Reputation: 1
I am trying to fetch Office 365 audit logs from the Management Activity API. I am able to fetch the data from the subscriptions/content API after creating a subscription for the required content type.
Example:-
Query: https://manage.office.com/api/v1.0/{tenant-id}/activity/feed/audit/xxxxx$xxxxx$audit_sharepoint$Audit_SharePoint
Response:
[
    {
        "CreationTime": "2018-10-08T10:13:15",
        "Id": "xxxxx",
        "Operation": "FileDownloaded",
        "OrganizationId": "xxxxx",
        "RecordType": 6,
        "UserKey": "xxx|membership|[email protected]",
        "UserType": 0,
        "Version": 1,
        "Workload": "OneDrive",
        "ClientIP": "xx.xx.xx.xx",
        "ObjectId": "xxxxxxx",
        "UserId": "xxxxxx",
        "ApplicationId": "xxxxxx",
        "CorrelationId": "xxxxxx",
        "EventSource": "SharePoint",
        "ItemType": "File",
        "ListId": "xxxxx",
        "ListItemUniqueId": "xxxxx",
        "Site": "xxxxx",
        "UserAgent": "xxxxx",
        "WebId": "xxxxx",
        "SourceFileExtension": "jpg",
        "SiteUrl": "xxxxx",
        "SourceFileName": "xxxxx.jpg",
        "SourceRelativeUrl": "xxxxx/xxxxx/xxxxx"
    },
    {..},{..}
]
I need to get the logs for actions taken by a particular user or actions taken on a particular file. This is possible through the Audit search in Security and compliance center of MSGraph.
Is there a way through which the API filters its response based on UserId or ObjectId fields (a query parameter perhaps)?
Upvotes: 0
Views: 1586
Reputation: 11
Unfortunately, filtering by object ID is not supported yet by the Office Management API. This has been documented here - https://learn.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api
Please read the "Can I query the Management Activity API" query in the above documentation.
Upvotes: 0
Reputation: 59358
Unfortunately, filtering by the AuditRecord (content blob) UserId or ObjectId property is not supported via the Office 365 Management Activity API endpoint; only the following parameters are supported: contentType, startTime and endTime.
The workaround would be to filter results on the client side as demonstrated below:
Example
    // tenantId, contentId and accessToken must be defined by the caller;
    // run this inside an async function or an ES module so that await is valid.
    const requestUrl = `https://manage.office.com/api/v1.0/${tenantId}/activity/feed/audit/${contentId}$audit_sharepoint$Audit_SharePoint`;
    const options = {
        method: 'GET',
        headers: {
            "Content-Type": "application/json; charset=utf-8",
            "Authorization": "bearer " + accessToken
        }
    };
    const rawResponse = await fetch(requestUrl, options);
    const blobs = await rawResponse.json(); // all audit records in this content blob
    // client-side filter: keep only the records for one user
    const blobsByUser = blobs.filter(blob => {
        return blob.UserId === "[email protected]";
    });
Upvotes: 1
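The client-side workaround from the answer above, extended to a whole time window, as an added example that is not code from any of the posters: it lists content with the three supported parameters, follows the API's NextPageUri response header, downloads each blob's contentUri and filters by UserId and/or ObjectId locally. The function names, the injected fetchImpl parameter and the sample records are assumptions made for this example.

```javascript
const BASE = "https://manage.office.com/api/v1.0";

// Every filter field must equal the record's value (case-insensitive: this example's choice).
function matchesFilter(record, filter) {
  return Object.entries(filter).every(([field, wanted]) =>
    String(record[field] ?? "").toLowerCase() === String(wanted).toLowerCase());
}

async function getJson(url, accessToken, fetchImpl) {
  const res = await fetchImpl(url, { headers: { Authorization: "Bearer " + accessToken } });
  if (!res.ok) throw new Error(`HTTP ${res.status} for ${url}`);
  return { body: await res.json(), next: res.headers.get("NextPageUri") };
}

// List content blobs for the time window (the only server-side filters),
// follow NextPageUri paging, download each blob and filter records locally.
async function collectAuditRecords({ tenantId, accessToken, contentType,
                                     startTime, endTime, filter, fetchImpl = fetch }) {
  const query = new URLSearchParams({ contentType, startTime, endTime });
  let listUrl = `${BASE}/${tenantId}/activity/feed/subscriptions/content?${query}`;
  const hits = [];
  while (listUrl) {
    const page = await getJson(listUrl, accessToken, fetchImpl);
    for (const blob of page.body) {
      const { body: records } = await getJson(blob.contentUri, accessToken, fetchImpl);
      hits.push(...records.filter(r => matchesFilter(r, filter)));
    }
    listUrl = page.next;
  }
  return hits;
}

// Constructed offline stand-in for the API: two list pages, one blob each.
function makeFakeFetch() {
  const reply = (body, next = null) => ({ ok: true, status: 200, json: async () => body,
    headers: { get: name => (name === "NextPageUri" ? next : null) } });
  const blobs = {
    "https://example.invalid/blob1": [
      { Operation: "FileDownloaded", UserId: "alice@example.com", ObjectId: "https://example.invalid/a.jpg" },
      { Operation: "FileAccessed", UserId: "bob@example.com", ObjectId: "https://example.invalid/a.jpg" }],
    "https://example.invalid/blob2": [
      { Operation: "FileDeleted", UserId: "Alice@example.com", ObjectId: "https://example.invalid/b.jpg" }],
  };
  return async url => {
    if (blobs[url]) return reply(blobs[url]);
    if (url.includes("nextpage=1")) return reply([{ contentUri: "https://example.invalid/blob2" }]);
    return reply([{ contentUri: "https://example.invalid/blob1" }], `${BASE}/t/activity/feed/subscriptions/content?nextpage=1`);
  };
}
```

Against the real service, omit fetchImpl so the built-in fetch is used, and pass a filter such as { UserId: "..." } or { ObjectId: "..." }.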