Forum Discussion

underQualifried's avatar
underQualifried
Iron Contributor
Jul 14, 2026

Missing activity names from Audit Log documentation

We all know that the documentation team is A-tier and amazing at what they do and isn't just copy and pasting marketing materials. But I've noticed that some really obscure functionalities like 'user registered a device' or 'user joined a device' or about half the other things a user can do, are not documented on this list of activity names. The ironically named 'friendly' list doesn't work. So I actually can't audit the unfamiliar devices under our tenants? 

It appears that this KB is actually locked down, so more can't be added when they are discovered. 

How are we supposed to use the tool Microsoft has forced everyone towards, when the Documentation team is too bad to document anything, so they outsource it to the community (Microsoft victims), but then they lock down contributions (presumably, because they have some metric that keeps them from being useful - atleast based on my interactions with them). 

Documentation seems to be a massive fail on Microsoft's part. How did it get this way? Is there a reliable way of finding the activity name - one that ISN'T some preview Graph endpoint that I can't teach my techs to use, because I'm not teaching my techs to program? 

1 Reply

  • Hello underQ,

    I agree that this can be frustrating, especially when you're trying to build reliable monitoring or automation around audit events. One approach I've found helpful is to generate the activity yourself in a test tenant and immediately query the Microsoft Purview Audit logs or Microsoft Graph Audit Logs API to capture the exact Operation value. While it's not ideal, it's often the quickest way to validate undocumented or newly introduced activities. Another option is to stream audit logs into Microsoft Sentinel, Log Analytics, or a SIEM and maintain an internal lookup of observed operation names. In larger environments, that tends to become more reliable than relying solely on the published documentation, especially since new workloads and audit events are introduced regularly.

    I do agree it would be beneficial if Microsoft maintained a more comprehensive and continuously updated catalog of audit activity names, particularly for organizations that depend on these values for compliance reporting, alerting, and automation.