Announcing the preview of Graph Reports and Events API

We’re pleased to announce that Activity and Events Reporting data is now available, in preview, through the Azure AD Graph API. You may have seen some of this information already surfaced through the Azure Management Portal, under the Reports tab in the Active Directory extension. These reports and activity logs are now also available to developers through the Graph API with this release. For more details, check out the MSDN documentation here: Azure AD Reports and Events (Preview)

As with other applications that use the Graph API, access is granted by requesting Graph API permission scopes through the Azure Management Portal. To access reporting data, your application will need to either:

  • request the Read directory data delegated permission AND the user needs to be a company administrator, OR
  • in the case of application-only, the application needs to be given application permissions to Read directory data.

Example REST API calls

Here are a couple of examples for you, so you can see how easy it is to get this rich information. Note: since this is a preview feature, these queries are ONLY available using api-version=beta.

Viewing the list of reports

GET

https://graph.windows.net/contoso.com/reports?api-version=beta

HEADERS

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….

RESPONSE: 200

{
  "@odata.context":"https://graph.windows.net/contoso.com/$metadata#reports",
  "value":[
    { "Name":"auditEvents","LicenseRequired":"False" },
    { "Name":"accountProvisioningEvents","LicenseRequired":"False" },
    { "Name":"signInsFromUnknownSourcesEvents","LicenseRequired":"False" },
    { "Name":"signInsFromIPAddressesWithSuspiciousActivityEvents","LicenseRequired":"True" },
    { "Name":"signInsFromMultipleGeographiesEvents","LicenseRequired":"False" },
    { "Name":"signInsFromPossiblyInfectedDevicesEvents","LicenseRequired":"True" },
    { "Name":"irregularSignInActivityEvents","LicenseRequired":"True" },
    { "Name":"allUsersWithAnomalousSignInActivityEvents","LicenseRequired":"True" },
    { "Name":"signInsAfterMultipleFailuresEvents","LicenseRequired":"False" }
  ]
}

Viewing a specific report type

To view data in a specific report type, query /reports/<reportName>

GET

https://graph.windows.net/contoso.com/reports/auditEvents?api-version=beta

HEADERS

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….

RESPONSE: 200

{
  "@odata.context":"https://graph.windows.net/contoso.com/reports/auditEvents?api-version=beta",
  "value":[
    {
      "id":"BL2GR1RDS122.GRN001.msoprd.msft.net_4751480",
      "eventTime":"2015-05-13T19:02:01.8779138Z",
      "actor":"00000014-0000-0000-c000-000000000000",
      "action":"Add  User.",
      "target":"fpeeters@contosobuild.com",
      "actorDetail":"Other=a7e1a631-462a-4d9c-992d-5fcf04e94e4b;  SPN=00000014-0000-0000-c000-000000000000",
      "targetDetail":"UPN=fpeeters@contosobuild.com",
      "updatedProperties":null
    },{
      "id":"BL2GR1RDS122.GRN001.msoprd.msft.net_4751479",
      "eventTime":"2015-05-13T19:02:01.8779138Z",
      "actor":"00000014-0000-0000-c000-000000000000",
      "action":"Add  User.",
      "target":"lgundersen@contosobuild.com",
      "actorDetail":"Other=a7e1a631-462a-4d9c-992d-5fcf04e94e4b;  SPN=00000014-0000-0000-c000-000000000000",
      "targetDetail":"UPN=lgundersen@contosobuild.com",
      "updatedProperties":null
    },{
      "id":"BL2GR1RDS122.GRN001.msoprd.msft.net_4751477",
      "eventTime":"2015-05-13T19:02:01.8622897Z",
      "actor":"00000014-0000-0000-c000-000000000000",
      "action":"Add  User.",
      "target":"omakinen@contosobuild.com",
      "actorDetail":"Other=a7e1a631-462a-4d9c-992d-5fcf04e94e4b;  SPN=00000014-0000-0000-c000-000000000000",
      "targetDetail":"UPN=omakinen@contosobuild.com",
      "updatedProperties":null
    }
  ]
}

To view a report type by a date range

Most datetime fields are filterable. Use the OData $filter query option to query different intervals. For example:

GET

https://graph.windows.net/contoso.com/reports/auditEvents?api-version=beta&$filter=eventTime gt 2015-05-08 and eventTime lt 2015-05-11

Pretty simple – but if you want to find out more, check out our simple Report API Sample to see how to get all the reports as well as to filter the reports on dateTime. We also have a Reporting API getting started guide for simple REST calls. Using only REST calls, this API can easily be integrated into SIEM tools such as Splunk and ArcSight.
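As an added example (not part of the original post or of the Report API Sample it mentions), the Python below builds the date-filtered request URL shown above with the $filter expression percent-encoded, and flattens a report response into one JSON line per event for SIEM ingestion. The function names, the `seen` de-duplication set and the sample event are assumptions made for illustration; sending the request with a bearer token is left to your HTTP client.

```python
import json
from datetime import date
from urllib.parse import quote

GRAPH = "https://graph.windows.net"  # host used in the post's sample requests

def report_url(tenant, report, start=None, end=None):
    """Build /reports/<reportName>?api-version=beta with an optional eventTime window."""
    url = f"{GRAPH}/{quote(tenant, safe='')}/reports/{quote(report, safe='')}?api-version=beta"
    clauses = []
    if start:
        clauses.append(f"eventTime gt {start.isoformat()}")
    if end:
        clauses.append(f"eventTime lt {end.isoformat()}")
    if clauses:
        # Percent-encode the OData expression so its spaces are never sent raw.
        url += "&$filter=" + quote(" and ".join(clauses), safe="")
    return url

def split_detail(detail):
    """Turn 'Other=...;  SPN=...' into a dict; a null or empty detail gives {}."""
    pairs = (p.split("=", 1) for p in (detail or "").split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def to_siem_lines(body, seen):
    """One JSON line per new event; `seen` holds ids already forwarded,
    so overlapping polling windows do not produce duplicates."""
    lines = []
    for ev in json.loads(body).get("value", []):
        if ev["id"] in seen:
            continue
        seen.add(ev["id"])
        flat = {"time": ev["eventTime"], "id": ev["id"], "action": ev["action"],
                "actor": ev["actor"], "target": ev["target"]}
        for side in ("actor", "target"):
            for k, v in split_detail(ev.get(side + "Detail")).items():
                flat[f"{side}_{k}"] = v
        lines.append(json.dumps(flat, sort_keys=True))
    return lines

# Constructed sample in the shape of the auditEvents response above (values are made up).
SAMPLE = json.dumps({"value": [{
    "id": "constructed_1", "eventTime": "2015-05-09T10:00:00.0000000Z",
    "actor": "00000000-0000-0000-0000-000000000001", "action": "Add  User.",
    "target": "user1@contoso.example",
    "actorDetail": "Other=constructed-object-id;  SPN=00000000-0000-0000-0000-000000000001",
    "targetDetail": "UPN=user1@contoso.example", "updatedProperties": None}]})

if __name__ == "__main__":
    print(report_url("contoso.com", "auditEvents", date(2015, 5, 8), date(2015, 5, 11)))
    print("\n".join(to_siem_lines(SAMPLE, set())))
```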

Feedback

We'd love to hear from you.  Please give us feedback through our forums or through comments below.

Get rolling and rocking soon. Analyze activity logs to protect your users and optimize your app purchase and usage.