Graph activity logs is now generally available

What do you do with it?

  • Microsoft Graph tracks all activity (API requests) within your organization (tenant).
  • This includes actions from programs (line of business applications, API clients, SDKs) and Microsoft services (Outlook, Teams, Entra admin center).
  • IT admins can enable logging and choose destinations for the data:
    • Store in Azure Monitor for analysis.
    • Export to Azure Storage for long-term keeping.
    • Stream to external security tools for investigation.

Privileges

To access the Microsoft Graph activity logs, you need the following privileges.

  • A Microsoft Entra ID P1 or P2 tenant license in your tenant.
  • An administrator with one of the following Microsoft Entra administrator roles, listed from least to most privileged:
    • Security Administrator – To configure diagnostic settings
    • Global Administrator – To configure diagnostic settings
  • An Azure subscription with one of the following log destinations configured, and permissions to access data in the corresponding log destination:
    • An Azure Log Analytics workspace to send logs to Azure Monitor
    • An Azure Storage Account for which you have List Keys permissions
    • An Azure Event Hubs namespace to integrate with third-party solutions

What information is available?

Column | Type | Description
--- | --- | ---
AadTenantId | string | The Azure AD tenant ID.
ApiVersion | string | The API version of the event.
AppId | string | The identifier for the application.
ATContent | string | Reserved for future use.
_BilledSize | real | The record size in bytes.
ClientAuthMethod | int | Indicates how the client was authenticated. For a public client, the value is 0. If client ID and client secret are used, the value is 1. If a client certificate was used for authentication, the value is 2.
ClientRequestId | string | Optional. The client request identifier when sent. If no client request identifier is sent, the value will be equal to the operation identifier.
DurationMs | int | The duration of the request in milliseconds.
IdentityProvider | string | The identity provider that authenticated the subject of the token.
IPAddress | string | The IP address of the client from where the request occurred.
_IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account.
Location | string | The name of the region that served the request.
OperationId | string | The identifier for the batch. For non-batched requests, this will be unique per request. For batched requests, this will be the same for all requests in the batch.
RequestId | string | The identifier representing the request.
RequestMethod | string | The HTTP method of the event.
RequestUri | string | The URI of the request.
ResponseSizeBytes | int | The size of the response in bytes.
ResponseStatusCode | int | The HTTP response status code for the event.
Roles | string | The roles in token claims.
Scopes | string | The scopes in token claims.
ServicePrincipalId | string | The identifier of the servicePrincipal making the request.
SignInActivityId | string | The identifier representing the sign-in activity.
SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics.
TenantId | string | The Log Analytics workspace ID.
TimeGenerated | datetime | The date and time the request was received.
TokenIssuedAt | datetime | The timestamp the token was issued at.
Type | string | The name of the table.
UserAgent | string | The user agent information related to the request.
UserId | string | The identifier of the user making the request.
Wids | string | Denotes the tenant-wide roles assigned to this user.
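As an added illustration (not code from the original post or from Microsoft), here is a small Python triage pass over constructed records that use the column names from the table above: it decodes ClientAuthMethod, lists app-only clients that still authenticate with a client secret, flags apps collecting repeated 403 responses, and groups requests that share an OperationId into their $batch. App IDs, user IDs, URIs and the 403 threshold are invented for the example.

```python
from collections import defaultdict

# ClientAuthMethod values as documented in the column table above.
AUTH_METHOD = {0: "public client", 1: "client secret", 2: "client certificate"}

def row(app, user, auth, uri, status, roles="", scopes="", op="op-0"):
    """Build one constructed record using the column names from the table."""
    return {"AppId": app, "UserId": user, "ClientAuthMethod": auth, "RequestUri": uri,
            "ResponseStatusCode": status, "Roles": roles, "Scopes": scopes, "OperationId": op}

G = "https://graph.microsoft.com/v1.0"
# Constructed sample records; app IDs, users and operation IDs are invented.
SAMPLE_ROWS = [
    row("app-A", "", 1, G + "/users", 200, roles="Directory.Read.All", op="op-1"),
    row("app-A", "", 1, G + "/users/u1/messages", 403, roles="Directory.Read.All", op="op-2"),
    row("app-A", "", 1, G + "/users/u2/messages", 403, roles="Directory.Read.All", op="op-3"),
    row("app-B", "u-1", 2, G + "/$batch", 200, scopes="Mail.Read User.Read", op="op-4"),
    row("app-B", "u-1", 2, G + "/me/messages", 200, scopes="Mail.Read User.Read", op="op-4"),
    row("app-B", "u-1", 2, G + "/me/events", 200, scopes="Mail.Read User.Read", op="op-4"),
]

def auth_method_name(record):
    """Decode ClientAuthMethod (0, 1, 2) into a readable label."""
    return AUTH_METHOD.get(record.get("ClientAuthMethod"), "unknown")

def app_only_secret_clients(rows):
    """Apps calling app-only (no UserId, Roles claim present) that authenticate with a
    client secret instead of a certificate: candidates for a credential-hygiene review."""
    return sorted({r["AppId"] for r in rows
                   if not r.get("UserId") and r.get("Roles") and r.get("ClientAuthMethod") == 1})

def apps_with_denied_calls(rows, min_count=2):
    """Apps receiving repeated 403s: either a misconfigured integration or a client
    calling beyond the permissions it was granted; both deserve a look."""
    denied = defaultdict(int)
    for r in rows:
        if r.get("ResponseStatusCode") == 403:
            denied[r["AppId"]] += 1
    return {app: n for app, n in denied.items() if n >= min_count}

def batch_sizes(rows):
    """Requests sharing an OperationId belong to one $batch call (see the table);
    return the size of each batch so large batches can be reviewed as a unit."""
    sizes = defaultdict(int)
    for r in rows:
        sizes[r["OperationId"]] += 1
    return {op: n for op, n in sizes.items() if n > 1}
```

The same checks translate directly into queries against the Log Analytics table once the diagnostic setting below is sending data there.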

Diagnostics settings

Azure Monitor logs

Azure Monitor collects information from the following resources (figure not reproduced here), and adds these logs from Graph to them (the same column list as above).

M365 Copilot

Let's look first at the Copilot architecture; when we discuss the tenant concept in Graph logs, it will be shown below.

And to go a little deeper into the workflow:

  • User Devices: These have Microsoft 365 apps where users can interact with Copilot.
  • Copilot Service: This acts like a conductor, taking user prompts and coordinating the response.
  • Microsoft Graph (Tenant Instance): This acts like a personal library for Copilot, containing your organization’s data stored within Microsoft 365.
  • Microsoft 365 Tenant: This is your organization’s central hub for Microsoft 365 services and data.

Now keep this picture in mind: all logs for API requests made from line of business applications, API clients, SDKs, and by Microsoft applications like Outlook, Microsoft Teams, or the Microsoft Entra admin center are available.

An M365 tenant is like your organization's own block within Microsoft 365. It keeps all your company's data separate from everyone else's, but you have to know who connects to it.

After reading this you should realize why you need to collect these logs, right?

Purview Unified Audit Log

You can also use Purview for the logs for Copilot interactions.

Search in Microsoft Purview Audit (Standard) and Audit (Premium) gives your organization access to critical audit log event data to gain insight and further investigate user activities.

This is what you see from Copilot activities in the audit search (figure not reproduced here).

Closure

So keep your friends close but your enemies closer, and gather those logs; you never know when you will need them.

See here for the announcement.

Author: Harri Jaakkonen