AuditLog.Read.All | Graph Permissions

Permission Details

Application Permission

Read all audit log data

Allows the app to read and query your audit log activities, without a signed-in user.

Permission ID: b0afded3-3588-46d8-8b3d-9842eff778da

Delegated Permission

Read audit log data

Allows the app to read and query your audit log activities, on behalf of the signed-in user.

Permission ID: e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20

Properties

Microsoft Graph v1.0 mapped-docs

Properties is shown from stable Microsoft Graph v1.0 metadata.

Property	Type	Description
`activityDateTime`	`DateTimeOffset`	Indicates the date and time the activity was performed. The Timestamp type is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $filter (eq, ge, le) and $orderby.
`activityDisplayName`	`String`	Indicates the activity name or the operation name (examples: "Create User" and "Add member to group"). For a list of activities logged, refer to Microsoft Entra audit log categories and activities. Supports $filter (eq, startswith).
`additionalDetails`	`keyValue collection`	Indicates additional details on the activity.
`category`	`String`	Indicates which resource category that's targeted by the activity. For example: UserManagement, GroupManagement, ApplicationManagement, RoleManagement. For a list of categories for activities logged, refer to Microsoft Entra audit log categories and activities.
`correlationId`	`Guid`Nullable	Indicates a unique ID that helps correlate activities that span across various services. Can be used to trace logs across services. Supports $filter (eq).
`id`	`String`	Indicates the unique ID for the activity. This is a GUID. Supports $filter (eq).
`initiatedBy`	`auditActivityInitiator`	Indicates information about the user or app initiated the activity. Supports $filter (eq) for user/id, user/displayName, user/userPrincipalName, app/appId, app/displayName; and $filter (startswith) for user/userPrincipalName.
`loggedByService`	`String`Nullable	Indicates information on which service initiated the activity (For example: Self-service Password Management, Core Directory, B2C, Invited Users, Microsoft Identity Manager, Privileged Identity Management. Supports $filter (eq).
`operationType`	`String`Nullable	Indicates the type of operation that was performed. The possible values include but are not limited to the following: Add, Assign, Update, Unassign, and Delete.
`result`	`operationResult`	Indicates the result of the activity. The possible values are: success, failure, timeout, unknownFutureValue.
`resultReason`	`String`Nullable	Indicates the reason for failure if the result is failure or timeout.
`targetResources`	`targetResource collection`	Indicates information on which resource was changed due to the activity. Target Resource Type can be User, Device, Directory, App, Role, Group, Policy or Other. Supports $filter (eq) for id and displayName; and $filter (startswith) for displayName.

JSON Representation

Microsoft Graph v1.0 mapped-docs

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

JSON representation

{
  "activityDateTime": "String (timestamp)",
  "activityDisplayName": "String",
  "additionalDetails": [
    {
      "@odata.type": "microsoft.graph.keyValue"
    }
  ],
  "category": "String",
  "correlationId": "Guid",
  "id": "String (identifier)",
  "initiatedBy": {
    "@odata.type": "microsoft.graph.auditActivityInitiator"
  },
  "loggedByService": "String",
  "operationType": "String",
  "result": "String",
  "resultReason": "String",
  "targetResources": [
    {
      "@odata.type": "microsoft.graph.targetResource"
    }
  ]
}

Relationships

Microsoft Graph v1.0 schema-derived

Relationships is shown from stable Microsoft Graph v1.0 metadata.

Relationship	Type	Description
`additionalDetails`	`keyValue collection`	Indicates additional details on the activity.
`initiatedBy`	`auditActivityInitiator`	Related initiatedBy data exposed by this resource.
`targetResources`	`targetResource collection`	Indicates information on which resource was changed due to the activity. Target Resource Type can be User, Device, Directory, App, Role, Group, Policy or Other. Supports $filter (eq) for id and displayName; and $filter (startswith) for displayName.

Graph Methods

Delegated access App-only access

Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET `/auditLogs/directoryaudits`
GET `/auditLogs/directoryAudits/{id}`
GET `/auditLogs/provisioning`
GET `/auditLogs/signIns`
GET `/auditLogs/signIns/{id}`
GET `/reports/authenticationMethods/userRegistrationDetails`
GET `/reports/authenticationMethods/userRegistrationDetails/{userId}`
GET `/reports/authenticationMethods/usersRegisteredByFeature`
GET `/reports/authenticationMethods/usersRegisteredByMethod`

Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET `/auditLogs/auditActivityTypes`
GET `/auditLogs/directoryAudits`
GET `/auditLogs/directoryAudits/{id}`
GET `/auditLogs/getSummarizedMSISignIns(aggregationWindow='{aggregationWindow}')`
GET `/auditLogs/getSummarizedNonInteractiveSignIns(aggregationWindow='{aggregationWindow}')`
GET `/auditLogs/getSummarizedServicePrincipalSignIns(aggregationWindow='{aggregationWindow}')`
GET `/auditLogs/provisioning`
GET `/auditLogs/signInEventsAppSummary`
GET `/auditLogs/signInEventsSummary`
GET `/auditLogs/signIns`
GET `/auditLogs/signIns/{id}`
GET `/auditLogs/signUps`
GET `/auditLogs/signUps/{id}`
GET `/reports/appCredentialSignInActivities`
GET `/reports/appCredentialSignInActivities/{appCredentialSignInActivityId}`
GET `/reports/authenticationMethods/userEventsSummary`
GET `/reports/authenticationMethods/userMfaSignInSummary`
GET `/reports/authenticationMethods/userPasswordResetsAndChangesSummary`
GET `/reports/authenticationMethods/userRegistrationActivity(period='{period}')`
GET `/reports/authenticationMethods/userRegistrationDetails`
GET `/reports/authenticationMethods/userRegistrationDetails/{userId}`
GET `/reports/authenticationMethods/userSignInsByAuthMethodSummary(period='{period}')`
GET `/reports/authenticationMethods/usersRegisteredByFeature`
GET `/reports/authenticationMethods/usersRegisteredByMethod`
GET `/reports/servicePrincipalSignInActivities`
GET `/reports/servicePrincipalSignInActivities/{servicePrincipalSignInActivityId}`

Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
`Get-MgAuditLogDirectoryAudit` /auditLogs/directoryaudits List directoryAudits
`Get-MgAuditLogDirectoryAudit` /auditLogs/directoryAudits/{id} Get directoryAudit
`Get-MgAuditLogProvisioning` /auditLogs/provisioning List provisioningObjectSummary
`Get-MgAuditLogSignIn` /auditLogs/signIns List signIns
`Get-MgAuditLogSignIn` /auditLogs/signIns/{id} Get signIn
`Get-MgReportAuthenticationMethodUserRegistrationDetail` /reports/authenticationMethods/userRegistrationDetails List userRegistrationDetails
`Get-MgReportAuthenticationMethodUserRegistrationDetail` /reports/authenticationMethods/userRegistrationDetails/{userId} Get userRegistrationDetails

Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
`Get-MgBetaAuditLogDirectoryAudit` /auditLogs/directoryAudits List directoryAudits
`Get-MgBetaAuditLogDirectoryAudit` /auditLogs/directoryAudits/{id} Get directoryAudit
`Get-MgBetaAuditLogProvisioning` /auditLogs/provisioning List provisioningObjectSummary
`Get-MgBetaAuditLogSignIn` /auditLogs/signIns List signIns
`Get-MgBetaAuditLogSignIn` /auditLogs/signIns/{id} Get signIn
`Get-MgBetaAuditLogSignUp` /auditLogs/signUps List signUps
`Get-MgBetaAuditLogSignUp` /auditLogs/signUps/{id} Get selfServiceSignUp
`Get-MgBetaReportAppCredentialSignInActivity` /reports/appCredentialSignInActivities List appCredentialSignInActivities
`Get-MgBetaReportAppCredentialSignInActivity` /reports/appCredentialSignInActivities/{appCredentialSignInActivityId} Get appCredentialSignInActivity
`Get-MgBetaReportAuthenticationMethodUserEventSummary` /reports/authenticationMethods/userEventsSummary List userEventsSummary objects
`Get-MgBetaReportAuthenticationMethodUserMfaSignInSummary` /reports/authenticationMethods/userMfaSignInSummary List userMfaSignInSummary objects
`Get-MgBetaReportAuthenticationMethodUserPasswordResetAndChangeSummary` /reports/authenticationMethods/userPasswordResetsAndChangesSummary List userPasswordResetsAndChangesSummary objects
`Get-MgBetaReportAuthenticationMethodUserRegistrationDetail` /reports/authenticationMethods/userRegistrationDetails List userRegistrationDetails
`Get-MgBetaReportAuthenticationMethodUserRegistrationDetail` /reports/authenticationMethods/userRegistrationDetails/{userId} Get userRegistrationDetails
`Get-MgBetaReportServicePrincipalSignInActivity` /reports/servicePrincipalSignInActivities List servicePrincipalSignInActivities
`Get-MgBetaReportServicePrincipalSignInActivity` /reports/servicePrincipalSignInActivities/{servicePrincipalSignInActivityId} Get servicePrincipalSignInActivity
`Invoke-MgBetaSignReportAuthenticationMethod` /reports/authenticationMethods/userSignInsByAuthMethodSummary(period='{period}') authenticationMethodsRoot: userSignInsByAuthMethodSummary
`Invoke-MgBetaUserReportAuthenticationMethodRegistrationActivity` /reports/authenticationMethods/userRegistrationActivity(period='{period}') authenticationMethodsRoot: userRegistrationActivity

Code Examples

C# / .NET SDK

Get directoryAudit

View official example on Microsoft Learn

// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.AuditLogs.DirectoryAudits["{directoryAudit-id}"].GetAsync();

JavaScript

authenticationMethodsRoot: usersRegisteredByFeature

View official example on Microsoft Learn

const options = {
	authProvider,
};

const client = Client.init(options);

let userRegistrationFeatureSummary = await client.api('/reports/authenticationMethods/usersRegisteredByFeature(includedUserTypes='all',includedUserRoles='all')')
	.get();

PowerShell

Get directoryAudit

View official example on Microsoft Learn

Import-Module Microsoft.Graph.Reports

Get-MgAuditLogDirectoryAudit -DirectoryAuditId $directoryAuditId

Python

Get directoryAudit

View official example on Microsoft Learn

# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

result = await graph_client.audit_logs.directory_audits.by_directory_audit_id('directoryAudit-id').get()

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or delegated permissions and search for AuditLog.Read.All

4

Grant Admin Consent

Application permissions always require admin consent.