SOLVED

Access Office 365 Audit Logs

%3CLINGO-SUB%20id%3D%22lingo-sub-986263%22%20slang%3D%22en-US%22%3EAccess%20Office%20365%20Audit%20Logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-986263%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20written%20a%20Powershell%20script%20to%20retrieve%20Audit%20Logs%20for%20Power%20BI%2C%20and%20store%20in%20SQL%20for%20analysis.%20The%20script%20works%20fine%20with%20interaction%20(i.e.%20login%20with%20username%2Fpassword)%20but%20requires%20MFA.%20I%20cannot%20disable%20MFA%20for%20specific%20users%2C%20as%20we%20don't%20have%20AAD%20P2%20or%20Office%20365%20E5%2C%20so%20I%20thought%20I%20could%20use%20an%20app%20password.%20It%20seems%20that%20this%20won't%20work%20either.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20do%20I%20access%20the%20Audit%20Log%20data%2C%20programmatically%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-986263%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-989673%22%20slang%3D%22en-US%22%3ERe%3A%20Access%20Office%20365%20Audit%20Logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-989673%22%20slang%3D%22en-US%22%3E%3CP%3EUse%20the%20Management%20activity%20API%2C%20with%20a%20service%20principal%20or%20a%20client%20secret%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice%2Foffice-365-management-api%2Foffice-365-management-activity-api-reference%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice%2Foffice-365-management-api%2Foffice-365-management-activity-api-reference%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-989928%22%20slang%3D%22en-US%22%3ERe%3A%20Access%20Office%20365%20Audit%20Logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-989928%22%20slang%3D%22en-US%22%3EI%20did%20start%20down%20that%20path%2C%20but%20I%20couldn%E2%80%99t%20work%20out%20how%20the%20authentication%20works%20with%20the%20API.%20Perhaps%20you%20could%20help%20me%3F%3CBR%20%2F%3E%3CBR%20%2F%3EI%20have%20created%20an%20App%20Registration%20in%20Azure%2C%20but%20I%20cannot%20work%20out%20how%20to%20get%20an%20OAuth%20token%20to%20access%20this%20particular%20endpoint.%20I%20get%20various%20errors.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-990728%22%20slang%3D%22en-US%22%3ERe%3A%20Access%20Office%20365%20Audit%20Logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-990728%22%20slang%3D%22en-US%22%3EI%20was%20on%20the%20same%20boat%2C%20then%20thought....%20I%20should%20google%20(i%20mean%20BING!)%20'How%20to%20test%20Graph%20API%20with%20Postman'.%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20article%20walked%20me%20through%20how%20to%20set%20up%20the%20authentication%20process%2C%20you%20can%20even%20generate%20the%20code%20out%20of%20Postman.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fblogs.msdn.microsoft.com%2Faaddevsup%2F2018%2F05%2F21%2Fusing-postman-to-call-the-microsoft-graph-api-using-client-credentials%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.msdn.microsoft.com%2Faaddevsup%2F2018%2F05%2F21%2Fusing-postman-to-call-the-microsoft-graph-api-using-client-credentials%2F%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-990839%22%20slang%3D%22en-US%22%3ERe%3A%20Access%20Office%20365%20Audit%20Logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-990839%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F328428%22%20target%3D%22_blank%22%3E%40jerome317%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%20I%20have%20actually%20already%20followed%20that%20article%2C%20and%20couldn't%20get%20it%20to%20work%2C%20but%20now%20I've%20just%20done%20it%20again%2C%20and%20it%20seems%20to%20work!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20also%20need%20to%20access%20the%20Power%20BI%20API%2C%20but%20I%20cannot%20seem%20to%20get%20that%20to%20work%20either.%20Do%20you%20have%20any%20experience%20around%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-992250%22%20slang%3D%22en-US%22%3ERe%3A%20Access%20Office%20365%20Audit%20Logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-992250%22%20slang%3D%22en-US%22%3EI%20also%20need%20to%20access%20the%20Power%20BI%20API%2C%20but%20I%20cannot%20seem%20to%20get%20that%20to%20work%20either.%20Do%20you%20have%20any%20experience%20around%20this%3F%3CBR%20%2F%3E%3CBR%20%2F%3ESadly%20haven't%20done%20anything%20yet%20with%20PowerBI.%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

I have written a Powershell script to retrieve Audit Logs for Power BI, and store in SQL for analysis. The script works fine with interaction (i.e. login with username/password) but requires MFA. I cannot disable MFA for specific users, as we don't have AAD P2 or Office 365 E5, so I thought I could use an app password. It seems that this won't work either.

 

How do I access the Audit Log data, programmatically?

5 Replies
Highlighted

Use the Management activity API, with a service principal or a client secret: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api...

Highlighted
I did start down that path, but I couldn’t work out how the authentication works with the API. Perhaps you could help me?

I have created an App Registration in Azure, but I cannot work out how to get an OAuth token to access this particular endpoint. I get various errors.
Highlighted
Solution
I was on the same boat, then thought.... I should google (i mean BING!) 'How to test Graph API with Postman'.

This article walked me through how to set up the authentication process, you can even generate the code out of Postman.

https://blogs.msdn.microsoft.com/aaddevsup/2018/05/21/using-postman-to-call-the-microsoft-graph-api-...
Highlighted

@jerome317 

Thanks. I have actually already followed that article, and couldn't get it to work, but now I've just done it again, and it seems to work!

 

I also need to access the Power BI API, but I cannot seem to get that to work either. Do you have any experience around this?

 

Thanks

Highlighted
I also need to access the Power BI API, but I cannot seem to get that to work either. Do you have any experience around this?

Sadly haven't done anything yet with PowerBI.