How to get the AzureAD AuditLog with the MS Graph API and PowerShell

Audit logs in Azure AD

Azure AD contains a lot of audit logging.
All kinds of audit logs are written in Azure AD, which are stored for 90 days by default.
You can call these logs with the Microsoft Graph API.

In the blog below I'm going to explain how to get the audit logs of the last 90 days from your Azure AD tenant.


Before we can start…

We need the following:


PowerShell module Optimized.Mga

I made the Optimized.Mga module myself.
If you have feedback for me, you can leave a comment on this post, or on Github.


AzureAD registered application

Not sure how to get started with an AzureAD registered application for the Microsoft Graph API?

I wrote a page for this which you can find here:
How to start with Microsoft Graph in PowerShell by Bas Wijdenes

Microsoft also created a blog post about how to get started with an AzureAD registered application for the Microsoft Graph API.

You can find that here:
Manage app registration and API permission for Microsoft Graph notifications – Microsoft Graph | Microsoft Docs


Let’s get started with Optimized.Mga in PowerShell

Getting the Authorization token from Microsoft Graph API

Open PowerShell and copy the cmdlet below.
Update the ApplicationID, ClientSecret and Tenant with the correct values for your app registration.

Running the cmdlet creates an authorization token that the other cmdlets (like Get-Mga) automatically use in the background.

$null = Connect-Mga -ClientSecret 'XXXX' -ApplicationID 'b5954443-ad10-4d1c-8cbc-dc05268a1858' -Tenant 'bwit.onmicrosoft.com'

If everything went well, you have received a message stating that you are logged in.


Let’s start by getting the audit log types from Azure AD

For the next steps we will use the Microsoft Graph API official docs from Microsoft.
We will use the following page:
List directoryAudits – Microsoft Graph v1.0 | Microsoft Docs

The relative URL indicated is:
/auditLogs/directoryaudits

The endpoint of the Graph API is https://graph.microsoft.com/v1.0

So the full URL we’re going to use will be:
https://graph.microsoft.com/v1.0/auditLogs/directoryAudits

With this URL we should now be getting information back from the API so let’s test that.

Get-Mga -URL 'https://graph.microsoft.com/v1.0/auditLogs/directoryAudits'

id                  : Directory_d83275e4-358b-4cc4-885b-627ec183d629_OSF8T_338747073
category            : ApplicationManagement
correlationId       : d83275e4-358b-4cc4-885b-627ec183d629
result              : success
resultReason        :
activityDisplayName : Update service principal
activityDateTime    : 2021-12-07T23:03:27.0343377Z
loggedByService     : Core Directory
operationType       : Update
initiatedBy         : @{user=; app=}
targetResources     : {@{id=abea8b23-eca2-4b67-8578-cf552d473623; displayName=Microsoft Intune; type=ServicePrincipal; userPrincipalName=; groupType=; modifiedProperties=System.Object[]}}
additionalDetails   : {@{key=AppId; value=0000000a-0000-0000-c000-000000000000}}

When you run the command in a fairly large environment, you will notice that Get-Mga repeats the request many times.

That's because by default you retrieve 20 objects per request, and Get-Mga keeps following the paging links until it has everything.
You can reduce the number of round trips with the query parameter $top.
The query looks like this: $top=999, where 999 is the maximum page size.

You start queries with ? or &, so the full URL now becomes: 'https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$top=999'

For more about queries click here:
Use query parameters to customize responses – Microsoft Graph | Microsoft Docs

Let’s try the cmdlet below again with the query.

$Audit = Get-Mga -URL 'https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$top=999'

The $Audit variable now contains an array of all the audit log entries in your environment.
To see the unique audit log types, run the following command:

$Audit | Select-Object ActivityDisplayName -Unique

activityDisplayName
-------------------
Update StsRefreshTokenValidFrom Timestamp
Reset user password
Consent to application
Add app role assignment grant to user
Add app role assignment to service principal
Update application
Update service principal
Update application – Certificates and secrets management
Add service principal

How can I filter on specific Audit Logs?

For example, when someone has changed the password of a service account, you can filter on the activity 'Reset user password'.

Filter in the Graph API is also a query parameter:
Use query parameters to customize responses – Microsoft Graph | Microsoft Docs

The filter in PowerShell will be:

$Filter = "activityDisplayName eq 'Reset user password'"

The complete script will be the one below.

# OData filter on the activity type
$Filter = "activityDisplayName eq 'Reset user password'"

# Single quotes keep $top and $Filter literal; -f inserts the filter value
$URL = 'https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$top=999&$Filter={0}' -f $Filter

# Get-Mga reuses the token created by Connect-Mga
Get-Mga -URL $URL

This way you can quickly go through all logs when an issue has arisen.
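As an added example (not code from the original post or from the Optimized.Mga module), the same Connect-Mga and Get-Mga cmdlets can be combined with a date window and a bit of flattening to answer the question "who reset which user's password in the last 30 days". It assumes the app registration has the permissions the List directoryAudits docs page lists for this call (AuditLog.Read.All and Directory.Read.All), that the placeholders are replaced with your own values, and that service accounts follow a 'svc-' naming convention.

```powershell
# Added example, not part of the original post or the Optimized.Mga module.
# Reuses the Connect-Mga / Get-Mga cmdlets shown above; replace the placeholders.
$null = Connect-Mga -ClientSecret 'XXXX' -ApplicationID '<your-app-id>' -Tenant '<your-tenant>.onmicrosoft.com'

# Only look at the last 30 days; Graph expects an ISO 8601 UTC timestamp.
$Since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# OData filter: activity type AND a date window.
$Filter = "activityDisplayName eq 'Reset user password' and activityDateTime ge $Since"

# Single quotes keep $top and $filter literal for PowerShell; the filter value is
# URL-encoded so its spaces and quotes survive the trip to Graph.
$URL = 'https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$top=999&$filter={0}' -f [uri]::EscapeDataString($Filter)

$Audit = Get-Mga -URL $URL

# Flatten the nested initiatedBy / targetResources objects into one row per event.
$Report = foreach ($Entry in $Audit) {
    [pscustomobject]@{
        When        = $Entry.activityDateTime
        # A reset is done either by a user or by an application (e.g. an SSPR flow).
        Actor       = $(if ($Entry.initiatedBy.user.userPrincipalName) { $Entry.initiatedBy.user.userPrincipalName } else { $Entry.initiatedBy.app.displayName })
        Target      = ($Entry.targetResources | Select-Object -First 1).userPrincipalName
        Result      = $Entry.result
        Correlation = $Entry.correlationId   # handy for cross-referencing sign-in logs
    }
}

$Report | Sort-Object When -Descending | Format-Table -AutoSize

# Resets of service accounts deserve a closer look (assumed 'svc-' naming convention).
$Report | Where-Object { $_.Target -like 'svc-*' }
```

The correlationId column is the value you can use to find the matching entries in other Azure AD logs when you investigate one of these resets.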

Published by

Bas Wijdenes

My name is Bas Wijdenes and I work as a PowerShell DevOps Engineer. In my spare time I write about interesting stuff that I encounter during my work.
