How to analyze activity logs with Microsoft Graph
The Microsoft Entra reporting APIs provide you with programmatic access to the data through a set of REST APIs. You can call these APIs from many programming languages and tools.
This article describes how to analyze Microsoft Entra activity logs with Microsoft Graph PowerShell.
Prerequisites
- For license and role requirements, see Microsoft Entra monitoring and health licensing.
- To consent to the required permissions, you need the Privileged Role Administrator role.
Access reports using Microsoft Graph PowerShell
You can use PowerShell to access the Microsoft Entra reporting API. For more information, see Microsoft Graph PowerShell overview.
Microsoft Graph PowerShell cmdlets:
- Audit logs: Get-MgAuditLogDirectoryAudit
- Sign-in logs: Get-MgAuditLogSignIn
- Explore the full list of reporting-related Microsoft Graph PowerShell cmdlets.
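The following example is added here and is not part of the original article. It uses the two cmdlets above to surface repeated failed sign-ins per user and IP address and to list recent role management changes. The 24-hour lookback and the failure threshold of 10 are assumptions to tune for your tenant.

```powershell
# Added example, not from the original article.
# Requires the Microsoft.Graph.Authentication and Microsoft.Graph.Reports modules.
# AuditLog.Read.All is one of the permissions this page names for reading activity logs.
Connect-MgGraph -Scopes 'AuditLog.Read.All'

# Assumptions: 24-hour lookback and 10 failures per user/IP pair.
$since     = (Get-Date).ToUniversalTime().AddDays(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
$threshold = 10

# Restrict the time range server-side, then keep failures only
# (a Status.ErrorCode of 0 means the sign-in succeeded).
$failed = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.Status.ErrorCode -ne 0 }

# Repeated failures for the same account from the same address.
$failed |
    Group-Object UserPrincipalName, IpAddress |
    Where-Object Count -ge $threshold |
    Sort-Object Count -Descending |
    ForEach-Object {
        $times = $_.Group.CreatedDateTime | Measure-Object -Minimum -Maximum
        [pscustomobject]@{
            User       = $_.Group[0].UserPrincipalName
            IpAddress  = $_.Group[0].IpAddress
            Failures   = $_.Count
            ErrorCodes = ($_.Group.Status.ErrorCode | Sort-Object -Unique) -join ','
            FirstSeen  = $times.Minimum
            LastSeen   = $times.Maximum
        }
    } | Format-Table -AutoSize

# Role management changes in the same window, with who initiated each one.
Get-MgAuditLogDirectoryAudit -All `
    -Filter "activityDateTime ge $since and category eq 'RoleManagement'" |
    Sort-Object ActivityDateTime |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{ Name = 'InitiatedBy'; Expression = {
            if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
            else { $_.InitiatedBy.App.DisplayName }
        } },
        @{ Name = 'Targets'; Expression = { $_.TargetResources.DisplayName -join '; ' } } |
    Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```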
Common errors
Error: Neither tenant is B2C or tenant doesn't have premium license: Accessing sign-in reports requires a Microsoft Entra ID P1 or P2 license. If you see this error message while accessing sign-ins, make sure that your tenant is licensed with a Microsoft Entra ID P1 license.
Error: User isn't in the allowed roles: If you see this error message while trying to access audit logs or sign-ins using the API, make sure that your account is part of the Security Reader or Reports Reader role in your Microsoft Entra tenant.
Error: Application missing Microsoft Entra ID 'Read directory data' or 'Read all audit log data' permission: The application must have either the AuditLog.Read.All or Directory.Read.All permission to access the activity logs with Microsoft Graph.