openapi: 3.1.0 info: title: Microsoft Graph Audit Logs API description: The Microsoft Graph Audit Logs API provides access to Microsoft Entra ID audit logs, including directory audits, sign-in logs, and provisioning logs. This enables monitoring and reviewing user activities, authentication events, and provisioning operations across your tenant. version: 1.0.0 contact: name: Microsoft Graph Support url: https://developer.microsoft.com/graph license: name: Microsoft API License url: https://docs.microsoft.com/legal/microsoft-apis/terms-of-use servers: - url: https://graph.microsoft.com/v1.0 description: Microsoft Graph v1.0 endpoint paths: /auditLogs: description: Provides operations to manage the auditLogRoot singleton. get: tags: - Audit Logs summary: Microsoft Graph Get auditLogs description: Performs GET operation on /auditLogs operationId: listAuditLogs parameters: - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: description: Retrieved entity content: application/json: schema: $ref: '#/components/schemas/AuditLogRoot' examples: AuditLogRootExample: $ref: '#/components/examples/AuditLogRootExample' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: 2XX x-ms-docs-operation-type: operation patch: tags: - Audit Logs summary: Microsoft Graph Update auditLogs description: Performs PATCH operation on /auditLogs operationId: updateAuditLogs requestBody: description: New property values content: application/json: schema: $ref: '#/components/schemas/AuditLogRoot' examples: AuditLogRootRequestExample: $ref: '#/components/examples/AuditLogRootRequestExample' required: true responses: 2XX: description: 
Success content: application/json: schema: $ref: '#/components/schemas/AuditLogRoot' examples: AuditLogRootExample: $ref: '#/components/examples/AuditLogRootExample' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: 2XX x-ms-docs-operation-type: operation /auditLogs/directoryAudits: description: Provides operations to manage the directoryAudits property of the microsoft.graph.auditLogRoot entity. get: tags: - Audit Logs Directory Audits summary: Microsoft Graph List directoryAudits description: Get the list of audit logs generated by Microsoft Entra ID. This includes audit logs generated by various services within Microsoft Entra ID, including user, app, device and group management, privileged identity management (PIM), access reviews, terms of use, identity protection, password management (self-service and admin password resets), and self-service group management, and so on. operationId: listAuditLogsDirectoryAudits externalDocs: description: Find more info here url: https://learn.microsoft.com/graph/api/directoryaudit-list?view=graph-rest-1.0 parameters: - $ref: '#/components/parameters/Top' - $ref: '#/components/parameters/Skip' - $ref: '#/components/parameters/Search' - $ref: '#/components/parameters/Filter' - $ref: '#/components/parameters/Count' - name: $orderby in: query description: Order items by property values style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: $ref: '#/components/responses/DirectoryAuditCollectionResponse' 4XX: $ref: '#/components/responses/error' 5XX: $ref:
'#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: 2XX x-ms-pageable: nextLinkName: '@odata.nextLink' operationName: listMore x-ms-docs-operation-type: operation post: tags: - Audit Logs Directory Audits summary: Microsoft Graph Create Directory Audits description: Performs POST operation on /auditLogs/directoryAudits operationId: createAuditLogsDirectoryAudits requestBody: description: New navigation property content: application/json: schema: $ref: '#/components/schemas/DirectoryAudit' examples: DirectoryAuditRequestExample: $ref: '#/components/examples/DirectoryAuditRequestExample' required: true responses: 2XX: description: Created navigation property. content: application/json: schema: $ref: '#/components/schemas/DirectoryAudit' examples: DirectoryAuditExample: $ref: '#/components/examples/DirectoryAuditExample' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: 2XX x-ms-docs-operation-type: operation /auditLogs/directoryAudits/{directoryAudit-id}: description: Provides operations to manage the directoryAudits property of the microsoft.graph.auditLogRoot entity. get: tags: - Audit Logs Directory Audits summary: Microsoft Graph Get directoryAudit description: Get a specific Microsoft Entra audit log item. This includes an audit log item generated by various services within Microsoft Entra ID like user, application, device and group management, privileged identity management (PIM), access reviews, terms of use, identity protection, password management (self-service and admin password resets), self-service group management, and so on. 
operationId: getAuditLogsDirectoryAudits externalDocs: description: Find more info here url: https://learn.microsoft.com/graph/api/directoryaudit-get?view=graph-rest-1.0 parameters: - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: description: Retrieved navigation property content: application/json: schema: $ref: '#/components/schemas/DirectoryAudit' examples: DirectoryAuditExample: $ref: '#/components/examples/DirectoryAuditExample' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: 2XX x-ms-docs-operation-type: operation patch: tags: - Audit Logs Directory Audits summary: Microsoft Graph Update Directory Audits description: Performs PATCH operation on /auditLogs/directoryAudits/{directoryAudit-id} operationId: updateAuditLogsDirectoryAudits requestBody: description: New navigation property values content: application/json: schema: $ref: '#/components/schemas/DirectoryAudit' examples: DirectoryAuditRequestExample: $ref: '#/components/examples/DirectoryAuditRequestExample' required: true responses: 2XX: description: Success content: application/json: schema: $ref: '#/components/schemas/DirectoryAudit' examples: DirectoryAuditExample: $ref: '#/components/examples/DirectoryAuditExample' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: 2XX x-ms-docs-operation-type: operation delete: tags: - Audit Logs Directory Audits summary: Microsoft Graph Delete Directory Audits description: Performs DELETE operation on /auditLogs/directoryAudits/{directoryAudit-id} operationId: 
deleteAuditLogsDirectoryAudits parameters: - name: If-Match in: header description: ETag schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: '204' x-ms-docs-operation-type: operation parameters: - name: directoryAudit-id in: path description: The unique identifier of directoryAudit required: true schema: type: string x-ms-docs-key-type: directoryAudit /auditLogs/directoryAudits/$count: description: Provides operations to count the resources in the collection. get: tags: - Audit Logs Directory Audits summary: Microsoft Graph Get the number of the resource description: Performs GET operation on /auditLogs/directoryAudits/$count operationId: countAuditLogsDirectoryAudits parameters: - $ref: '#/components/parameters/Search' - $ref: '#/components/parameters/Filter' responses: 2XX: $ref: '#/components/responses/ODataCountResponse' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: 2XX /auditLogs/provisioning: description: Provides operations to manage the provisioning property of the microsoft.graph.auditLogRoot entity. get: tags: - Audit Logs Provisioning summary: Microsoft Graph List provisioningObjectSummary description: 'Get all provisioning events that occurred in your tenant, such as the deletion of a group in a target application or the creation of a user when provisioning user accounts from your HR system. 
' operationId: provisionAuditLogsProvisioning externalDocs: description: Find more info here url: https://learn.microsoft.com/graph/api/provisioningobjectsummary-list?view=graph-rest-1.0 parameters: - $ref: '#/components/parameters/Top' - $ref: '#/components/parameters/Skip' - $ref: '#/components/parameters/Search' - $ref: '#/components/parameters/Filter' - $ref: '#/components/parameters/Count' - name: $orderby in: query description: Order items by property values style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: $ref: '#/components/responses/ProvisioningObjectSummaryCollectionResponse' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: 2XX x-ms-pageable: nextLinkName: '@odata.nextLink' operationName: listMore x-ms-docs-operation-type: operation post: tags: - Audit Logs Provisioning summary: Microsoft Graph Create Provisioning description: Performs POST operation on /auditLogs/provisioning operationId: provisionAuditLogsProvisioning1 requestBody: description: New navigation property content: application/json: schema: $ref: '#/components/schemas/ProvisioningObjectSummary' examples: ProvisioningObjectSummaryRequestExample: $ref: '#/components/examples/ProvisioningObjectSummaryRequestExample' required: true responses: 2XX: description: Created navigation property. 
content: application/json: schema: $ref: '#/components/schemas/ProvisioningObjectSummary' examples: ProvisioningObjectSummaryExample: $ref: '#/components/examples/ProvisioningObjectSummaryExample' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: 2XX x-ms-docs-operation-type: operation /auditLogs/provisioning/{provisioningObjectSummary-id}: description: Provides operations to manage the provisioning property of the microsoft.graph.auditLogRoot entity. get: tags: - Audit Logs Provisioning summary: Microsoft Graph Get provisioning from auditLogs description: Performs GET operation on /auditLogs/provisioning/{provisioningObjectSummary-id} operationId: provisionAuditLogsProvisioning2 parameters: - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: description: Retrieved navigation property content: application/json: schema: $ref: '#/components/schemas/ProvisioningObjectSummary' examples: ProvisioningObjectSummaryExample: $ref: '#/components/examples/ProvisioningObjectSummaryExample' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: 2XX x-ms-docs-operation-type: operation patch: tags: - Audit Logs Provisioning summary: Microsoft Graph Update Provisioning description: Performs PATCH operation on /auditLogs/provisioning/{provisioningObjectSummary-id} operationId: provisionAuditLogsProvisioning3 requestBody: description: New navigation property values content: application/json: schema: $ref: '#/components/schemas/ProvisioningObjectSummary' examples: ProvisioningObjectSummaryRequestExample: $ref: 
'#/components/examples/ProvisioningObjectSummaryRequestExample' required: true responses: 2XX: description: Success content: application/json: schema: $ref: '#/components/schemas/ProvisioningObjectSummary' examples: ProvisioningObjectSummaryExample: $ref: '#/components/examples/ProvisioningObjectSummaryExample' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: 2XX x-ms-docs-operation-type: operation delete: tags: - Audit Logs Provisioning summary: Microsoft Graph Delete Provisioning description: Performs DELETE operation on /auditLogs/provisioning/{provisioningObjectSummary-id} operationId: provisionAuditLogsProvisioning4 parameters: - name: If-Match in: header description: ETag schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: '204' x-ms-docs-operation-type: operation parameters: - name: provisioningObjectSummary-id in: path description: The unique identifier of provisioningObjectSummary required: true schema: type: string x-ms-docs-key-type: provisioningObjectSummary /auditLogs/provisioning/$count: description: Provides operations to count the resources in the collection. 
get: tags: - Audit Logs Provisioning summary: Microsoft Graph Get the number of the resource description: Performs GET operation on /auditLogs/provisioning/$count operationId: provisionAuditLogsProvisioning5 parameters: - $ref: '#/components/parameters/Search' - $ref: '#/components/parameters/Filter' responses: 2XX: $ref: '#/components/responses/ODataCountResponse' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: 2XX /auditLogs/signIns: description: Provides operations to manage the signIns property of the microsoft.graph.auditLogRoot entity. get: tags: - Audit Logs Sign Ins summary: Microsoft Graph List signIns description: Retrieve the Microsoft Entra user sign-ins for your tenant. Sign-ins that are interactive in nature (where a username/password is passed as part of auth token) and successful federated sign-ins are currently included in the sign-in logs. The maximum and default page size is 1,000 objects and by default, the most recent sign-ins are returned first. Only sign-in events that occurred within the Microsoft Entra ID default retention period are available. 
operationId: listAuditLogsSignIns externalDocs: description: Find more info here url: https://learn.microsoft.com/graph/api/signin-list?view=graph-rest-1.0 parameters: - $ref: '#/components/parameters/Top' - $ref: '#/components/parameters/Skip' - $ref: '#/components/parameters/Search' - $ref: '#/components/parameters/Filter' - $ref: '#/components/parameters/Count' - name: $orderby in: query description: Order items by property values style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: $ref: '#/components/responses/SignInCollectionResponse' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: 2XX x-ms-pageable: nextLinkName: '@odata.nextLink' operationName: listMore x-ms-docs-operation-type: operation post: tags: - Audit Logs Sign Ins summary: Microsoft Graph Create Sign Ins description: Performs POST operation on /auditLogs/signIns operationId: createAuditLogsSignIns requestBody: description: New navigation property content: application/json: schema: $ref: '#/components/schemas/SignIn' examples: SignInRequestExample: $ref: '#/components/examples/SignInRequestExample' required: true responses: 2XX: description: Created navigation property. 
content: application/json: schema: $ref: '#/components/schemas/SignIn' examples: SignInExample: $ref: '#/components/examples/SignInExample' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: 2XX x-ms-docs-operation-type: operation /auditLogs/signIns/{signIn-id}: description: Provides operations to manage the signIns property of the microsoft.graph.auditLogRoot entity. get: tags: - Audit Logs Sign Ins summary: Microsoft Graph Get signIn description: Retrieve a specific Microsoft Entra user sign-in event for your tenant. Sign-ins that are interactive in nature (where a username/password is passed as part of auth token) and successful federated sign-ins are currently included in the sign-in logs. operationId: getAuditLogsSignIns externalDocs: description: Find more info here url: https://learn.microsoft.com/graph/api/signin-get?view=graph-rest-1.0 parameters: - name: $select in: query description: Select properties to be returned style: form explode: false schema: uniqueItems: true type: array items: type: string - name: $expand in: query description: Expand related entities style: form explode: false schema: uniqueItems: true type: array items: type: string responses: 2XX: description: Retrieved navigation property content: application/json: schema: $ref: '#/components/schemas/SignIn' examples: SignInExample: $ref: '#/components/examples/SignInExample' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: 2XX x-ms-docs-operation-type: operation patch: tags: - Audit Logs Sign Ins summary: Microsoft Graph Update Sign Ins description: Performs PATCH operation on /auditLogs/signIns/{signIn-id} operationId: updateAuditLogsSignIns requestBody: description: New navigation property values content: application/json: schema: $ref: '#/components/schemas/SignIn' examples: 
SignInRequestExample: $ref: '#/components/examples/SignInRequestExample' required: true responses: 2XX: description: Success content: application/json: schema: $ref: '#/components/schemas/SignIn' examples: SignInExample: $ref: '#/components/examples/SignInExample' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: 2XX x-ms-docs-operation-type: operation delete: tags: - Audit Logs Sign Ins summary: Microsoft Graph Delete Sign Ins description: Performs DELETE operation on /auditLogs/signIns/{signIn-id} operationId: deleteAuditLogsSignIns parameters: - name: If-Match in: header description: ETag schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: '204' x-ms-docs-operation-type: operation parameters: - name: signIn-id in: path description: The unique identifier of signIn required: true schema: type: string x-ms-docs-key-type: signIn /auditLogs/signIns/$count: description: Provides operations to count the resources in the collection. get: tags: - Audit Logs Sign Ins summary: Microsoft Graph Get the number of the resource description: Performs GET operation on /auditLogs/signIns/$count operationId: countAuditLogsSignIns parameters: - $ref: '#/components/parameters/Search' - $ref: '#/components/parameters/Filter' responses: 2XX: $ref: '#/components/responses/ODataCountResponse' 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: 2XX /auditLogs/signIns/confirmCompromised: description: Provides operations to call the confirmCompromised method. post: tags: - Audit Logs Sign Ins summary: Microsoft Graph Create Confirm Compromised description: Mark an event in the Microsoft Entra sign-in logs as risky. 
Events marked as risky by an admin are immediately flagged as high risk in Microsoft Entra ID Protection, overriding previous risk states. Admins can confirm that events flagged as risky by Microsoft Entra ID Protection are in fact risky. For details about investigating Identity Protection risks, see How to investigate risk. operationId: confirmCompromisedAuditLogsSignIns externalDocs: description: Find more info here url: https://learn.microsoft.com/graph/api/signin-confirmcompromised?view=graph-rest-1.0 requestBody: description: Action parameters content: application/json: schema: type: object properties: requestIds: type: array items: type: string nullable: true examples: confirmCompromisedAuditLogsSignInsRequestExample: $ref: '#/components/examples/confirmCompromisedAuditLogsSignInsRequestExample' required: true responses: '204': description: Success 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: '204' x-ms-docs-operation-type: action /auditLogs/signIns/confirmSafe: description: Provides operations to call the confirmSafe method. post: tags: - Audit Logs Sign Ins summary: Microsoft Graph Create Confirm Safe description: Mark an event in Microsoft Entra sign-in logs as safe. Admins can either mark the events flagged as risky by Microsoft Entra ID Protection as safe, or they can mark unflagged events as safe. For details about investigating Identity Protection risks, see How to investigate risk. 
operationId: confirmSafeAuditLogsSignIns externalDocs: description: Find more info here url: https://learn.microsoft.com/graph/api/signin-confirmsafe?view=graph-rest-1.0 requestBody: description: Action parameters content: application/json: schema: type: object properties: requestIds: type: array items: type: string nullable: true examples: confirmSafeAuditLogsSignInsRequestExample: $ref: '#/components/examples/confirmSafeAuditLogsSignInsRequestExample' required: true responses: '204': description: Success 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: '204' x-ms-docs-operation-type: action /auditLogs/signIns/dismiss: description: Provides operations to call the dismiss method. post: tags: - Audit Logs Sign Ins summary: Microsoft Graph Create Dismiss description: Mark an event in Microsoft Entra sign-in logs as dismissed. For details about investigating Identity Protection risks, see How to investigate risk. 
operationId: dismissAuditLogsSignIns externalDocs: description: Find more info here url: https://learn.microsoft.com/graph/api/signin-dismiss?view=graph-rest-1.0 requestBody: description: Action parameters content: application/json: schema: type: object properties: requestIds: type: array items: type: string nullable: true examples: dismissAuditLogsSignInsRequestExample: $ref: '#/components/examples/dismissAuditLogsSignInsRequestExample' required: true responses: '204': description: Success 4XX: $ref: '#/components/responses/error' 5XX: $ref: '#/components/responses/error' x-microcks-operation: delay: 100 dispatcher: FALLBACK dispatcherRules: '204' x-ms-docs-operation-type: action tags: - name: Audit Logs description: Operations for accessing audit log data - name: Audit Logs Directory Audits description: Operations for accessing audit log data - name: Audit Logs Provisioning description: Operations for accessing audit log data - name: Audit Logs Sign Ins description: Operations for accessing audit log data components: schemas: AuditLogRoot: allOf: - $ref: '#/components/schemas/Entity' - title: auditLogRoot required: - '@odata.type' type: object properties: directoryAudits: type: array items: $ref: '#/components/schemas/DirectoryAudit' x-ms-navigationProperty: true provisioning: type: array items: $ref: '#/components/schemas/ProvisioningObjectSummary' x-ms-navigationProperty: true signIns: type: array items: $ref: '#/components/schemas/SignIn' x-ms-navigationProperty: true '@odata.type': type: string x-ms-discriminator-value: '#microsoft.graph.auditLogRoot' DirectoryAudit: allOf: - $ref: '#/components/schemas/Entity' - title: directoryAudit required: - '@odata.type' type: object properties: activityDateTime: pattern: ^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$ type: string description: Indicates the date and time the activity was performed. 
The Timestamp type is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $filter (eq, ge, le) and $orderby. format: date-time activityDisplayName: type: string description: 'Indicates the activity name or the operation name (examples: ''Create User'' and ''Add member to group''). For a list of activities logged, refer to Microsoft Entra audit log categories and activities. Supports $filter (eq, startswith).' additionalDetails: type: array items: $ref: '#/components/schemas/KeyValue' description: Indicates additional details on the activity. category: type: string description: 'Indicates which resource category is targeted by the activity. For example: UserManagement, GroupManagement, ApplicationManagement, RoleManagement. For a list of categories for activities logged, refer to Microsoft Entra audit log categories and activities.' correlationId: type: string description: Indicates a unique ID that helps correlate activities that span across various services. Can be used to trace logs across services. Supports $filter (eq). nullable: true initiatedBy: $ref: '#/components/schemas/AuditActivityInitiator' loggedByService: type: string description: 'Indicates information on which service initiated the activity (for example: Self-service Password Management, Core Directory, B2C, Invited Users, Microsoft Identity Manager, Privileged Identity Management). Supports $filter (eq).' nullable: true operationType: type: string description: 'Indicates the type of operation that was performed. The possible values include but are not limited to the following: Add, Assign, Update, Unassign, and Delete.' nullable: true result: anyOf: - $ref: '#/components/schemas/OperationResult' - type: object nullable: true description: 'Indicates the result of the activity. The possible values are: success, failure, timeout, unknownFutureValue.'
resultReason: type: string description: Indicates the reason for failure if the result is failure or timeout. nullable: true targetResources: type: array items: $ref: '#/components/schemas/TargetResource' description: Indicates information on which resource was changed due to the activity. Target Resource Type can be User, Device, Directory, App, Role, Group, Policy or Other. Supports $filter (eq) for id and displayName; and $filter (startswith) for displayName. '@odata.type': type: string x-ms-discriminator-value: '#microsoft.graph.directoryAudit' ProvisioningObjectSummary: allOf: - $ref: '#/components/schemas/Entity' - title: provisioningObjectSummary required: - '@odata.type' type: object properties: activityDateTime: pattern: ^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$ type: string description: Represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $filter (eq, gt, lt) and $orderby. format: date-time changeId: type: string description: Unique ID of this change in this cycle. Supports $filter (eq, contains). nullable: true cycleId: type: string description: Unique ID per job iteration. Supports $filter (eq, contains). nullable: true durationInMilliseconds: maximum: 2147483647 minimum: -2147483648 type: number description: Indicates how long this provisioning action took to finish. Measured in milliseconds. format: int32 nullable: true initiatedBy: anyOf: - $ref: '#/components/schemas/Initiator' - type: object nullable: true description: Details of who initiated this provisioning. Supports $filter (eq, contains). jobId: type: string description: The unique ID for the whole provisioning job. Supports $filter (eq, contains).
nullable: true modifiedProperties: type: array items: $ref: '#/components/schemas/ModifiedProperty' description: Details of each property that was modified in this provisioning action on this object. provisioningAction: anyOf: - $ref: '#/components/schemas/ProvisioningAction' - type: object nullable: true description: 'Indicates the activity name or the operation name. The possible values are: create, update, delete, stageddelete, disable, other and unknownFutureValue. For a list of activities logged, refer to Microsoft Entra activity list. Supports $filter (eq, contains).' provisioningStatusInfo: anyOf: - $ref: '#/components/schemas/ProvisioningStatusInfo' - type: object nullable: true description: Details of provisioning status. provisioningSteps: type: array items: $ref: '#/components/schemas/ProvisioningStep' description: Details of each step in provisioning. servicePrincipal: anyOf: - $ref: '#/components/schemas/ProvisioningServicePrincipal' - type: object nullable: true description: Represents the service principal used for provisioning. Supports $filter (eq) for id and name. sourceIdentity: anyOf: - $ref: '#/components/schemas/ProvisionedIdentity' - type: object nullable: true description: Details of source object being provisioned. Supports $filter (eq, contains) for identityType, id, and displayName. sourceSystem: anyOf: - $ref: '#/components/schemas/ProvisioningSystem' - type: object nullable: true description: Details of source system of the object being provisioned. Supports $filter (eq, contains) for displayName. targetIdentity: anyOf: - $ref: '#/components/schemas/ProvisionedIdentity' - type: object nullable: true description: Details of target object being provisioned. Supports $filter (eq, contains) for identityType, id, and displayName. targetSystem: anyOf: - $ref: '#/components/schemas/ProvisioningSystem' - type: object nullable: true description: Details of target system of the object being provisioned. 
Supports $filter (eq, contains) for displayName. tenantId: type: string description: Unique Microsoft Entra tenant ID. Supports $filter (eq, contains). nullable: true '@odata.type': type: string x-ms-discriminator-value: '#microsoft.graph.provisioningObjectSummary' SignIn: allOf: - $ref: '#/components/schemas/Entity' - title: signIn required: - '@odata.type' type: object properties: appDisplayName: type: string description: App name displayed in the Microsoft Entra admin center. Supports $filter (eq, startsWith). nullable: true appId: type: string description: Unique GUID that represents the app ID in the Microsoft Entra ID. Supports $filter (eq). nullable: true appliedConditionalAccessPolicies: type: array items: $ref: '#/components/schemas/AppliedConditionalAccessPolicy' description: Provides a list of conditional access policies that the corresponding sign-in activity triggers. Apps need more Conditional Access-related privileges to read the details of this property. For more information, see Permissions for viewing applied conditional access (CA) policies in sign-ins. clientAppUsed: type: string description: Identifies the client used for the sign-in activity. Modern authentication clients include Browser, modern clients. Legacy authentication clients include Exchange ActiveSync, IMAP, MAPI, SMTP, POP, and other clients. Supports $filter (eq). nullable: true conditionalAccessStatus: anyOf: - $ref: '#/components/schemas/ConditionalAccessStatus' - type: object nullable: true description: 'Reports status of an activated conditional access policy. The possible values are: success, failure, notApplied, and unknownFutureValue. Supports $filter (eq).' correlationId: type: string description: The request ID sent from the client when the sign-in is initiated. Used to troubleshoot sign-in activity. Supports $filter (eq). 
nullable: true createdDateTime: pattern: ^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$ type: string description: 'Date and time (UTC) the sign-in was initiated. Example: midnight on Jan 1, 2014 is reported as 2014-01-01T00:00:00Z. Supports $orderby, $filter (eq, le, and ge).' format: date-time deviceDetail: anyOf: - $ref: '#/components/schemas/DeviceDetail' - type: object nullable: true description: Device information from where the sign-in occurred; includes device ID, operating system, and browser. Supports $filter (eq, startsWith) on browser and operatingSystem properties. ipAddress: type: string description: IP address of the client used to sign in. Supports $filter (eq, startsWith). nullable: true isInteractive: type: boolean description: Indicates whether a sign-in is interactive. nullable: true location: anyOf: - $ref: '#/components/schemas/SignInLocation' - type: object nullable: true description: Provides the city, state, and country code where the sign-in originated. Supports $filter (eq, startsWith) on city, state, and countryOrRegion properties. resourceDisplayName: type: string description: Name of the resource the user signed into. Supports $filter (eq). nullable: true resourceId: type: string description: ID of the resource that the user signed into. Supports $filter (eq). nullable: true riskDetail: anyOf: - $ref: '#/components/schemas/RiskDetail' - type: object nullable: true description: 'The reason behind a specific state of a risky user, sign-in, or a risk event. The value none means that Microsoft Entra risk detection did not flag the user or the sign-in as a risky event so far. Supports $filter (eq). Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned hidden.'
riskEventTypes: type: array items: anyOf: - $ref: '#/components/schemas/RiskEventType' - type: object nullable: true riskEventTypes_v2: type: array items: type: string nullable: true description: 'The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue. Supports $filter (eq, startsWith).' riskLevelAggregated: anyOf: - $ref: '#/components/schemas/RiskLevel' - type: object nullable: true description: 'Aggregated risk level. The possible values are: none, low, medium, high, hidden, and unknownFutureValue. The value hidden means the user or sign-in wasn''t enabled for Microsoft Entra ID Protection. Supports $filter (eq). Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned hidden.' riskLevelDuringSignIn: anyOf: - $ref: '#/components/schemas/RiskLevel' - type: object nullable: true description: 'Risk level during sign-in. The possible values are: none, low, medium, high, hidden, and unknownFutureValue. The value hidden means the user or sign-in wasn''t enabled for Microsoft Entra ID Protection. Supports $filter (eq). Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned hidden.' riskState: anyOf: - $ref: '#/components/schemas/RiskState' - type: object nullable: true description: 'Reports status of the risky user, sign-in, or a risk event. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. Supports $filter (eq).' status: anyOf: - $ref: '#/components/schemas/SignInStatus' - type: object nullable: true description: Sign-in status. Includes the error code and description of the error (if a sign-in failure occurs). 
Supports $filter (eq) on errorCode property. userDisplayName: type: string description: Display name of the user that initiated the sign-in. Supports $filter (eq, startsWith). nullable: true userId: type: string description: ID of the user that initiated the sign-in. Supports $filter (eq). userPrincipalName: type: string description: 'User principal name of the user that initiated the sign-in. This value is always in lowercase. For guest users whose values in the user object typically contain #EXT# before the domain part, this property stores the value in both lowercase and the ''true'' format. For example, while the user object stores AdeleVance_fabrikam.com#EXT#@contoso.com, the sign-in logs store adelevance@fabrikam.com. Supports $filter (eq, startsWith).' nullable: true '@odata.type': type: string x-ms-discriminator-value: '#microsoft.graph.signIn' Entity: title: Entity type: object properties: id: type: string description: The unique identifier for the entity. ODataError: title: ODataError type: object required: - error properties: error: $ref: '#/components/schemas/MainError' MainError: title: MainError type: object required: - code - message properties: code: type: string description: Error code message: type: string description: Error message target: type: string description: Target of the error nullable: true details: type: array items: $ref: '#/components/schemas/ErrorDetail' innerError: $ref: '#/components/schemas/InnerError' ErrorDetail: title: ErrorDetail type: object required: - code - message properties: code: type: string message: type: string target: type: string nullable: true InnerError: title: InnerError type: object properties: request-id: type: string date: type: string format: date-time client-request-id: type: string ODataCountResponse: title: ODataCountResponse type: integer format: int32 description: The count of entities parameters: Top: name: $top in: query description: Show only the first n items style: form explode: false schema: 
minimum: 0 type: integer example: 50 Skip: name: $skip in: query description: Skip the first n items style: form explode: false schema: minimum: 0 type: integer Search: name: $search in: query description: Search items by search phrases style: form explode: false schema: type: string Filter: name: $filter in: query description: Filter items by property values style: form explode: false schema: type: string Count: name: $count in: query description: Include count of items style: form explode: false schema: type: boolean examples: AuditLogRootExample: value: id: 00000000-0000-0000-0000-000000000001 directoryAudits: - '@odata.type': '#microsoft.graph.directoryaudit' provisioning: - '@odata.type': '#microsoft.graph.provisioningobjectsummary' signIns: - '@odata.type': '#microsoft.graph.signin' '@odata.type': '#microsoft.graph.auditlogroot' AuditLogRootRequestExample: value: id: 00000000-0000-0000-0000-000000000001 directoryAudits: - '@odata.type': '#microsoft.graph.directoryaudit' provisioning: - '@odata.type': '#microsoft.graph.provisioningobjectsummary' signIns: - '@odata.type': '#microsoft.graph.signin' '@odata.type': '#microsoft.graph.auditlogroot' DirectoryAuditExample: value: id: 00000000-0000-0000-0000-000000000001 activityDateTime: '2024-01-15T10:30:00Z' activityDisplayName: Example Display Name additionalDetails: - {} category: string-value correlationId: 00000000-0000-0000-0000-000000000001 initiatedBy: {} '@odata.type': '#microsoft.graph.directoryaudit' DirectoryAuditRequestExample: value: id: 00000000-0000-0000-0000-000000000001 activityDateTime: '2024-01-15T10:30:00Z' activityDisplayName: Example Display Name additionalDetails: - {} category: string-value correlationId: 00000000-0000-0000-0000-000000000001 initiatedBy: {} '@odata.type': '#microsoft.graph.directoryaudit' ODataCountResponseExample: value: 42 ODataErrorExample: value: error: code: BadRequest message: The request is invalid. 
target: /resource details: - code: InvalidParameter message: Parameter value is invalid. target: parameterName innerError: request-id: 00000000-0000-0000-0000-000000000001 date: '2024-01-15T10:30:00Z' client-request-id: 00000000-0000-0000-0000-000000000002 ProvisioningObjectSummaryExample: value: id: 00000000-0000-0000-0000-000000000001 activityDateTime: '2024-01-15T10:30:00Z' changeId: 00000000-0000-0000-0000-000000000001 cycleId: 00000000-0000-0000-0000-000000000001 durationInMilliseconds: 0.0 initiatedBy: {} jobId: 00000000-0000-0000-0000-000000000001 '@odata.type': '#microsoft.graph.provisioningobjectsummary' ProvisioningObjectSummaryRequestExample: value: id: 00000000-0000-0000-0000-000000000001 activityDateTime: '2024-01-15T10:30:00Z' changeId: 00000000-0000-0000-0000-000000000001 cycleId: 00000000-0000-0000-0000-000000000001 durationInMilliseconds: 0.0 initiatedBy: {} jobId: 00000000-0000-0000-0000-000000000001 '@odata.type': '#microsoft.graph.provisioningobjectsummary' SignInExample: value: id: 00000000-0000-0000-0000-000000000001 appDisplayName: Example Display Name appId: 00000000-0000-0000-0000-000000000001 appliedConditionalAccessPolicies: - {} clientAppUsed: string-value conditionalAccessStatus: {} correlationId: 00000000-0000-0000-0000-000000000001 '@odata.type': '#microsoft.graph.signin' SignInRequestExample: value: id: 00000000-0000-0000-0000-000000000001 appDisplayName: Example Display Name appId: 00000000-0000-0000-0000-000000000001 appliedConditionalAccessPolicies: - {} clientAppUsed: string-value conditionalAccessStatus: {} correlationId: 00000000-0000-0000-0000-000000000001 '@odata.type': '#microsoft.graph.signin' confirmCompromisedAuditLogsSignInsRequestExample: value: requestIds: - 00000000-0000-0000-0000-000000000001 confirmSafeAuditLogsSignInsRequestExample: value: requestIds: - 00000000-0000-0000-0000-000000000001 dismissAuditLogsSignInsRequestExample: value: requestIds: - 00000000-0000-0000-0000-000000000001 responses: error: description: 
error content: application/json: schema: $ref: '#/components/schemas/ODataError' examples: ODataErrorExample: $ref: '#/components/examples/ODataErrorExample' ODataCountResponse: description: The count of the resource content: text/plain: schema: $ref: '#/components/schemas/ODataCountResponse' examples: ODataCountResponseExample: $ref: '#/components/examples/ODataCountResponseExample' SignInCollectionResponse: description: Retrieved collection content: application/json: schema: $ref: '#/components/schemas/SignInCollectionResponse'