Microsoft Entra ID, formerly known as Azure Active Directory (Azure AD), is Microsoft's cloud-based identity and access management (IAM) solution. It enables organizations to securely manage user identities and control access to applications, devices, and data across both cloud and on-premises environments.
Entra allows users to access multiple applications with one set of credentials, enhancing user experience and reducing password fatigue. Using MFA adds an extra layer of security by requiring additional verification methods beyond just a password. It also enables organizations to enforce access controls based on user location, device state, or risk level, ensuring that only authorized users can access sensitive resources.
Extra features provide risk-based conditional access and detect potential vulnerabilities affecting user identities. Note that the features available depend on the active license.
The following are endpoints in the Microsoft Graph REST API related to auditing and monitoring activities in Microsoft Entra ID.
| Report type | Query |
| --- | --- |
| Directory audits | auditLogs/directoryaudits |
| Sign-ins | auditLogs/signIns |
| Provisioning | auditLogs/provisioning |
These endpoints allow administrators and developers to monitor and audit activities within Microsoft Entra ID for security, compliance, and operational purposes.
Directory Audits – These logs capture changes to directory objects and configurations:
Sign-ins – Sign-in logs record attempts (successful or failed) to access apps and services, including details like user, device, location, and risk detections.
Provisioning – Provisioning logs track automated or manual account lifecycle events — creation, update, deactivation — across connected systems (e.g., HR apps, SaaS services).
This section explains creating an application using the Azure Log Analytics REST API. However, it is also possible to configure an existing application. If this is the case, skip this step.
In the Microsoft Entra ID panel, select App registrations. Then, select New registration.
Give the app a descriptive name, select the appropriate account type, and click Register.
The app is now registered.
Click on the application, go to the Overview section, and save the Application (client) ID for later authentication.
Select the Add a permission option in the API permissions section.
Search for "Microsoft Graph" and select the API.
Under Application permissions, select the permissions that align with your infrastructure. In this case, the AuditLog.Read.All permission will be granted. Then, click Add permissions.
Use an admin user to Grant admin consent for the tenant.
To use the Log Analytics API to retrieve the logs, we must generate an application key to authenticate to the Log Analytics API. Follow the steps below to generate the application key.
Select Certificates & secrets, then select New client secret to generate a key.
Give an appropriate description, set a preferred duration for the key, and then click Add.
Copy the key value. It will be used later for authentication.
Note: Copy the key before exiting this page, as it will only be displayed once. If you do not copy it before exiting the page, you will have to generate a fresh key.
Upload the key and ID of the application saved during the previous steps.
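To confirm that the registration, the AuditLog.Read.All consent, and the client secret work together before relying on them, the following added example (not part of the original article or of any product's own code) requests an app-only token with the OAuth 2.0 client-credentials flow and pages through auditLogs/signIns on Microsoft Graph. The tenant ID, client ID, and secret are placeholders, and the function names are hypothetical.

```python
import json
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"

def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token request for Microsoft Graph."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,          # Application (client) ID
        "client_secret": client_secret,  # key value copied once at creation
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, urllib.parse.urlencode(form).encode()

def http_json(url, data=None, token=None):
    """Default transport: POST when data is given, GET otherwise."""
    req = urllib.request.Request(url, data=data)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def fetch_sign_ins(token, since, transport=http_json):
    """Yield every sign-in record since `since`, following @odata.nextLink."""
    query = urllib.parse.urlencode(
        {"$filter": f"createdDateTime ge {since}"}, quote_via=urllib.parse.quote)
    url = f"{GRAPH}/auditLogs/signIns?{query}"
    while url:
        page = transport(url, token=token)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # absent on the last page

def failed_sign_ins(records):
    """Keep sign-ins whose status.errorCode is non-zero (0 means success)."""
    return [(r["createdDateTime"], r["userPrincipalName"], r["ipAddress"],
             r["status"]["errorCode"])
            for r in records if r.get("status", {}).get("errorCode", 0) != 0]

if __name__ == "__main__":
    # Placeholders: substitute the values saved during registration.
    url, body = token_request("<tenant-id>", "<client-id>", "<client-secret>")
    token = http_json(url, data=body)["access_token"]
    for row in failed_sign_ins(fetch_sign_ins(token, "2024-01-01T00:00:00Z")):
        print(row)
```

A 403 response from the sign-ins request usually means admin consent for AuditLog.Read.All has not been granted yet.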