Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Microsoft Graph Policy Logs provide details of resource policy evaluations from Microsoft Graph, including whether policies were applied, denied, or audited for API requests.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Audit, Security |
| Solutions | LogManagement |
| Basic log | Yes |
| Ingestion-time DCR support | No |
| Lake-only ingestion | Yes |
| Sample Queries | - |
Columns
| Column | Type | Description |
|---|---|---|
| AadTenantId | string | The Microsoft Entra tenant ID of the organization owning the resource. |
| ApiVersion | string | The Microsoft Graph API version used for the request: v1.0 or beta. |
| AppId | string | The application (client) ID of the Microsoft Entra app registration making the request. |
| ApplicablePoliciesCount | int | Number of policy assignments that were applicable to this specific request. Compare with PolicyDetailsCount (total matching assignments) to understand policy coverage. |
| AuditPoliciesCount | int | Number of applicable policy assignments that triggered an audit effect. |
| _BilledSize | real | The record size in bytes |
| ClientRequestId | string | The optional client-provided correlation ID from the client-request-id header. |
| DenyPoliciesCount | int | Number of applicable policy assignments that triggered a deny effect. |
| ErrorPoliciesCount | int | Number of policy assignments that encountered an error during evaluation, applicability check, or policy loading. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| Location | string | The Azure data center region that served the request (e.g., chinanorth2, chinaeast2). |
| OperationId | string | Correlation ID for the parent operation. For non-batch requests, equals RequestId. For $batch children, all share the parent request ID. Aligns with ActivityEvent OperationId. |
| PolicyDecision | string | High-level outcome of policy evaluation: deny (blocked), audit (non-compliant but allowed - what-if/dry-run), or compliant (no violations or no applicable policies). |
| PolicyDetails | dynamic | Full array of individual policy evaluation results, sorted by effect priority (deny first, then audit, then compliant). Each entry includes assignmentUniqueName, assignedPolicyDisplayName, appliedPolicyEffects, evaluationError, policyVersion, isCompliant, and isApplicable. May be truncated if the serialized array exceeds 16 KB. |
| PolicyDetailsCount | int | Total number of policy assignments evaluated. This reflects the original count before any truncation of PolicyDetails. |
| RequestId | string | Unique identifier for this request. For $batch child requests, each child gets a unique ID. Aligns with ActivityEvent RequestId. |
| RequestMethod | string | The HTTP method of the request: GET, POST, PATCH, or DELETE. |
| RequestUri | string | The full Microsoft Graph request URI including path and query parameters. |
| ServicePrincipalId | string | The object ID of the service principal for app-only calls. Empty for delegated calls. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TargetResourceId | string | The identifier of the target resource extracted from the request URI key segment. A single value for primary keys (e.g., a GUID), or comma-separated key=value pairs for alternate or compound keys. |
| TargetResourceName | string | Resource type short name for CRUD (e.g., user, application); bound action as bindingType/action (e.g., application/addKey). Presence of '/' distinguishes actions from resources. |
| TenantId | string | The Log Analytics workspace ID |
| TenantRegionScope | string | The region scope of the tenant (e.g., NA, EU, AS, AF, OC). |
| TimeGenerated | datetime | The date and time (UTC) when the policy evaluation occurred. |
| TotalPolicyEvaluationDurationMs | real | Total time in milliseconds spent evaluating all applicable policies for this request, including applicability checks and effect evaluations. |
| Type | string | The name of the table |
| UserId | string | The object ID of the user for delegated (user + app) calls. Empty for app-only calls. |