When I enter the Security & Compliance page and search for the audit log, I see events that I expect, such as logon events and mailbox logins (mailbox audit mode is on). I was hoping to get the same functionality from the Graph API.
I created an application with the rights of the application "Reading directory" and can access the graphical API just fine. However, when I pull out the AuditEvent report, events like PasswordLogonInitialAuthUsingPassword and MailboxLogin are simply missing.
I went ahead and created another application using the Office Management API and after starting the subscription for Audit.Exchange and Audit.AzureActiveDirectory. I see all the events that I usually see in the web interface.
I might be wrong, but it looks like the Graph API is the future, so I would prefer to use this for my application. Is the above information available in the Graph API or should I use the activity management API? I am also interested in pulling out other reports, such as the following, which seems to be present only with the schedule:
- CompromisedCredentialsEvent
- IrregularSignInActivityEvent
- AllUsersWithAnomalousSignInActivityEvent
It seems to me that I'm missing something using the Graph API, so any guidance would be appreciated.
Sgt b source
share