Introduction

As documented here, the Microsoft Graph Reporting API can be used to get the audit logs (https://graph.microsoft.com/beta/auditLogs/directoryAudits) and the sign-ins reports (https://graph.microsoft.com/beta/auditLogs/signIns). The old reports endpoint using Azure AD Graph is now deprecated, and attempting to use that legacy endpoint to get the auditEvents can result in the following error:

GET https://graph.windows.net/<tenant>.onmicrosoft.com/reports/auditEvents?api-version=beta

{
  "error": {
    "code": "Deprecated_ActivityReports",
    "message": "This API is deprecated as part of old azure classic portal, please use the API https://graph.windows.net/$tenantdomain/activities/. For more information refer the documentation https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-api-getting-started-azure-portal.. CorrelationID:10242ee6-2aa7-4173-826a-dc0fe898a87b timestamp:2019-04-12 13:00:05Z"
  }
}

Using the new end point…

Refer to the Reporting API prerequisite page for the prerequisites for accessing the Azure AD reporting API. For an application-permission token, make sure the application has the AuditLog.Read.All application permission and that the permission has been given admin consent.

Note that the reporting API guidance at https://github.com/toddkitta/azure-content/blob/master/articles/active-directory/active-directory-reporting-api-getting-started.md is outdated. In this blog post, I’ll show how to modify the PowerShell script to use the new MS Reporting API to get the Audit logs for the last 2 days. The new endpoint we want to use is https://graph.microsoft.com/beta/auditLogs/directoryAudits. See documentation for more info on directoryAudits. Below is the entire PS script using reporting API.

Note: You still need to follow the setup instructions at https://github.com/toddkitta/azure-content/blob/master/articles/active-directory/active-directory-reporting-api-getting-started.md to create an application registration, and make sure to configure Microsoft Graph for API permission. Replace the ClientID, ClientSecret, and tenantdomain with your information.

The above script can be easily modified to get the sign-ins report.  An Azure AD Premium P1 license is required to get the sign-ins data.  Please review Azure AD audit log API overview and Reporting API tutorial prerequisite for more detail.
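As an added example (not the author's original script), here is one way to call the new endpoint with an application-permission token, fetching the last 2 days of directory audits and following the `@odata.nextLink` paging links. The function names, the `GRAPH_CLIENT_SECRET` environment variable, the output path and the placeholder tenant and client values are assumptions.

```powershell
# Added example. Placeholder values below are assumptions; replace with your own.
$tenantDomain = '<tenant>.onmicrosoft.com'      # placeholder
$clientId     = '<application-client-id>'       # placeholder
$clientSecret = $env:GRAPH_CLIENT_SECRET        # assumed env var; keeps the secret out of the script
if (-not $clientSecret) { throw 'Set GRAPH_CLIENT_SECRET before running.' }

function Get-GraphToken {
    param([string]$Tenant, [string]$Id, [string]$Secret)
    # OAuth 2.0 client-credentials grant; .default requests the consented
    # application permissions (AuditLog.Read.All must be among them).
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $Id
        client_secret = $Secret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token"
    return $resp.access_token
}

function Get-DirectoryAudits {
    param([string]$Token, [int]$Days = 2)
    # 's' is the culture-invariant sortable format (yyyy-MM-ddTHH:mm:ss); Z marks UTC.
    $since   = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('s') + 'Z'
    $headers = @{ Authorization = "Bearer $Token" }
    # Single quotes stop PowerShell from expanding $filter as a variable.
    $url = 'https://graph.microsoft.com/beta/auditLogs/directoryAudits?$filter=activityDateTime ge ' + $since
    while ($url) {
        $page = Invoke-RestMethod -Method Get -Uri $url -Headers $headers
        $page.value                       # emit this page's records to the pipeline
        $url = $page.'@odata.nextLink'    # absent on the last page, which ends the loop
    }
}

$token = Get-GraphToken -Tenant $tenantDomain -Id $clientId -Secret $clientSecret
# Records stream page by page into the CSV instead of accumulating in memory.
Get-DirectoryAudits -Token $token -Days 2 |
    Select-Object activityDateTime, activityDisplayName, category, result,
        @{ n = 'initiatedBy'; e = { $_.initiatedBy.user.userPrincipalName } } |
    Export-Csv -Path .\directoryAudits.csv -NoTypeInformation
```

Changing `directoryAudits` to `signIns` in the URL targets the sign-ins report, but the filter field and selected columns must then match the sign-in schema.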

Thanks for reading and drop us a comment if this content helps.

Helen
January 8, 2021 10:52 am

I have a requirement to search the Directory Audit Logs for activity ‘Delete group settings’ within the past 15 days. I am using the following:

$url = 'https://graph.microsoft.com/beta/auditLogs/directoryAudits?$filter=activityDateTime ge ' + $16daysago + ' and activityDateTime lt ' + $Today

Once the search is complete I then filter for the activity.
This works when I search for 2-3 days' worth of logs; anything more than this, PowerShell crashes.
I have tried to add an additional filter for 'activityDisplayName' to the $url but this does not work.

Can you please advise on how best to achieve this?

raj
July 12, 2021 6:52 pm
Reply to Helen

Most probably it will be OData – looking for paging and how to store results from paging.