Microsoft Graph activity logs is now generally available
We’re excited to announce the general availability of Microsoft Graph activity logs! Microsoft Graph activity logs give you visibility into HTTP requests made to the Microsoft Graph service in your tenant. With rapidly growing security threats and an increasing number of attacks, this log data source allows you to perform security analysis, threat hunting, and monitor application activity in your tenant.
Some common use cases include:
- Identifying the activities that a compromised user account conducted in your tenant.
- Building detections and behavioral analysis to identify suspicious or anomalous use of Microsoft Graph APIs, such as an application enumerating all users, or making probing requests with many 403 errors.
- Investigating unexpected or unnecessarily privileged assignments of application permissions.
- Identifying problematic or unexpected behaviors for client applications, such as extreme call volumes that cause throttling for the tenant.
You’re currently able to collect sign-in logs to analyze authentication activity and audit logs to see changes to important resources. With Microsoft Graph activity logs, you can now investigate the complete picture of activity in your tenant – from token request in sign-in logs, to API request activity (reads, writes, and deletes) in Microsoft Graph activity logs, to ultimate resource changes in audit logs.
Figure 1: Microsoft Graph activity logs in Log Analytics.
We’re delighted to see many of you applying the Microsoft Graph activity logs (Preview) to awesome use cases. As we listened to your feedback on cost concerns, particularly for ingestion to Log Analytics, we’ve also enabled Log Transformation and Basic Log capabilities to help you scope your log ingestion to a smaller set if desired.
To illustrate working with these logs, we can look at some basic queries:
Summarize applications and principals that have made requests to change or delete groups in the past day:
|
MicrosoftGraphActivityLogs | where TimeGenerated > ago(1d) | where RequestUri contains '/group' | where RequestMethod != "GET" | summarize UriCount=dcount(RequestUri) by AppId, UserId, ServicePrincipalId, ResponseStatusCode |
See recent requests that failed due to authorization:
|
MicrosoftGraphActivityLogs | where TimeGenerated > ago(1h) | where ResponseStatusCode == 401 or ResponseStatusCode == 403 | project AppId, UserId, ServicePrincipalId, ResponseStatusCode, RequestUri, RequestMethod | limit 1000 |
Identify resources queried or modified by potentially risky users:
Note: This query leverages Risky User data from Entra ID Protection.
|
MicrosoftGraphActivityLogs | where TimeGenerated > ago(30d) | join AADRiskyUsers on $left.UserId == $right.Id | extend resourcePath = replace_string(replace_string(replace_regex(tostring(parse_url(RequestUri).Path), @'(\/)+','/'),'v1.0/',''),'beta/','') | summarize RequestCount=dcount(RequestId) by UserId, RiskState, resourcePath, RequestMethod, ResponseStatusCode |
Microsoft Graph activity logs are available through the Azure Monitor Logs integration of Microsoft Entra. Administrators of Microsoft Entra ID P1 or P2 tenants can configure the collection and storage destinations of Microsoft Graph activity logs through the diagnostic setting in the Entra portal. These settings allow you to configure the collection of the logs to a storage destination of your choice. The logs can be stored and queried in an Azure Log Analytics Workspace, archived in Azure Storage Accounts, or exported to other security information and event management (SIEM) tools through Azure Event Hubs. For logs collected in a Log Analytics Workspace, you can use the full set of Azure Monitor Logs features, such as a portal query experience, alerting, saved queries, and workbooks.
Find out how to enable Microsoft Graph activity logs, sample queries, and more in our documentation.
Kristopher Bash
Product Manager, Microsoft Graph
LinkedIn
Learn more about Microsoft Entra:
- See recent Microsoft Entra blogs
- Dive into Microsoft Entra technical documentation
- Learn more at Azure Active Directory (Azure AD) rename to Microsoft Entra ID
- Join the conversation on the Microsoft Entra discussion space
- Learn more about Microsoft Security
Published on:
Learn moreRelated posts
Microsoft 365 & Power Platform Call (Microsoft Speakers) – July 7th, 2026 – Screenshot Summary
Call Highlights SharePoint Quicklinks: Primary PnP Website: https://aka.ms/m365pnp Documentation & Guidance SharePoint Dev Videos Issues...
Change to taskbar pinning behavior for M365 Copilot and companion apps
Starting mid-July 2026, Microsoft 365 admin center taskbar pinning will only manage the Microsoft 365 Copilot app, excluding companion apps (F...
(Updated) InfoPath 2013 client and InfoPath Forms Services in SharePoint Online will reach end of support in July 2026
InfoPath 2013 client and InfoPath Forms Services in SharePoint Online will be retired by July 14, 2026. After May 18, 2026, publishing new or ...
Microsoft Copilot (Microsoft 365): Microsoft 365 admin center – Usage reports – Copilot Chat for GCC, GCC High and DoD
We will be introducing a new Usage report covering Copilot Chat. This report will include total active users, Copilot Chat usage with a breako...
Copilot Cowork and Dynamics 365 Customer Engagement: What It Means for Sales and Service Teams
Microsoft’s Copilot Cowork update matters because it moves AI closer to daily sales and service work inside Dynamics 365. Sellers, service man...
First look at the SharePoint API usage report
A quick look at the recently introduced SharePoint API usage report. While the report seems to complement the already available Graph API usag...
Copilot Studio: Build Agents With SharePoint List Knowledge
You can use Copilot Studio to build an agent that is grounded in SharePoint knowledge. ... The post Copilot Studio: Build Agents With SharePoi...
Viva Engage: New Recent feed in Home
Microsoft Viva Engage will add a new Recent feed in Home, showing chronological content from followed communities, people, and priority commun...
Discussion post previews coming to Viva Engage
Viva Engage will introduce discussion post previews by late August 2026, allowing users to review formatting and presentation before publishin...