View activity logs for application permissions

Microsoft Entra is a platform that allows you to create and manage applications for your organization. You can grant different permissions to your applications, such as accessing data, or performing actions. However, you might want to review the permissions that are granted to your applications from time to time, to ensure that they're appropriate and secure.

One way to review permissions granted to your apps is by using activity logs, which record the activities and events that occur in your Microsoft Entra applications. Activity logs help you to monitor the usage and performance of your applications, and to identify any potential issues or risks. By reviewing the activity logs, you can see what permissions your applications have and whether they're complying with your policies and expectations.

In this article, you:

• View activity logs to see API permission granting and removing activity for a specific application.
• View activity logs to see API permission granting and removing activity for all applications.
• Understand which audit logs are used to track granting and removing API permissions from app to app.

To view Activity Logs for applications, you need:

• A user account. If you don't already have one, you can create an account.
• One of the following roles: Reports Reader, Security Reader, Security Administrator, Global Reader

Only certain events recorded in the Activity Logs are needed to see application permission activity. To view all events using the Microsoft Entra admin center, Take the following steps:

1. Sign in to the Microsoft Entra admin center with at least a Reports reader role

2. Browse to Identity > Applications > Enterprise applications.

3. In the left-hand navigation underneath Activity, browse to Audit logs.

4. Filter the audit logs by using the information included in the Audit logs section to select only the needed logs to view permission activity for your applications.

5. Use Manage view on the top command bar to edit the columns shown. Select the Date column to view more detailed information per audit log.

It can be helpful to deep dive into the activity of a resource application to see which applications already have access through API permissions. For example, you might want to monitor the activity logs for the Microsoft Graph application, so you can see when permissions are granted for the resources it protects.

To view the activity logs for a resource application:

1. Sign in to the Microsoft Entra admin center with at least a Reports reader role

2. Browse to Identity > Applications > Enterprise applications.

3. Search for the resource application that owns the permission. For example, if you want to view which applications were awarded the Microsoft Graph Mail.Read permission in the last 30 days, search for Microsoft Graph.

4. In the left-hand navigation underneath Activity, browse to Audit logs.

5. Filter the audit logs by using the information included in the Audit logs section to select only the needed logs to view permission activity for your applications.

6. Use Manage view on the top command bar to edit the columns shown. Select the Date column to view more detailed information per audit log.

The following table outlines the scenarios and audit values available for the granting and revoking of permissions granted to apps.

• How to access Activity Logs through Microsoft Graph and PowerShell
• Microsoft Entra audit log categories and activities