Introduction and configure Microsoft 365 Tenant

This blog series will show you how to use the Office 365 Management API, aka Microsoft 365 Audit Logs, with Microsoft Power Automate (Flow) and then write the logs to SharePoint.

The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Office/Microsoft 365 and Azure Active Directory activity logs. These are most commonly known as the M365 Audit Logs, which are available in any Microsoft/Office 365 tenancy.


In this blog series I will show you how to create a Flow to access the O365 Management Activity API and retrieve Audit logs for a specific workload i.e. MicrosoftFlow and then write the logs to a SharePoint list.

This blog post will set the scene and introduce the Office 365 Management API, then step you through setting up your Microsoft 365 tenant: creating an Azure AD app registration and then granting the app permission to the O365 Management API.

The blog series

NEW BLOG/UPDATED SOLUTION (deals with Pagination, refresh token & provided templates to deploy solution in Power Automate & Logic Apps)

The Basics – Office 365 Management Activity API aka Audit Logs

The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Office 365 and Azure Active Directory activity logs.

These events are available in your Microsoft 365 tenancy as Audit Logs via the web at https://protection.office.com/unifiedauditlog and are retained for 90 days in most tenants before being overwritten.

Here is a link to the Microsoft page with all the Audited Activities available in the Microsoft 365 Audit Logs.

The Office 365 Management Activity API is a REST web service that allows the Audit logs to be queried and downloaded in JSON format.

Setting up your Microsoft 365 Tenant

Ensure Unified Audit Logging is enabled in your Microsoft 365 Tenant

Audit Logging may need to be turned on in your Microsoft 365 Tenant. For instructions, see Turn Office 365 audit log search on or off.

Create an Azure AD App Registration

The Office 365 Management APIs use Azure AD to provide secure authentication to Microsoft 365 tenant data. To access the Office 365 Management APIs, you need to create an app registration in Azure AD, and as part of the configuration, you will specify the permission levels your app needs to access the APIs.

Don’t worry: there is no cost, no Azure subscription is needed, and there is no coding or other complexity involved in creating the app registration, other than getting your tenant admin to approve the permissions the app has to your M365 tenancy.

Sign in to the Azure AD management portal (https://aad.portal.azure.com/) using your Microsoft 365 credentials for the Microsoft 365 tenant you wish to use for audit logs. Then go to Azure Active Directory and select App registrations from the left-hand menu, or go directly to https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps.

Select New Registration from the App Registration page

Now enter a Name for the application i.e. Office 365 Management Activity API, select Accounts in this organizational directory only (the Redirect URI can be ignored as it is no longer necessary) and then click Register.

The registered app you just created will now be displayed – click on API permissions on the left hand menu

Click on the Add a permission button in the Configured permissions section

Select Office 365 Management API in the Request API permissions section.

Select Application permissions as the type of permissions your application requires. Then Select ActivityFeed.Read as the permission required and then select the Add permissions button.

The application is now configured with the permissions it needs to use the Office 365 Management APIs, but first it needs an admin to grant these permissions. A Global Administrator, Application Administrator or Cloud Application Administrator must explicitly grant your application these permissions. This grants the app permission to use the APIs to access your tenant's data. If you do not have the necessary role, please advise the admin to follow this link and provide them with the name of your App Registration to review and approve.

If you have the necessary Global Administrator, Application Administrator or Cloud Application administrator role click on the Grant admin consent to <tenant name> button.

Select Yes to grant consent for the requested permissions.

Ensure there is now a green tick in the Status column for the API permission (ActivityFeed.Read) that has just been granted.

Generate a new key/client secret for your application

Navigate to the main page for the App Registration you just created and make a note of the Application (client) ID and Directory (tenant) ID, as you will need these later to access the Office 365 Management API using the app just created. A client secret now needs to be generated for authentication to the APIs – click on Certificates & Secrets on the left-hand menu.

Click on the New Client Secret button in the Client secrets section

On the Add a client secret page enter a Description i.e. Secret then enter an Expiry for the client secret i.e. in 1 year, 2 years or Never and then click Add.

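IMPORTANT: Now make a note of the Client Secret created i.e. I5u]CK82jC4TcL0Q=f7Nh:vGOO]M[LA]. It is important that this is done now as once this window is closed the Client secret will no longer be visible. Keep it somewhere access-controlled such as a password manager or key vault, because the secret together with the client ID and tenant ID is all that is needed to read your tenant's audit logs as this app.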

Now your Azure AD App Registration is fully configured and can be used to access the Office 365 Management Activity API.
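A quick way to confirm the registration before building the flow, as an added example that is not part of the original series: request an app-only token with the client credentials grant and check that it carries the ActivityFeed.Read role granted above. It uses the Azure AD v1 token endpoint with the `https://manage.office.com` resource; the environment variable names and function names are assumptions made for this sketch.

```python
import base64, json, os, urllib.parse, urllib.request

RESOURCE = "https://manage.office.com"   # Office 365 Management API resource URI
REQUIRED_ROLE = "ActivityFeed.Read"      # application permission granted above

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for an OAuth2 client-credentials token request."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": RESOURCE,
    }).encode()
    return url, body

def fetch_token(tenant_id, client_id, client_secret):
    """POST the request to Azure AD and return the access token string."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=30) as resp:
        return json.load(resp)["access_token"]

def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is not verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_app_token(token, tenant_id):
    """Return a list of problems; an empty list means the registration is usable."""
    claims = jwt_claims(token)
    problems = []
    if str(claims.get("aud", "")).rstrip("/") != RESOURCE:
        problems.append(f"unexpected audience: {claims.get('aud')!r}")
    if claims.get("tid") != tenant_id:
        problems.append(f"token issued for tenant {claims.get('tid')!r}")
    if REQUIRED_ROLE not in claims.get("roles", []):
        problems.append(f"{REQUIRED_ROLE} missing from roles; admin consent not granted?")
    return problems

if __name__ == "__main__":
    tenant = os.environ.get("M365_TENANT_ID")
    if tenant:   # live check; variable names are assumptions, secret stays out of source
        token = fetch_token(tenant, os.environ["M365_CLIENT_ID"], os.environ["M365_CLIENT_SECRET"])
    else:        # offline demo on a constructed token that has no roles claim
        tenant = "00000000-0000-0000-0000-000000000000"
        seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
        token = ".".join([seg({"alg": "none"}), seg({"aud": RESOURCE, "tid": tenant}), "sig"])
    print(check_app_token(token, tenant) or "OK: token carries " + REQUIRED_ROLE)
```

A token that comes back without the role usually means the Grant admin consent step has not been completed for this app.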

Conclusion

If you’ve made it this far, you will have learnt more about the Office 365 Management API and then set up an Azure AD App Registration to allow permission for Power Automate to access the O365 Management API.

In the next section, Part Two, we will move on to Power Automate and I will show you how to generate the Access Token required for Power Automate to access the O365 Management API.

I hope you enjoyed this blog post. Please leave comments and feedback below.

This Post Has 4 Comments

  1. Johann Frias

    This is an amazing post, thank you very much.

  2. Steven Reid

    Great series!
    Has there been a change in the Office 365 Management APIs?
    At the Request API permissions step, I cannot see the ActivityReports.Read permission.

    1. Leon Armston

      Good spot Steven

      Mine has now changed to be named Deprecated_ActivityReports.Read

      Looks like it can now all be done under the Graph AuditLog.Read.All – will try in the next few weeks to try & rework my solution to handle this.
