How to log calls to Graph API or Office 365 Management API

Question

I've been tasked with finding a solution for logging calls to Graph API on a specific AAD tenant. From what I've read, this isn't possible https://learn.microsoft.com/en-us/answers/questions/106246/logging-microsoft-graph-api-calls-from-an-applicat

The specific requirement is to log calls that search email messages in Exchange. I found that messages can also be searched via public API by using the Office 365 Management API (https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference). I couldn't find information regarding whether calls to the O365 Mangement API are logged.

Logging can (of course) happen before the call is sent to the public API, but this is not an acceptable solution in this case.

An example report would look like:

datetime            | user                      | Graph API url called
10/02/2023 15:20:32 | someone@somewhere.com     | GET https://graph.microsoft.com/beta/me/messages?$search="subject:something"
10/02/2023 15:20:35 | someoneelse@somewhere.com | GET https://graph.microsoft.com/beta/me/messages?$search="subject:something else"

I'm inclined to think this isn't possible, but I'll be glad if anyone can prove me wrong.

Any ideas?

Answer 1

I tried to reproduce the same in my environment and got the results as below:

Note that: It is not possible for logging calls to Graph API on a specific AAD tenant.

You can access Azure AD logs audit logs via Graph API like below:

GET https://graph.microsoft.com/beta/auditLogs/signIns

• Any Azure AD Activities from Graph API, it will be recorded in audit logs.
• Any Exchange Activities will be recorded in Exchange Online audit logs.
• Hence, it is not possible to enable auditing for all Graph API activity in one place.

Reference:

Logging Microsoft Graph Api calls from an Application by AmanpreetSingh-MSFT