Is it possible to query Office 365 Enterprise Audit Logs programmatically using Microsoft Graph?

Question

Is there a way to query Office 365 Enterprise Audit Logs programmatically using Microsoft Graph / Client. It is possible to manually query them in O365 Security & Compliance Center Page. https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c

I am specifically interested in audit logs that contains file uploaded to OneDrive, or file opened /modified events from users within the tenant.

Answer 1

Yes, it is possible to retrieve O365 activity logs from Microsoft Purview using Microsoft Graph :

• Create query (asynchronous) :https://learn.microsoft.com/en-us/graph/api/security-auditcoreroot-post-auditlogqueries?view=graph-rest-beta&tabs=http
• Get query status : https://learn.microsoft.com/en-us/graph/api/security-auditlogquery-get?view=graph-rest-beta&tabs=http
• Download log records : https://learn.microsoft.com/en-us/graph/api/security-auditlogquery-list-records?view=graph-rest-beta&tabs=http

The default retention period for Audit (Standard) has changed from 90 days to 180 days. Audit (Standard) logs generated before October 17, 2023 are retained for 90 days. Audit (Standard) logs generated on or after October 17, 2023 follow the new default retention of 180 days.

Answer 2

Check Office 365 Management Activity API

The Office 365 Management Activity API aggregates actions and events into tenant-specific content blobs, which are classified by the type and source of the content they contain. Currently, these content types are supported:

Audit.AzureActiveDirectory

Audit.Exchange

Audit.SharePoint

Audit.General (includes all other workloads not included in the previous content types)

DLP.All (DLP events only for all workloads)