How to analyze activity logs with Microsoft Graph

The Microsoft Entra reporting APIs provide you with programmatic access to the data through a set of REST APIs. You can call these APIs from many programming languages and tools.

This article describes how to analyze Microsoft Entra activity logs with Microsoft Graph PowerShell.

Prerequisites

  • A working Microsoft Entra tenant with a Microsoft Entra ID P1 or P2 license associated with it.
  • To consent to the required permissions, you need the Privileged Role Administrator role.

Access reports using Microsoft Graph PowerShell

You can use PowerShell to access the Microsoft Entra reporting API. For more information, see Microsoft Graph PowerShell overview.

Microsoft Graph PowerShell cmdlets:
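
The following is an added example, not part of the original article: it summarizes failed sign-ins per user from records shaped like the output of `Get-MgAuditLogSignIn`. The helper name `Get-FailedSignInSummary`, the `New-SampleSignIn` builder, the threshold, and the sample records (users, IP addresses, timestamps) are assumptions constructed for illustration; the live query is shown in the leading comments.

```powershell
# Live use needs the Microsoft.Graph.Reports module and consent to AuditLog.Read.All:
#   Connect-MgGraph -Scopes 'AuditLog.Read.All'
#   $since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
#   $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
#   $signIns | Get-FailedSignInSummary

function Get-FailedSignInSummary {
    # Hypothetical helper: per-user count of failed sign-ins, distinct source IPs, last failure.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $SignIn,
        [int] $MinFailures = 3
    )
    begin { $failed = [System.Collections.Generic.List[object]]::new() }
    process {
        # Status.ErrorCode is 0 for a successful sign-in; any other value is a failure.
        if ($SignIn.Status.ErrorCode -ne 0) { $failed.Add($SignIn) }
    }
    end {
        $failed | Group-Object UserPrincipalName |
            Where-Object Count -ge $MinFailures |
            ForEach-Object {
                [pscustomobject]@{
                    User        = $_.Name
                    Failures    = $_.Count
                    DistinctIPs = @($_.Group.IpAddress | Sort-Object -Unique).Count
                    ErrorCodes  = @($_.Group.Status.ErrorCode | Sort-Object -Unique) -join ','
                    LastFailure = $_.Group | Sort-Object CreatedDateTime |
                                  Select-Object -Last 1 -ExpandProperty CreatedDateTime
                }
            } | Sort-Object Failures -Descending
    }
}

# Constructed sample records (not real log data) so the function can be tried offline.
function New-SampleSignIn($Upn, $Ip, $Time, $Code) {
    [pscustomobject]@{
        UserPrincipalName = $Upn; IpAddress = $Ip; CreatedDateTime = [datetime]$Time
        Status            = [pscustomobject]@{ ErrorCode = $Code }
    }
}
$sample = @(
    New-SampleSignIn 'alice@contoso.example' '203.0.113.10' '2024-05-01T08:00:00Z' 50126
    New-SampleSignIn 'alice@contoso.example' '203.0.113.10' '2024-05-01T08:00:05Z' 50126
    New-SampleSignIn 'alice@contoso.example' '198.51.100.7' '2024-05-01T08:01:00Z' 50126
    New-SampleSignIn 'bob@contoso.example'   '192.0.2.44'   '2024-05-01T09:00:00Z' 50126
    New-SampleSignIn 'bob@contoso.example'   '192.0.2.44'   '2024-05-01T09:00:30Z' 0
)
$sample | Get-FailedSignInSummary -MinFailures 3 | Format-Table -AutoSize
```

If the live `Get-MgAuditLogSignIn` call fails, the Common errors section below lists the licensing, role and permission causes.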

Common errors

Error: Neither tenant is B2C or tenant doesn't have premium license: Accessing sign-in reports requires a Microsoft Entra ID P1 or P2 license. If you see this error message while accessing sign-ins, make sure that your tenant is licensed with a Microsoft Entra ID P1 license.

Error: User isn't in the allowed roles: If you see this error message while trying to access audit logs or sign-ins using the API, make sure that your account is part of the Security Reader or Reports Reader role in your Microsoft Entra tenant.

Error: Application missing Microsoft Entra ID 'Read directory data' or 'Read all audit log data' permission: The application must have either the AuditLog.Read.All or Directory.Read.All permission to access the activity logs with Microsoft Graph.