openapi: 3.0.3 info: title: Microsoft Office Integration Microsoft Office 365 Management Activity API description: >- The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Office 365 and Microsoft Entra activity logs. Customers and partners can use this information to create new or enhance existing operations, security, and compliance-monitoring solutions for the enterprise. The API relies on Microsoft Entra ID and the OAuth2 protocol for authentication and authorization. version: 1.0.0 contact: name: Microsoft url: https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference servers: - url: https://manage.office.com/api/v1.0/{tenantId}/activity/feed description: Enterprise plan variables: tenantId: description: The GUID of the tenant default: '{tenant_id}' - url: https://manage-gcc.office.com/api/v1.0/{tenantId}/activity/feed description: GCC government plan variables: tenantId: description: The GUID of the tenant default: '{tenant_id}' - url: https://manage.office365.us/api/v1.0/{tenantId}/activity/feed description: GCC High government plan variables: tenantId: description: The GUID of the tenant default: '{tenant_id}' - url: https://manage.protection.apps.mil/api/v1.0/{tenantId}/activity/feed description: DoD government plan variables: tenantId: description: The GUID of the tenant default: '{tenant_id}' security: - bearerAuth: [] paths: /subscriptions/start: post: operationId: startSubscription summary: Microsoft Office Integration Start a subscription description: >- Starts a subscription to the specified content type. If a subscription already exists, this operation can update webhook properties, enable a disabled webhook, re-enable an expired webhook, or remove a webhook. parameters: - name: contentType in: query required: true description: Must be a valid content type. schema: type: string enum: - Audit.AzureActiveDirectory - Audit.Exchange - Audit.SharePoint - Audit.General - DLP.All - name: PublisherIdentifier in: query required: false description: >- The tenant GUID of the vendor coding against the API. Used for throttling the request rate. schema: type: string format: uuid requestBody: required: false content: application/json: schema: type: object properties: webhook: $ref: '#/components/schemas/WebhookRequest' responses: '200': description: Subscription started or updated successfully. content: application/json: schema: $ref: '#/components/schemas/Subscription' tags: - Subscriptions /subscriptions/stop: post: operationId: stopSubscription summary: Microsoft Office Integration Stop a subscription description: Stops a subscription to the specified content type. parameters: - name: contentType in: query required: true schema: type: string enum: - Audit.AzureActiveDirectory - Audit.Exchange - Audit.SharePoint - Audit.General - DLP.All - name: PublisherIdentifier in: query required: false schema: type: string format: uuid responses: '200': description: Subscription stopped successfully. tags: - Subscriptions /subscriptions/list: get: operationId: listSubscriptions summary: Microsoft Office Integration List current subscriptions description: Returns a collection of the current subscriptions together with associated webhooks. parameters: - name: PublisherIdentifier in: query required: false schema: type: string format: uuid responses: '200': description: List of current subscriptions. content: application/json: schema: type: array items: $ref: '#/components/schemas/Subscription' tags: - Subscriptions /subscriptions/content: get: operationId: listAvailableContent summary: Microsoft Office Integration List available content description: >- Lists the content currently available for retrieval for the specified content type. Content is an aggregation of actions and events harvested from multiple servers across multiple datacenters. parameters: - name: contentType in: query required: true schema: type: string enum: - Audit.AzureActiveDirectory - Audit.Exchange - Audit.SharePoint - Audit.General - DLP.All - name: PublisherIdentifier in: query required: false schema: type: string format: uuid - name: startTime in: query required: false description: >- Start of the time range (UTC). Must be specified together with endTime and no more than 24 hours apart. schema: type: string format: date-time - name: endTime in: query required: false description: >- End of the time range (UTC). Must be specified together with startTime and no more than 24 hours apart. schema: type: string format: date-time responses: '200': description: List of available content blobs. headers: NextPageUri: description: URL to retrieve the next page of results if results are truncated. schema: type: string format: uri content: application/json: schema: type: array items: $ref: '#/components/schemas/ContentBlob' tags: - Subscriptions /subscriptions/notifications: get: operationId: listNotifications summary: Microsoft Office Integration List notifications description: >- Lists all notification attempts for the specified content type. Can return multiple notifications for the same content due to retries. parameters: - name: contentType in: query required: true schema: type: string enum: - Audit.AzureActiveDirectory - Audit.Exchange - Audit.SharePoint - Audit.General - DLP.All - name: PublisherIdentifier in: query required: false schema: type: string format: uuid - name: startTime in: query required: false schema: type: string format: date-time - name: endTime in: query required: false schema: type: string format: date-time responses: '200': description: List of notifications. headers: NextPageUri: description: URL to retrieve the next page of results. schema: type: string format: uri content: application/json: schema: type: array items: $ref: '#/components/schemas/Notification' tags: - Subscriptions /resources/dlpSensitiveTypes: get: operationId: listDlpSensitiveTypes summary: Microsoft Office Integration Retrieve resource friendly names description: >- Retrieves friendly names for objects in the data feed identified by GUIDs. Currently only DlpSensitiveType is supported. parameters: - name: PublisherIdentifier in: query required: false schema: type: string format: uuid - name: Accept-Language in: header required: false description: Language code for localized names (e.g. en-US, es). schema: type: string responses: '200': description: List of DLP sensitive type friendly names. content: application/json: schema: type: array items: $ref: '#/components/schemas/DlpSensitiveType' tags: - Resources components: securitySchemes: bearerAuth: type: http scheme: bearer bearerFormat: JWT description: OAuth2 JWT access token obtained from Microsoft Entra ID with ActivityFeed.Read claim. schemas: WebhookRequest: type: object properties: address: type: string format: uri description: Required HTTPS endpoint that can receive notifications. authId: type: string description: Optional string included as Webhook-AuthID header in notifications. expiration: type: string format: date-time description: Optional datetime after which notifications should no longer be sent. WebhookStatus: type: object properties: status: type: string enum: - enabled - disabled - expired address: type: string format: uri authId: type: string expiration: type: string format: date-time nullable: true Subscription: type: object properties: contentType: type: string status: type: string enum: - enabled - disabled webhook: $ref: '#/components/schemas/WebhookStatus' ContentBlob: type: object properties: contentType: type: string contentId: type: string description: Opaque string that uniquely identifies the content. contentUri: type: string format: uri description: URL to use when retrieving the content. contentCreated: type: string format: date-time contentExpiration: type: string format: date-time Notification: type: object properties: contentType: type: string contentId: type: string contentUri: type: string format: uri contentCreated: type: string format: date-time contentExpiration: type: string format: date-time notificationSent: type: string format: date-time notificationStatus: type: string DlpSensitiveType: type: object properties: id: type: string format: uuid description: GUID of the sensitive information type. name: type: string description: Friendly name of the sensitive information type. ActivityRecord: type: object description: A single audit activity record returned when retrieving content. properties: CreationTime: type: string format: date-time Id: type: string format: uuid Operation: type: string OrganizationId: type: string format: uuid RecordType: type: integer ResultStatus: type: string UserKey: type: string UserType: type: integer Workload: type: string ClientIP: type: string ObjectId: type: string UserId: type: string Error: type: object properties: error: type: object properties: code: type: string message: type: string tags: - name: Resources - name: Subscriptions