What do you do with it?
- Microsoft Graph tracks all activity (API requests) within your organization (tenant).
- This includes actions from programs (line of business applications, API clients, SDKs) and Microsoft services (Outlook, Teams, Entra admin center).
- IT admins can enable logging and choose destinations for the data:
  - Store in Azure Monitor for analysis.
  - Export to Azure Storage for long-term retention.
  - Stream to external security tools for investigation.
Privileges
To access the Microsoft Graph activity logs, you need the following:
- A Microsoft Entra ID P1 or P2 license in your tenant.
- An administrator holding one of the following Microsoft Entra roles, listed from least to most privileged:
  - Security Administrator – to configure diagnostic settings
  - Global Administrator – to configure diagnostic settings
- An Azure subscription in which one of the following log destinations is configured, plus permissions to read the data in that destination:
  - An Azure Log Analytics workspace, to send logs to Azure Monitor
  - An Azure Storage account for which you have List Keys permission
  - An Azure Event Hubs namespace, to integrate with third-party solutions
What information is available?
| Column | Type | Description |
|---|---|---|
| AadTenantId | string | The Azure AD tenant ID. |
| ApiVersion | string | The API version of the event. |
| AppId | string | The identifier for the application. |
| ATContent | string | Reserved for future use. |
| _BilledSize | real | The record size in bytes. |
| ClientAuthMethod | int | Indicates how the client was authenticated. For a public client, the value is 0. If client ID and client secret are used, the value is 1. If a client certificate was used for authentication, the value is 2. |
| ClientRequestId | string | Optional. The client request identifier when sent. If no client request identifier is sent, the value is equal to the operation identifier. |
| DurationMs | int | The duration of the request in milliseconds. |
| IdentityProvider | string | The identity provider that authenticated the subject of the token. |
| IPAddress | string | The IP address of the client from which the request was made. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion is not billed to your Azure account. |
| Location | string | The name of the region that served the request. |
| OperationId | string | The identifier for the batch. For non-batched requests, this is unique per request. For batched requests, this is the same for all requests in the batch. |
| RequestId | string | The identifier representing the request. |
| RequestMethod | string | The HTTP method of the event. |
| RequestUri | string | The URI of the request. |
| ResponseSizeBytes | int | The size of the response in bytes. |
| ResponseStatusCode | int | The HTTP response status code for the event. |
| Roles | string | The roles in the token claims. |
| Scopes | string | The scopes in the token claims. |
| ServicePrincipalId | string | The identifier of the service principal making the request. |
| SignInActivityId | string | The identifier representing the sign-in activity. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics. |
| TenantId | string | The Log Analytics workspace ID. |
| TimeGenerated | datetime | The date and time the request was received. |
| TokenIssuedAt | datetime | The timestamp at which the token was issued. |
| Type | string | The name of the table. |
| UserAgent | string | The user agent information related to the request. |
| UserId | string | The identifier of the user making the request. |
| Wids | string | Denotes the tenant-wide roles assigned to this user. |
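As an added example (not part of the original post), the script below triages Graph activity records exported to storage or streamed to an external tool, using the column names from the table above. It assumes newline-delimited JSON with one record per line, uses constructed sample records rather than real tenant data, and the flagging thresholds are illustrative assumptions.

```python
import json
from collections import defaultdict

# Constructed sample records (not real tenant data); fields follow the table schema above.
SAMPLE_RECORDS = "\n".join(json.dumps(r) for r in [
    {"AppId": "app-a", "UserId": "", "ClientAuthMethod": 1, "IPAddress": "203.0.113.10",
     "RequestUri": "https://graph.microsoft.com/v1.0/users", "ResponseStatusCode": 403, "Roles": "User.Read.All"},
    {"AppId": "app-a", "UserId": "", "ClientAuthMethod": 1, "IPAddress": "203.0.113.11",
     "RequestUri": "https://graph.microsoft.com/v1.0/groups", "ResponseStatusCode": 403, "Roles": "User.Read.All"},
    {"AppId": "app-a", "UserId": "", "ClientAuthMethod": 1, "IPAddress": "203.0.113.12",
     "RequestUri": "https://graph.microsoft.com/v1.0/applications", "ResponseStatusCode": 200, "Roles": "User.Read.All"},
    {"AppId": "app-b", "UserId": "user-1", "ClientAuthMethod": 0, "IPAddress": "198.51.100.5",
     "RequestUri": "https://graph.microsoft.com/v1.0/me", "ResponseStatusCode": 200, "Scopes": "User.Read"},
    {"AppId": "app-b", "UserId": "user-1", "ClientAuthMethod": 0, "IPAddress": "198.51.100.5",
     "RequestUri": "https://graph.microsoft.com/v1.0/me/messages", "ResponseStatusCode": 200, "Scopes": "Mail.Read"},
])

# Meaning of ClientAuthMethod as documented in the column table.
AUTH_METHOD = {0: "public client", 1: "client secret", 2: "client certificate"}

def parse_records(text):
    """Parse newline-delimited JSON, one exported record per line (assumed export layout)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def summarize_by_app(records):
    """Per AppId: request count, distinct source IPs, share of 4xx responses, token type."""
    agg = defaultdict(lambda: {"requests": 0, "ips": set(), "client_errors": 0, "app_only": False, "auth": None})
    for r in records:
        s = agg[r["AppId"]]
        s["requests"] += 1
        s["ips"].add(r["IPAddress"])
        s["client_errors"] += 400 <= r["ResponseStatusCode"] < 500
        # Roles populated with an empty UserId means an app-only (client-credentials) token.
        s["app_only"] = s["app_only"] or (not r.get("UserId") and bool(r.get("Roles")))
        s["auth"] = AUTH_METHOD.get(r["ClientAuthMethod"], "unknown")
    return {app: {**s, "ips": len(s["ips"]), "error_ratio": s["client_errors"] / s["requests"]}
            for app, s in agg.items()}

def flag_apps(summary, max_error_ratio=0.5, max_ips=2):
    """AppIds whose app-only traffic has a high 4xx share or many source IPs (thresholds are assumptions)."""
    return sorted(app for app, s in summary.items()
                  if s["app_only"] and (s["error_ratio"] > max_error_ratio or s["ips"] > max_ips))

if __name__ == "__main__":
    summary = summarize_by_app(parse_records(SAMPLE_RECORDS))
    for app in flag_apps(summary):
        print(app, summary[app])
```

A high share of 403 responses from an app-only token is worth a look because it often means an application is probing for permissions it does not hold; tune the thresholds to your tenant's baseline.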
Diagnostics settings
Azure Monitor logs
Azure Monitor collects information from a number of Azure resources, and with diagnostic settings enabled it also receives the Microsoft Graph activity logs with the same columns listed above.
M365 Copilot
Let's first look at the Copilot architecture; the tenant concept in the Graph logs is discussed further below.
Going a little deeper into the workflow:
- User Devices: These have Microsoft 365 apps where users can interact with Copilot.
- Copilot Service: This acts like a conductor, taking user prompts and coordinating the response.
- Microsoft Graph (Tenant Instance): This acts like a personal library for Copilot, containing your organization’s data stored within Microsoft 365.
- Microsoft 365 Tenant: This is your organization’s central hub for Microsoft 365 services and data.
Keep this picture in mind: all logs for API requests made from line-of-business applications, API clients, SDKs, and Microsoft applications such as Outlook, Microsoft Teams, or the Microsoft Entra admin center are available.
An M365 tenant is like your organization's own block within Microsoft 365. It keeps all your company's data separate from everyone else's, but you have to know who connects to it.
After reading this, you should realize why you need to collect these logs, right?
Purview Unified Audit Log
You can also use Purview to review the logs of Copilot interactions.
Search in Microsoft Purview Audit (Standard) and Audit (Premium) gives your organization access to critical audit log event data to gain insight and further investigate user activities.
This is where the Copilot activities show up.
Closure
So keep your friends close but your enemies closer, and gather those logs: you never know when you will need them.
See the official announcement for more details.