInActivity | The sign-in activity of the application in an app-only authentication flow (app-to-app tokens) where the application acts like a client. |
| applicationAuthenticationResourceSignInActivity | signInActivity | The sign-in activity of the application in an app-only authentication flow (app-to-app tokens) where the application acts like a resource. |
| delegatedClientSignInActivity | signInActivity | The sign-in activity of the application in a delegated flow (user sign-in) where the application acts like a client. |
| delegatedResourceSignInActivity | signInActivity | The sign-in activity of the application in a delegated flow (user sign-in) where the application acts like a resource. |
| id | String | The unique ID for each service principal sign-in event. |
| lastSignInActivity | signInActivity | The most recent sign-in activity of the application across delegated or app-only flows where the application is used either as a client or resource. |
Graph reference: signIn
| Property | Type | Description |
|---|---|---|
| appDisplayName | String | App name displayed in the Microsoft Entra admin center. Supports $filter (eq, startsWith). |
| appId | String | Unique GUID that represents the app ID in the Microsoft Entra ID. Supports $filter (eq). |
| appliedConditionalAccessPolicies | appliedConditionalAccessPolicy collection | Provides a list of conditional access policies that the corresponding sign-in activity triggers. Apps need more Conditional Access-related privileges to read the details of this property. For more information, see Permissions for viewing applied conditional access (CA) policies in sign-ins. |
| clientAppUsed | String | Identifies the client used for the sign-in activity. Modern authentication clients include Browser, modern clients. Legacy authentication clients include Exchange ActiveSync, IMAP, MAPI, SMTP, POP, and other clients. Supports $filter (eq). |
| conditionalAccessStatus | conditionalAccessStatus | Reports status of an activated conditional access policy. Possible values are: success, failure, notApplied, and unknownFutureValue. Supports $filter (eq). |
| correlationId | String | The request ID sent from the client when the sign-in is initiated. Used to troubleshoot sign-in activity. Supports $filter (eq). |
| createdDateTime | DateTimeOffset | Date and time (UTC) the sign-in was initiated. Example: midnight on Jan 1, 2014 is reported as 2014-01-01T00:00:00Z. Supports $orderby, $filter (eq, le, and ge). |
| deviceDetail | deviceDetail | Device information from where the sign-in occurred; includes device ID, operating system, and browser. Supports $filter (eq, startsWith) on browser and operatingSystem properties. |
| id | String | Unique ID representing the sign-in activity. Supports $filter (eq). |
| ipAddress | String | IP address of the client used to sign in. Supports $filter (eq, startsWith). |
| isInteractive | Boolean | Indicates whether a sign-in is interactive. |
| location | signInLocation | Provides the city, state, and country code where the sign-in originated. Supports $filter (eq, startsWith) on city, state, and countryOrRegion properties. |
| resourceDisplayName | String | Name of the resource the user signed into. Supports $filter (eq). |
| resourceId | String | ID of the resource that the user signed into. Supports $filter (eq). |
| riskDetail | riskDetail | The reason behind a specific state of a risky user, sign-in, or a risk event. The possible values are none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue, adminConfirmedServicePrincipalCompromised, adminDismissedAllRiskForServicePrincipal, m365DAdminDismissedDetection, userChangedPasswordOnPremises, adminDismissedRiskForSignIn, adminConfirmedAccountSafe. Use the Prefer: include-unknown-enum-members request header to get the following value or values in this evolvable enum: adminConfirmedServicePrincipalCompromised, adminDismissedAllRiskForServicePrincipal, m365DAdminDismissedDetection, userChangedPasswordOnPremises, adminDismissedRiskForSignIn, adminConfirmedAccountSafe. The value none means that Microsoft Entra risk detection did not flag the user or the sign-in as a risky event so far. Supports $filter (eq). Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned hidden. |
| riskEventTypes_v2 | String collection | The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue. Supports $filter (eq, startsWith). |
| riskLevelAggregated | riskLevel | Aggregated risk level. The possible values are: none, low, medium, high, hidden, and unknownFutureValue. The value hidden means the user or sign-in wasn't enabled for Microsoft Entra ID Protection. Supports $filter (eq). Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned hidden. |
| riskLevelDuringSignIn | riskLevel | Risk level during sign-in. The possible values are: none, low, medium, high, hidden, and unknownFutureValue. The value hidden means the user or sign-in wasn't enabled for Microsoft Entra ID Protection. Supports $filter (eq). Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned hidden. |
| riskState | riskState | Reports status of the risky user, sign-in, or a risk event. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. Supports $filter (eq). |
| status | signInStatus | Sign-in status. Includes the error code and description of the error (if a sign-in failure occurs). Supports $filter (eq) on errorCode property. |
| userDisplayName | String | Display name of the user that initiated the sign-in. Supports $filter (eq, startsWith). |
| userId | String | ID of the user that initiated the sign-in. Supports $filter (eq). |
| userPrincipalName | String | User principal name of the user that initiated the sign-in. This value is always in lowercase. For guest users whose values in the user object typically contain #EXT# before the domain part, this property stores the value in both lowercase and the "true" format. For example, while the user object stores AdeleVance_fabrikam.com#EXT#@contoso.com, the sign-in logs store [email protected]. Supports $filter (eq, startsWith). |
Graph reference: signInEventsActivity
| Property | Type | Description |
|---|---|---|
| activityDateTime | DateTimeOffset | The aggregated day for which the summary applies to. This property always represents the entire day. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $filter (gt, lt). |
| id | String | Identifier for the report. |
| signInCount | Int32 | The number of sign-in events that occurred for this day. Supports $filter (gt, lt, eq). |
Graph reference: signInEventsAppActivity
| Property | Type | Description |
|---|---|---|
| appId | String | The application ID for the given summary. Supports $filter (eq). |
| signInCount | Int32 | The total number of sign-in events for the given application. Supports $filter (gt). |
| tenantId | String | The tenant ID where sign-in events occurred. |
Graph reference: summarizedSignIn
| Property | Type | Description |
|---|---|---|
| agent | microsoft.graph.agentic.agentSignIn | Represents details about the agentic sign-in. Includes the type of agent as well as parent appId in some cases. Supports $filter (eq) for agentType. |
| aggregationDateTime | DateTimeOffset | The aggregated day for which the summary applies to. This property always represents the entire day. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| appDisplayName | String | The application name displayed in the Microsoft Entra admin center. Supports $filter (eq). |
| appId | String | The application identifier (client ID) in Microsoft Entra ID. Supports $filter (eq). |
| conditionalAccessStatus | conditionalAccessStatus | The status of the conditional access policy triggered. The possible values are: success, failure, notApplied, unknownFutureValue. Supports $filter (eq). |
| firstSignInDateTime | DateTimeOffset | The earliest sign-in event included in this summary. This property always represents the entire day. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| id | String | The identifier representing the sign-in activity. Inherited from entity. Supports $filter (eq). |
| ipAddress | String | The IP address a user or autonomous agent used to reach a resource provider, used to determine Conditional Access compliance for some policies. For example, when a user interacts with Exchange Online, the IP address that Microsoft Exchange receives from the user can be recorded here. This value is often null. Supports $filter (eq, startswith). |
| managedServiceIdentity | managedIdentity | Contains information about the managed identity used for the sign in, including its type, associated Azure Resource Manager resource ID, and federated token information. Supports $filter (eq) for msiType. |
| resourceDisplayName | String | The name of the resource that the user signed in to. Supports $filter (eq). |
| resourceId | String | The application identifier of the resource application that the user signed in to. Supports $filter (eq). |
| servicePrincipalId | String | The application identifier of the specific service principal instance of the application identifier used for sign-in. This field is populated when you're signing in using an application and is different than the appId property. Supports $filter (eq). |
| servicePrincipalName | String | The application name used for sign-in. This field is populated when you're signing in using an application. Supports $filter (eq, startswith). |
| signInCount | Int64 | The total number of sign-in events included in the summary. |
| status | signInStatus | The sign-in status. Includes the error code and description of the error (for a sign-in failure). Supports $filter (eq) for errorCode. |
| tenantId | String | The tenant identifier of the user initiating the sign-in. Supports $filter (eq). |
| userPrincipalName | String | User principal name of the user that initiated the sign-in. This value is always in lowercase. For guest users whose values in the user object typically contain #EXT# before the domain part, this property stores the value in both lowercase and the "true" format. For example, while the user object stores AdeleVance_fabrikam.com#EXT#@contoso.com, the sign-in logs store [email protected]. Supports $filter (eq). |
Graph reference: userEventsSummary
| Property | Type | Description |
|---|---|---|
| authMethod | usageAuthMethod | The authentication method being targeted in the event. The possible values are: email, mobileSMS, mobileCall, officePhone, securityQuestion, appNotification, appCode, alternateMobileCall, fido, appPassword, unknownFutureValue, externalAuthMethod, hardwareOneTimePasscode, windowsHelloForBusiness, microsoftAuthenticatorPasswordless, temporaryAccessPass, macOsSecureEnclaveKey, passKeyDeviceBound, passKeyDeviceBoundAuthenticator, passKeyDeviceBoundWindowsHello, softwareOneTimePasscode, microsoftAuthenticatorPush, mobilePhone, sms, alternateMobilePhone, fido2SecurityKey, oneTimePasscode, passKeySynced. Use the Prefer: include-unknown-enum-members request header to get the following values from this evolvable enum: externalAuthMethod, hardwareOneTimePasscode, windowsHelloForBusiness, microsoftAuthenticatorPasswordless, temporaryAccessPass, macOsSecureEnclaveKey, passKeyDeviceBound, passKeyDeviceBoundAuthenticator, passKeyDeviceBoundWindowsHello, softwareOneTimePasscode, microsoftAuthenticatorPush, mobilePhone, sms, alternateMobilePhone, fido2SecurityKey, oneTimePasscode, passKeySynced. |
| eventDateTime | DateTimeOffset | The date and time (UTC) when the event occurred. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| failureReason | String | The specific reason why the event failed (if it was not successful). |
| feature | featureType | The type of event that occurred. The possible values are: registration, reset, unknownFutureValue. |
| id | String | User object identifier in Microsoft Entra ID. Inherited from entity. |
| isSuccess | Boolean | Indicates whether the event was successful or not. |
| userDisplayName | String | The user display name, such as Adele Vance. Supports $filter (eq, startsWith) and $orderby. |
| userPrincipalName | String | The user principal name, such as [email protected]. Supports $filter (eq, startsWith) and $orderby. |
Graph reference: userMfaSignInSummary
| Property | Type | Description |
|---|---|---|
| createdDateTime | DateTimeOffset | The date and time (UTC) for which the summary was aggregated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| id | String | The id for the summary. |
| multiFactorSignIns | Int64 | The total number of MFA sign-ins for the given day. |
| singleFactorSignIns | Int64 | The total number of non-MFA sign-ins for the given day. |
| totalSignIns | Int64 | The total number of sign-ins for the given day. |
Graph reference: userPasswordResetsAndChangesSummary
| Property | Type | Description |
|---|---|---|
| aggregatedDateTime | DateTimeOffset | The aggregated day for which the summary applies to. This property will always represent the entire day. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| changePasswordSelfServiceCount | Int64 | The number of self-service password changes that occurred during this window. |
| id | String | Identifier for the report. |
| passwordResetsByAdminCount | Int64 | The number of admin-triggered password resets that occurred during this window. |
| passwordResetsSelfServiceCount | Int64 | The number of self-service password resets that occurred during this window. |
Graph reference: userRegistrationActivitySummary
| Property | Type | Description |
|---|---|---|
| authMethod | usageAuthMethod | The authentication method for the given summary. The possible values are: email, mobileSMS, mobileCall, officePhone, securityQuestion, appNotification, appCode, alternateMobileCall, fido, appPassword, unknownFutureValue, externalAuthMethod, hardwareOneTimePasscode, windowsHelloForBusiness, microsoftAuthenticatorPasswordless, temporaryAccessPass, macOsSecureEnclaveKey, passKeyDeviceBound, passKeyDeviceBoundAuthenticator, passKeyDeviceBoundWindowsHello, softwareOneTimePasscode, microsoftAuthenticatorPush, mobilePhone, sms, alternateMobilePhone, fido2SecurityKey, oneTimePasscode, passKeySynced. Use the Prefer: include-unknown-enum-members request header to get the following values from this evolvable enum: externalAuthMethod, hardwareOneTimePasscode, windowsHelloForBusiness, microsoftAuthenticatorPasswordless, temporaryAccessPass, macOsSecureEnclaveKey, passKeyDeviceBound, passKeyDeviceBoundAuthenticator, passKeyDeviceBoundWindowsHello, softwareOneTimePasscode, microsoftAuthenticatorPush, mobilePhone, sms, alternateMobilePhone, fido2SecurityKey, oneTimePasscode, passKeySynced. Supports $filter (eq). |
| failureActivityCount | Int64 | The total number of failed activities for the corresponding authMethod and feature. Supports $filter (eq). |
| feature | featureType | The type of activity. The possible values are: registration, reset, unknownFutureValue. Supports $filter (eq). |
| id | String | The unique id for the given summary. Supports $filter (eq). |
| successfulActivityCount | Int64 | The total number of successful activities for the corresponding authMethod and feature. Supports $filter (gt, lt). |
Graph reference: userRegistrationDetails
| Property | Type | Description |
|---|---|---|
| id | String | User object identifier in Microsoft Entra ID. Inherited from entity. |
| isAdmin | Boolean | Indicates whether the user has an admin role in the tenant. This value can be used to check the authentication methods that privileged accounts are registered for and capable of. |
| isMfaCapable | Boolean | Indicates whether the user has registered a strong authentication method for multifactor authentication. The method must be allowed by the authentication methods policy. Supports $filter (eq). |
| isMfaRegistered | Boolean | Indicates whether the user has registered a strong authentication method for multifactor authentication. The method may not necessarily be allowed by the authentication methods policy. Supports $filter (eq). |
| isPasswordlessCapable | Boolean | Indicates whether the user has registered a passwordless strong authentication method (including FIDO2, Windows Hello for Business, and Microsoft Authenticator (Passwordless)) that is allowed by the authentication methods policy. Supports $filter (eq). |
| isSsprCapable | Boolean | Indicates whether the user has registered the required number of authentication methods for self-service password reset and the user is allowed to perform self-service password reset by policy. Supports $filter (eq). |
| isSsprEnabled | Boolean | Indicates whether the user is allowed to perform self-service password reset by policy. The user may not necessarily have registered the required number of authentication methods for self-service password reset. Supports $filter (eq). |
| isSsprRegistered | Boolean | Indicates whether the user has registered the required number of authentication methods for self-service password reset. The user may not necessarily be allowed to perform self-service password reset by policy. Supports $filter (eq). |
| isSystemPreferredAuthenticationMethodEnabled | Boolean | Indicates whether system preferred authentication method is enabled. If enabled, the system dynamically determines the most secure authentication method among the methods registered by the user. Supports $filter (eq). |
| lastUpdatedDateTime | DateTimeOffset | The date and time (UTC) when the report was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| methodsRegistered | String collection | Collection of authentication methods registered, such as mobilePhone, email, passKeyDeviceBound. Supports $filter (any with eq). |
| systemPreferredAuthenticationMethods | String collection | Collection of authentication methods that the system determined to be the most secure authentication methods among the registered methods for second factor authentication. Possible values are: push, oath, voiceMobile, voiceAlternateMobile, voiceOffice, sms, none, unknownFutureValue. Supports $filter (any with eq). |
| userDisplayName | String | The user display name, such as Adele Vance. Supports $filter (eq, startsWith) and $orderby. |
| userPreferredMethodForSecondaryAuthentication | userDefaultAuthenticationMethod | The method the user selected as the default second-factor for performing multifactor authentication. Possible values are: push, oath, voiceMobile, voiceAlternateMobile, voiceOffice, sms, none, unknownFutureValue. This property is used as preferred MFA method when isSystemPreferredAuthenticationMethodEnabled is false. Supports $filter (any with eq). |
| userPrincipalName | String | The user principal name, such as [email protected]. Supports $filter (eq, startsWith) and $orderby. |
| userType | signInUserType | Identifies whether the user is a member or guest in the tenant. The possible values are: member, guest, unknownFutureValue. |
Graph reference: userRegistrationFeatureSummary
| Property | Type | Description |
|---|---|---|
| totalUserCount | Int64 | Total number of user accounts, excluding those that are blocked. |
| userRegistrationFeatureCounts | userRegistrationFeatureCount collection | Number of users registered or capable for multi-factor authentication, self-service password reset, and passwordless authentication. |
| userRoles | includedUserRoles | The role type of the user. Possible values are: all, privilegedAdmin, admin, user, unknownFutureValue. |
| userTypes | includedUserTypes | User type. Possible values are: all, member, guest, unknownFutureValue. |
Graph reference: userRegistrationMethodSummary
| Property | Type | Description |
|---|---|---|
| totalUserCount | Int64 | Total number of users in the tenant. |
| userRegistrationMethodCounts | userRegistrationMethodCount collection | Number of users registered for each authentication method. |
| userRoles | includedUserRoles | The role type of the user. Possible values are: all, privilegedAdmin, admin, user, unknownFutureValue. |
| userTypes | includedUserTypes | User type. Possible values are: all, member, guest, unknownFutureValue. |
Graph reference: userSignInUsageByAuthMethodActivity
| Property | Type | Description |
|---|---|---|
| authenticationMethod | usageAuthMethod | The authentication method for the given summary. |
| successActivityCount | Int64 | The total number of successful sign in events for the given authentication method. |