Microsoft Graph activity logs is now generally available

Microsoft Graph activity logs is now generally available

We’re excited to announce the general availability of Microsoft Graph activity logs! Microsoft Graph activity logs give you visibility into HTTP requests made to the Microsoft Graph service in your tenant. With rapidly growing security threats and an increasing number of attacks, this log data source allows you to perform security analysis, threat hunting, and monitor application activity in your tenant.  


Some common use cases include: 


  • Identifying the activities that a compromised user account conducted in your tenant. 
  • Building detections and behavioral analysis to identify suspicious or anomalous use of Microsoft Graph APIs, such as an application enumerating all users, or making probing requests with many 403 errors. 
  • Investigating unexpected or unnecessarily privileged assignments of application permissions. 
  • Identifying problematic or unexpected behaviors for client applications, such as extreme call volumes that cause throttling for the tenant. 


You’re currently able to collect sign-in logs to analyze authentication activity and audit logs to see changes to important resources. With Microsoft Graph activity logs, you can now investigate the complete picture of activity in your tenant – from token request in sign-in logs, to API request activity (reads, writes, and deletes) in Microsoft Graph activity logs, to ultimate resource changes in audit logs.


Figure 1: Microsoft Graph activity logs in Log Analytics.Figure 1: Microsoft Graph activity logs in Log Analytics.



We’re delighted to see many of you applying the Microsoft Graph activity logs (Preview) to awesome use cases. As we listened to your feedback on cost concerns, particularly for ingestion to Log Analytics, we’ve also enabled Log Transformation and Basic Log capabilities to help you scope your log ingestion to a smaller set if desired.


To illustrate working with these logs, we can look at some basic queries: 
Summarize applications and principals that have made requests to change or delete groups in the past day:



| where TimeGenerated > ago(1d) 

| where RequestUri contains '/group' 

| where RequestMethod != "GET" 

| summarize UriCount=dcount(RequestUri) by AppId, UserId, ServicePrincipalId, ResponseStatusCode 


See recent requests that failed due to authorization:



| where TimeGenerated > ago(1h) 

| where ResponseStatusCode == 401 or ResponseStatusCode == 403 

| project AppId, UserId, ServicePrincipalId, ResponseStatusCode, RequestUri, RequestMethod 

| limit 1000 


Identify resources queried or modified by potentially risky users:

Note: This query leverages Risky User data from Entra ID Protection.



| where TimeGenerated > ago(30d) 

| join AADRiskyUsers on $left.UserId == $right.Id 

| extend resourcePath = replace_string(replace_string(replace_regex(tostring(parse_url(RequestUri).Path), @'(\/)+','/'),'v1.0/',''),'beta/','') 

| summarize RequestCount=dcount(RequestId) by UserId, RiskState, resourcePath,

RequestMethod, ResponseStatusCode 


Microsoft Graph activity logs are available through the Azure Monitor Logs integration of Microsoft Entra. Administrators of Microsoft Entra ID P1 or P2 tenants can configure the collection and storage destinations of Microsoft Graph activity logs through the diagnostic setting in the Entra portal. These settings allow you to configure the collection of the logs to a storage destination of your choice. The logs can be stored and queried in an Azure Log Analytics Workspace, archived in Azure Storage Accounts, or exported to other security information and event management (SIEM) tools through Azure Event Hubs. For logs collected in a Log Analytics Workspace, you can use the full set of Azure Monitor Logs features, such as a portal query experience, alerting, saved queries, and workbooks.   


Find out how to enable Microsoft Graph activity logs, sample queries, and more in our documentation. 


Kristopher Bash 

Product Manager, Microsoft Graph 



Learn more about Microsoft Entra: 

Published on:

Learn more
Azure Active Directory Identity Blog articles
Azure Active Directory Identity Blog articles

Azure Active Directory Identity Blog articles

Share post:

Related posts

Microsoft Copilot (Microsoft 365): Reference data from the Microsoft cloud when drafting with Copilot in Word

Microsoft Copilot, a feature in Microsoft 365, now allows users to reference specific emails, chats, meetings, and people when drafting in Wor...

1 day ago

Microsoft Copilot (Microsoft 365): Reference PDF files in Copilot in Word

Microsoft has announced a new feature in Microsoft 365 called Microsoft Copilot which now allows users to reference PDF files in Copilot while...

1 day ago

Microsoft Copilot (Microsoft 365): Longer documents can be summarized in chat

Microsoft Copilot, a feature in Word, has been updated to provide complete summaries of longer documents that it could only partially summariz...

1 day ago

Microsoft Copilot (Microsoft 365): Automatic summary of documents on file-open in Word

Microsoft Copilot is set to revolutionize the way we work with documents on Microsoft 365. With Copilot, you can generate automatic summaries ...

1 day ago

Microsoft Copilot (Microsoft 365): Get started on a draft immediately with example prompts

If you are looking to get a head start on drafting a document, look no further than Microsoft Copilot. This feature, available in Word, provid...

1 day ago

SharePoint PnP Viva Connections & SPFx JS SIG Call – June 13th, 2024 – Screenshot Summary

Community Call Highlights   SharePoint Quicklinks: Primary Community Websites: https://aka.ms/m365pnp —– PnP Sharing Is Caring: Pn...

2 days ago

Microsoft Teams: Webinar creation and registration Graph APIs

Microsoft Teams is set to introduce new Graph APIs that will make it easier for organizations to manage webinars programmatically, with no nee...

2 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy