Audit Logs queries from Microsoft Graph are long to respond

Hi @DamienCelle,

Welcome to Microsoft Q&A forum, and thank you very much for reaching out to us.

Based on your description, you are currently using the Microsoft Graph API beta endpoint (/beta/security/auditLog/queries) for audit logs. However, you mentioned that it is slower than expected and you are looking for more reliable alternatives. Kindly correct me if I am wrong.

Please note that as a Microsoft Q&A moderator, I do not have access to your environment configuration, but rest assured that I will assist you through my research and available resources.

Regarding the method you are using, kindly note that Microsoft states the beta endpoint is a preview API intended for testing and experimentation with new features before they are generally available. It is not recommended for production use because it can change without notice.

Based on my research, if you’re looking for alternatives to querying Microsoft 365 audit logs through Microsoft Graph, Microsoft offers these recommended approaches:

• Office 365 Management Activity API:

Microsoft strongly recommends using the Office 365 Management Activity API to retrieve details about user, admin, system, and policy actions across Microsoft 365 services.

Unlike a single large query, this API works by allowing you to subscribe to audit events and then pull the data in smaller, manageable chunks. It’s built for compliance scenarios, which makes it predictable and scalable for production environments.

Note that the process feels more like a continuous feed rather than a one-time request. You set up subscriptions for the workloads you care about, such as Exchange, SharePoint, or Teams, and the service delivers content blobs containing the logs. Your application can then process these blobs incrementally, reducing latency and improving reliability.

For more information, you can check out on this Microsoft Article here.

Additionally, if your Razor app is already hosted in Azure, you can pair this API with Azure Functions or storage for automated processing. Microsoft also provided a sample code for you to explore, feel free to check it out.

• Microsoft Purview Audit:

If your organization needs deeper visibility or near real-time access to audit data, Microsoft Purview Audit provides a way to stream audit events directly into an Azure Event Hub or Azure Storage account. This eliminates the need for periodic log pulls and enables your application to process data as it’s generated. Such an approach is well-suited for scenarios where timely insights are critical, like security monitoring or compliance dashboards.

Purview also provides REST APIs that let you query audit logs by time range, category, and other filters. You can start with smaller queries, such as a few days of data, and scale up to streaming if your requirements grow.

Additionally, Microsoft Purview Audit Premium offers higher bandwidth access to the Office 365 Management Activity API, enabling faster retrieval of audit data. Please note that this capability requires an E5 or Advanced Audit license.

For more information, you can check out on this Microsoft Article here.

Thank you very much for your time. If you have any additional questions or need further clarification, feel free to let me know. I’ll be happy to assist you further.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".     

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.