AuditLogsQuery-Entra.Read.All
Allows the app to read and query audit logs from Entra (Azure AD) workload, on behalf of the signed-in user.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the
AuditLogsQuery-Entra.Read.All
permission.If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the
Export-MsIdAppConsentGrantReport
command. See How To: Run a quick OAuth app audit of your tenant
Category | Application | Delegated |
---|---|---|
Identifier | 7276d950-48fc-4269-8348-f22f2bb296d0 | 5ff2f415-e0f1-4d11-bfd0-6d87c0f667fd |
DisplayText | Read audit logs data from Entra (Azure AD) workload | Read audit logs data from Entra (Azure AD) workload |
Description | Allows the app to read and query audit logs from Entra (Azure AD) workload, without a signed-in user | Allows the app to read and query audit logs from Entra (Azure AD) workload, on behalf of the signed-in user. |
AdminConsentRequired | Yes | Yes |
Graph Methods
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
Methods |
---|
Resources
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
Graph reference: auditLogQuery
Property | Type | Description |
---|---|---|
administrativeUnitIdFilters | String collection | The administrative units tagged to an audit log record. |
displayName | String | The display name of the saved audit log query. |
filterEndDateTime | DateTimeOffset | The end date of the date range in the query. |
filterStartDateTime | DateTimeOffset | The start date of the date range in the query. |
id | String | Unique identifier for the audit log query. Inherited from microsoft.graph.entity. |
ipAddressFilters | String collection | The IP address of the device that was used when the activity was logged. |
keywordFilter | String | Free text field to search non-indexed properties of the audit log. |
objectIdFilters | String collection | For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet. |
operationFilters | String collection | The name of the user or admin activity. For a description of the most common operations/activities, see Search the audit log in the Office 365 Protection Center. |
recordTypeFilters | microsoft.graph.security.auditLogRecordType collection | The type of operation indicated by the record. The possible values are: exchangeAdmin , exchangeItem , exchangeItemGroup , sharePoint , syntheticProbe , sharePointFileOperation , oneDrive , azureActiveDirectory , azureActiveDirectoryAccountLogon , dataCenterSecurityCmdlet , complianceDLPSharePoint , sway , complianceDLPExchange , sharePointSharingOperation , azureActiveDirectoryStsLogon , skypeForBusinessPSTNUsage , skypeForBusinessUsersBlocked , securityComplianceCenterEOPCmdlet , exchangeAggregatedOperation , powerBIAudit , crm , yammer , skypeForBusinessCmdlets , discovery , microsoftTeams , threatIntelligence , mailSubmission , microsoftFlow , aeD , microsoftStream , complianceDLPSharePointClassification , threatFinder , project , sharePointListOperation , sharePointCommentOperation , dataGovernance , kaizala , securityComplianceAlerts , threatIntelligenceUrl , securityComplianceInsights , mipLabel , workplaceAnalytics , powerAppsApp , powerAppsPlan , threatIntelligenceAtpContent , labelContentExplorer , teamsHealthcare , exchangeItemAggregated , hygieneEvent , dataInsightsRestApiAudit , informationBarrierPolicyApplication , sharePointListItemOperation , sharePointContentTypeOperation , sharePointFieldOperation , microsoftTeamsAdmin , hrSignal , microsoftTeamsDevice , microsoftTeamsAnalytics , informationWorkerProtection , campaign , dlpEndpoint , airInvestigation , quarantine , microsoftForms , applicationAudit , complianceSupervisionExchange , customerKeyServiceEncryption , officeNative , mipAutoLabelSharePointItem , mipAutoLabelSharePointPolicyLocation , microsoftTeamsShifts , secureScore , mipAutoLabelExchangeItem , cortanaBriefing , search , wdatpAlerts , powerPlatformAdminDlp , powerPlatformAdminEnvironment , mdatpAudit , sensitivityLabelPolicyMatch , sensitivityLabelAction , sensitivityLabeledFileAction , attackSim , airManualInvestigation , securityComplianceRBAC , userTraining , airAdminActionInvestigation , mstic , physicalBadgingSignal , teamsEasyApprovals , aipDiscover , aipSensitivityLabelAction , aipProtectionAction , aipFileDeleted , aipHeartBeat , mcasAlerts , onPremisesFileShareScannerDlp , onPremisesSharePointScannerDlp , exchangeSearch , sharePointSearch , privacyDataMinimization , labelAnalyticsAggregate , myAnalyticsSettings , securityComplianceUserChange , complianceDLPExchangeClassification , complianceDLPEndpoint , mipExactDataMatch , msdeResponseActions , msdeGeneralSettings , msdeIndicatorsSettings , ms365DCustomDetection , msdeRolesSettings , mapgAlerts , mapgPolicy , mapgRemediation , privacyRemediationAction , privacyDigestEmail , mipAutoLabelSimulationProgress , mipAutoLabelSimulationCompletion , mipAutoLabelProgressFeedback , dlpSensitiveInformationType , mipAutoLabelSimulationStatistics , largeContentMetadata , microsoft365Group , cdpMlInferencingResult , filteringMailMetadata , cdpClassificationMailItem , cdpClassificationDocument , officeScriptsRunAction , filteringPostMailDeliveryAction , cdpUnifiedFeedback , tenantAllowBlockList , consumptionResource , healthcareSignal , dlpImportResult , cdpCompliancePolicyExecution , multiStageDisposition , privacyDataMatch , filteringDocMetadata , filteringEmailFeatures , powerBIDlp , filteringUrlInfo , filteringAttachmentInfo , coreReportingSettings , complianceConnector , powerPlatformLockboxResourceAccessRequest , powerPlatformLockboxResourceCommand , cdpPredictiveCodingLabel , cdpCompliancePolicyUserFeedback , webpageActivityEndpoint , omePortal , cmImprovementActionChange , filteringUrlClick , mipLabelAnalyticsAuditRecord , filteringEntityEvent , filteringRuleHits , filteringMailSubmission , labelExplorer , microsoftManagedServicePlatform , powerPlatformServiceActivity , scorePlatformGenericAuditRecord , filteringTimeTravelDocMetadata , alert , alertStatus , alertIncident , incidentStatus , case , caseInvestigation , recordsManagement , privacyRemediation , dataShareOperation , cdpDlpSensitive , ehrConnector , filteringMailGradingResult , publicFolder , privacyTenantAuditHistoryRecord , aipScannerDiscoverEvent , eduDataLakeDownloadOperation , m365ComplianceConnector , microsoftGraphDataConnectOperation , microsoftPurview , filteringEmailContentFeatures , powerPagesSite , powerAppsResource , plannerPlan , plannerCopyPlan , plannerTask , plannerRoster , plannerPlanList , plannerTaskList , plannerTenantSettings , projectForTheWebProject , projectForTheWebTask , projectForTheWebRoadmap , projectForTheWebRoadmapItem , projectForTheWebProjectSettings , projectForTheWebRoadmapSettings , quarantineMetadata , microsoftTodoAudit , timeTravelFilteringDocMetadata , teamsQuarantineMetadata , sharePointAppPermissionOperation , microsoftTeamsSensitivityLabelAction , filteringTeamsMetadata , filteringTeamsUrlInfo , filteringTeamsPostDeliveryAction , mdcAssessments , mdcRegulatoryComplianceStandards , mdcRegulatoryComplianceControls , mdcRegulatoryComplianceAssessments , mdcSecurityConnectors , mdaDataSecuritySignal , vivaGoals , filteringRuntimeInfo , attackSimAdmin , microsoftGraphDataConnectConsent , filteringAtpDetonationInfo , privacyPortal , managedTenants , unifiedSimulationMatchedItem , unifiedSimulationSummary , updateQuarantineMetadata , ms365DSuppressionRule , purviewDataMapOperation , filteringUrlPostClickAction , irmUserDefinedDetectionSignal , teamsUpdates , plannerRosterSensitivityLabel , ms365DIncident , filteringDelistingMetadata , complianceDLPSharePointClassificationExtended , microsoftDefenderForIdentityAudit , supervisoryReviewDayXInsight , defenderExpertsforXDRAdmin , cdpEdgeBlockedMessage , hostedRpa , cdpContentExplorerAggregateRecord , cdpHygieneAttachmentInfo , cdpHygieneSummary , cdpPostMailDeliveryAction , cdpEmailFeatures , cdpHygieneUrlInfo , cdpUrlClick , cdpPackageManagerHygieneEvent , filteringDocScan , timeTravelFilteringDocScan , mapgOnboard , unknownFutureValue . |
serviceFilter | String | Refers to the workload property in the audit record. This is the Microsoft service where the activity occurred. Optional. |
status | microsoft.graph.security.auditLogQueryStatus | Describes the current status of the query. The possible values are: notStarted , running , succeeded , failed , cancelled , unknownFutureValue . |
userPrincipalNameFilters | String collection | The UPN (user principal name) of the user who performed the action (specified in the operation property) that resulted in the record being logged; for example, _m |