Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Microsoft Entra provides an audit trail of all user and app activity in your tenant to help you track all activities in your tenant and also be compliant. These logs include both app and user sign in activity, and changes to the directory.
Microsoft Entra data retention policies governs the availability of these activity reports.
What are activity reports?
Microsoft Entra provides the following activity reports:
- Directory audit logs
- Custom security attribute audit logs
- Self-service sign-ups (Microsoft Entra External ID)
- Sign-ins
- Provisioning
- Audit activity types
- Sign-in events summary per app
- Sign-in events count per day
- Summarized sign-ins for a category
Available audit logs
Directory audit logs
The directory audit logs provide you with access to the history of every task performed in your tenant, either by a user or a service. Among others, the provided data enables you to address common scenarios such as:
- Who granted admin group access to a directory user?
- Which users are signing in to a recently acquired app?
- How many passwords resets were made within the directory?
Custom security attribute audit logs
Custom security attribute audit logs provide you with the history of activities related to custom security attributes, such as adding a new definition or assigning an attribute value to a user. Custom security attribute audit logs are separate from directory audit logs and have a different endpoint. To view custom security attribute audit logs, you must be assigned the Attribute Log Reader or Attribute Log Administrator role. By default, a Global Administrator doesn't have access to these audit logs.
Self-service sign-ups (Microsoft Entra External ID)
The sign-ups report helps you see all the sign-up attempts (failed and successful) in Microsoft Entra External ID.
Sign-ins
The sign-in logs help you determine who or what performed the tasks reported by directory audit logs. The logs include interactive user sign-ins, non-interactive user sign-ins, service principal sign-ins, and managed identity sign-ins.
The sign-ins report helps you answer questions like:
- What is the sign in pattern of a user?
- How many users signed in the last week?
- What's the status of these sign-ins?
Provisioning
The provisioning logs help you see all the actions performed by the Microsoft Entra provisioning service. The provisioning report helps you answer questions like:
- What groups were successfully created in ServiceNow?
- What roles were imported from Amazon Web Services?
- What users were unsuccessfully created from Workday?
Audit Activity Types
The auditActivityType provide you with a list of all available audit activity types and their corresponding service and category.
Sign In Events App Summary
The signInEventsAppActivity helps you see the total number of sign in events for a specific application in the past 30 days.
Sign In Events Summary
The signInEventsActivity helps you see the total number of sign in events for a specific day.
Summarized Sign In Events Summary
The summarizedSignIn helps you see the summary of sign-in event counts for specific categories grouped by user, application, IP address, and time window.
What can I do with activity reports in Microsoft Graph?
Here are popular requests for working with report data:
License requirements
Activity reports are available for features that you've licensed. If you have a license for a specific feature, you also have access to the reports. For more information about license requirements for the different activity reports, see Microsoft Entra audit logs: License and role requirements.