Microsoft Graph Activity Log is Now Available in Public Preview
Hi friends,
Today we’re excited to announce the public preview of Microsoft Graph Activity Logs. Have you wondered what applications are doing with the access you've granted them? Have you discovered a compromised user and hoped to find out what operations they have performed? If so, you can now gain full visibility into all HTTP requests accessing your tenant’s resources through the Microsoft Graph API.
*Note: We're enabling the feature starting today. Public preview will be available in all regions within two weeks.*
You're currently able to collect Sign-in logs to analyze authentication activity and Audit logs to see changes to important resources. With Microsoft Graph Activity Logs, you can now investigate the complete picture of activity in your tenant – from the token request in Sign-in logs, to API request activity (reads, writes, and deletes) in Microsoft Graph Activity Logs, to the resulting resource changes in Audit logs.
The Microsoft Graph Activity Logs include information about the request and client application. Some common use cases include:
- Identifying the activities that a compromised user account conducted in your tenant.
- Building detections and behavioral analysis to identify suspicious or anomalous use of Microsoft Graph APIs – such as an application enumerating all users; or making probing requests with many 403 errors.
- Investigating unexpected or unnecessarily privileged assignments of application permissions.
- Identifying problematic or unexpected behaviors for client applications – such as extreme call volumes that exhaust rate-limits for the tenant.
To illustrate working with these logs, we can look at some basic Log Analytics queries:
Summarize applications and principals that have made requests to change or delete groups in the past day:
```kql
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(1d)
| where RequestUri contains '/group'
| where RequestMethod != "GET"
| summarize UriCount=dcount(RequestUri) by AppId, UserId, ServicePrincipalId, ResponseStatusCode
```
To see recent requests that failed due to authorization:
```kql
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(1h)
| where ResponseStatusCode == 401 or ResponseStatusCode == 403
| project AppId, UserId, ServicePrincipalId, ResponseStatusCode, RequestUri, RequestMethod
| limit 1000
```
Get the top 20 app instances by request count:
```kql
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(1d)
| summarize RequestCount=count() by AppId, IpAddress, UserAgent
| sort by RequestCount desc
| limit 20
```
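As an added illustration (not code from this post or from Microsoft), the following Python runs the three queries above, plus the two detection patterns named in the use cases (an application enumerating all users; probing requests that pile up 403s), over a handful of constructed log records of the kind a SIEM receives once the logs are exported. The column names are the ones the post's queries use; the request URI format, the detection thresholds, and every AppId, IP address and user id in the sample are assumptions for the example.

```python
"""Detections over exported Microsoft Graph Activity Log records (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample data, not real tenant records; AppIds, IPs, user ids and
# the group id are placeholders. Column names follow the post's queries.
NOW = datetime(2023, 10, 12, 12, 0, tzinfo=timezone.utc)
SINCE = NOW - timedelta(days=1)


def _rec(minutes_ago, app, method, uri, status, ip="203.0.113.10",
         ua="probe/1.0", user=None, spn=None):
    """Build one record shaped like a MicrosoftGraphActivityLogs row."""
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "AppId": app,
            "UserId": user, "ServicePrincipalId": spn, "RequestMethod": method,
            "RequestUri": uri, "ResponseStatusCode": status,
            "IpAddress": ip, "UserAgent": ua}


G = "https://graph.microsoft.com/v1.0"
GROUP = G + "/groups/00000000-0000-0000-0000-000000000001"  # placeholder group id
SAMPLE = (
    # app-a pages through the entire /users collection: the enumeration pattern.
    [_rec(30 - i, "app-a", "GET", f"{G}/users?$top=999&$skiptoken=page{i}", 200, spn="spn-a")
     for i in range(12)]
    # app-b tries several privileged endpoints and is denied each time: probing.
    + [_rec(20, "app-b", "GET", G + "/directoryRoles", 403, spn="spn-b"),
       _rec(19, "app-b", "GET", G + "/groups", 403, spn="spn-b"),
       _rec(18, "app-b", "GET", G + "/applications", 403, spn="spn-b"),
       _rec(17, "app-b", "GET", G + "/servicePrincipals", 403, spn="spn-b"),
       _rec(16, "app-b", "GET", G + "/auditLogs/signIns", 401, spn="spn-b")]
    # user-1 edits and deletes one group through a delegated app: expected admin work.
    + [_rec(10, "app-c", "PATCH", GROUP, 204, ua="client/2.0", user="user-1"),
       _rec(9, "app-c", "DELETE", GROUP, 204, ua="client/2.0", user="user-1"),
       _rec(5, "app-c", "GET", G + "/me", 200, ua="client/2.0", user="user-1")]
)


def _resource(uri):
    """Path of the request with the API version stripped, e.g. '/users'."""
    path = urlsplit(uri).path
    for version in ("/v1.0", "/beta"):
        if path.startswith(version):
            return path[len(version):]
    return path


def _recent(records, since):
    return [r for r in records if r["TimeGenerated"] > since]


def group_mutations(records, since):
    """First query in the post: distinct URIs of non-GET requests on groups, per caller."""
    uris = {}
    for r in _recent(records, since):
        if r["RequestMethod"] != "GET" and _resource(r["RequestUri"]).startswith("/groups"):
            key = (r["AppId"], r["UserId"], r["ServicePrincipalId"], r["ResponseStatusCode"])
            uris.setdefault(key, set()).add(r["RequestUri"])
    return {key: len(seen) for key, seen in uris.items()}


def authz_failures(records, since):
    """Second query: requests that failed with 401 or 403."""
    return [r for r in _recent(records, since) if r["ResponseStatusCode"] in (401, 403)]


def probing_apps(records, since, min_failures=5, min_resources=3):
    """Use case from the post: many 401/403s across distinct resources looks like
    an app probing for permissions it does not hold. Thresholds are assumptions."""
    failures, resources = Counter(), {}
    for r in authz_failures(records, since):
        failures[r["AppId"]] += 1
        resources.setdefault(r["AppId"], set()).add(_resource(r["RequestUri"]))
    return sorted(a for a, n in failures.items()
                  if n >= min_failures and len(resources[a]) >= min_resources)


def user_enumerators(records, since, min_pages=10):
    """Use case from the post: an app paging through the whole /users collection."""
    pages = Counter()
    for r in _recent(records, since):
        if (r["RequestMethod"] == "GET" and r["ResponseStatusCode"] == 200
                and _resource(r["RequestUri"]).rstrip("/") == "/users"):
            pages[r["AppId"]] += 1
    return sorted(a for a, n in pages.items() if n >= min_pages)


def top_callers(records, since, n=20):
    """Third query: app instances (AppId, IpAddress, UserAgent) by request count."""
    counts = Counter((r["AppId"], r["IpAddress"], r["UserAgent"])
                     for r in _recent(records, since))
    return counts.most_common(n)


def run_detections(records=SAMPLE, since=SINCE):
    """Run every check over the records and return the findings by name."""
    return {"group_mutations": group_mutations(records, since),
            "authz_failures": len(authz_failures(records, since)),
            "probing_apps": probing_apps(records, since),
            "user_enumerators": user_enumerators(records, since),
            "top_callers": top_callers(records, since, n=3)}


if __name__ == "__main__":
    for name, result in run_detections().items():
        print(name, result)
```

The thresholds deliberately combine a failure count with a count of distinct resources, so that a single misconfigured client retrying one forbidden call does not trip the probing check; the enumeration check counts successful pages of the `/users` collection rather than every request that mentions a user, which keeps per-user lookups such as `/users/{id}` out of it.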
Microsoft Graph Activity Logs are available through the Azure Monitor Logs integration of Entra. Administrators configure the collection and storage destinations of Microsoft Graph Activity Logs through Diagnostic Settings in the Entra Portal. The logs can be stored and queried in an Azure Log Analytics Workspace, archived in Azure Storage Accounts, or exported to other SIEM tools through Azure Event Hubs.
For logs collected to a Log Analytics Workspace, you can use the full set of Azure Monitor Logs features, such as a portal query experience, alerting, saved queries, and workbooks.
Find out about how to enable Microsoft Graph Activity Logs, sample queries, estimated costs, and more in our documentation.
Learn more about Microsoft Entra:
- See recent Microsoft Entra blogs
- Dive into Microsoft Entra technical documentation
- Join the conversation on the Microsoft Entra discussion space and Twitter
- Learn more about Microsoft Security