Office 365 Management Activity API
Hi All,
In my previous Article Query M365 Audit Log i have compared Search-UnifiedAuditLog with the Preview Microsoft.Graph API.
I did not cover the Management Activity API - i will cover that now in this Article.
More Information:
- Office 365 Management Activity API reference
- Microsoft 365 Compliance audit log activities via O365 Management API - Part 1
- Microsoft 365 Compliance audit log activities via O365 Management API - Part 2
Entra App
I’ve created an Entra Application. You need to note down:
- AppID
- TenantID
I’ve uploaded a Certificate and created a Client Secret
Added the following Permission “API0s my organization uses” > “Office 365 Management APIs”
Added the Permissions
- ActivityFeed.Read
- ActivityFeed.ReadDlp
And finally addet Microsoft Graph and “Granted admin consent”
- AuditLog.Read.All
Test Script
I found the following Test Script
You need to modify the following Settings in the Script
Unblock the Script
Now Run the Script
.\Compliance-API.ps
The Result are the following JSON Files in the OutputPath
Audit.AzureActiveDirectory
Let’s have a look at the Audit.AzureActiveDirectory JSON File
$EntraID = Get-Content -Path C:\Temp\APILogs\Audit.AzureActiveDirectory_07-16-2024_10-05-42.json -Raw | ConvertFrom-Json
$EntraID[0]
Audit.Exchange
Let’s have a look at the Audit.Exchange JSON File
$EXO = Get-Content -Path C:\Temp\APILogs\Audit.Exchange_07-16-2024_10-05-42.json -Raw | ConvertFrom-Json
$EXO[7]
Audit.General
Let’s have a look at the Audit.General JSON File
$General = Get-Content -Path C:\Temp\APILogs\Audit.General_07-16-2024_10-05-42.json -Raw | ConvertFrom-Json
$General[0]
Audit.SharePoint
Let’s have a look at the Audit.SharePoint JSON File
$SPO = Get-Content -Path C:\Temp\APILogs\Audit.SharePoint_07-16-2024_10-05-42.json -Raw | ConvertFrom-Json
$SPO[0]
Splunk Add-on for Microsoft Office 365
There even exist a Splunk Add-on that uses this API
I find the Splunk Documentation is quite good
Regards
Andres Bohren
PowerShell Logo
Security Logo
