Microsoft Graph activity logs is now generally available
Image Source:
Microsoft Entra
Apr 11, 2024 11:16 PM

Microsoft Graph activity logs is now generally available

by HubSite 365 about Microsoft

Software Development Redmond, Washington

AdministratorMicrosoft EntraM365 ReleaseM365 Admin

Boost Security: Microsoft Graph Activity Logs Now Available for Insights & Threat Hunting

Key insights




  • Microsoft Graph activity logs are now widely available, providing visibility into HTTP requests made to the Microsoft Graph service in your tenant.
  • Security analysis, threat hunting, and monitoring application activity in your tenant are some critical capabilities enabled by these logs.
  • Use cases include identifying compromised user activities, detecting suspicious API uses, investigating privileged application permissions, and tracking client application behaviors such as excessive call volumes.
  • Alongside sign-in and audit logs, Microsoft Graph activity logs offer a comprehensive view of tenant activity, covering token requests, API activities (reads, writes, deletes), and resource changes.
  • Microsoft includes features like Log Transformation and Basic Log capabilities to reduce cost concerns for log ingestion into Log Analytics, along with providing guidance on working with logs through example queries.

Microsoft Graph Activity Logs

Microsoft Graph activity logs provide an essential tool for administrators and security professionals to gain insights into the interactions with Microsoft Graph services within their environment. By offering detailed information about HTTP requests made to the Microsoft Graph, these logs are a key resource for enhancing security measures and ensuring the smooth operation of applications relying on Microsoft services. The logs enable users to conduct in-depth security analysis, pursue proactive threat hunting, and monitor application activities, thus playing a crucial role in safeguarding against security threats and attacks.

Some common use cases include:

  • Identifying the activities that a compromised user account conducted in your tenant.
  • Building detections and behavioral analysis to identify suspicious or anomalous use of Microsoft Graph APIs, such as an application enumerating all users, or making probing requests with many 403 errors.
  • Investigating unexpected or unnecessarily privileged assignments of application permissions.
  • Identifying problematic or unexpected behaviors for client applications, such as extreme call volumes that cause throttling for the tenant.

Furthermore, the availability of these logs supports compliance with security policies and regulations by allowing the tracking of suspicious activities, potential security breaches, and unusual application behaviors. With the addition of log transformation and cost-reducing capabilities, Microsoft has made it easier and more affordable for organizations to integrate these logs into their security and monitoring frameworks. The ability to combine Microsoft Graph activity logs with sign-in and audit logs provides a holistic view of tenant activities, making it a valuable asset for administrators aiming to maintain a secure and efficient IT environment.

Read the full article Microsoft Graph activity logs is now generally available

Microsoft Graph - Microsoft Graph Activity Logs Launches for All Users

People also ask

How do I enable activity log in Azure?

Enabling activity log insights can be done at both the resource group and subscription levels to allow for a detailed view of activities.

Where are Azure activity logs stored?

In Azure, activity logs are captured and stored within a Log Analytics workspace, specifically in a table named AzureActivity. This data can be retrieved through the execution of log queries within Log Analytics.

How do I access Azure logs?

To access Azure logs, navigate to the Identity > Monitoring & health > Diagnostic settings section. From there, you can select the logs you wish to stream, opt for the Stream to an event hub, and fill in the necessary fields. Guidelines on ingesting data from Azure Event Hubs into third-party tools are typically provided by the independent security vendor.

What is an activity log?

An activity log, also known as Activity Diary or Job Activity Log, serves as a detailed written record capturing how one's time is spent throughout the day. Maintaining an activity log for a few days can help in gaining an accurate understanding of daily time investment and activities.



Microsoft Graph, activity logs, generally available, Graph API, Microsoft 365, API access, integration, real-time monitoring