Generate Office 365 Management Activity API Access Token


This post is a continuation of Office 365 Management Activity API with Power Automate – Part One and is part of a three part series. This blog series will show you how to use the Office 365 Management API aka Microsoft 365 Audit Logs with Microsoft Power Automate (Flow) then write the logs to SharePoint.

This blog post will show you how to generate an Office 365 Management Activity API Access token with Power Automate (Flow) that is later needed to authenticate and download M365 Audit Logs.

I searched everywhere and could not seem to find any working examples for Power Automate so I decided to translate the PowerShell examples on the Microsoft page: Troubleshooting the Office 365 Management Activity API into a Flow.

The blog series

NEW BLOG/UPDATED SOLUTION (deals with Pagination, refresh token & provided templates to deploy solution in Power Automate & Logic Apps)

Creating the Flow in Power Automate


Ensure Part One has been followed to obtain the following details from your Microsoft 365 tenancy

  • Application (client) ID
  • Application Client Sectret
  • Directory (tenant) ID

NOTE: This solution requires a HTTP action in Power Automate which is a premium connector and will require a Power Automate Premium Licence. Alternatively this solution could be created in Azure Logic Apps where the HTTP connector is standard and does not require a premium licence. Azure Logic Apps is a consumption based billing service which requires an Azure subscription in order to build and create logic apps in Azure.

Open Power Automate

Open Power Automate by going to and signing in. Go to My flowsNewScheduled–from blank

Enter a name for the flow i.e “Get Office 365 Management Activity API Logs” and enter a schedule for the Flow to run in this case I will do a daily Flow. When finished click Create.

In the new Flow you have just created add three Compose Actions by selecting the Next Step button then in the Choose an action menu type “compose” and then select the Compose action

Add three Compose actions for Tenant ID, Client ID and Client Secret. Then enter in the values for obtained for Tenant ID, Client ID and Client Secret. from Part One. I have blurred out the details for my Tenant for security reasons.

Next add a HTTP action by selecting the Next Step button and then searching for HTTP and selecting the HTTP action.

NOTE: the HTTP action is a premium action in Power Automate so requires a premium licence.

In the HTTP action rename the action to HTTP – Get Token. Change the method to POST. In the URI column type:

then add the Compose action value for Tenant ID to URI

then add to the URI

Add in Headers


In the body column add

then add the Compose action value Client ID to body

then add to the body column

then add the Compose action value Client Secret to the body value

then finally add to the body value add

You have now completed the HTTP – Get Token action and it should look like the below image:

Now we are going to Save the Flow and Test to see if an Access Token is generated.

Now in the Test Flow menu select I’ll perform the trigger action and then select Save & Test

Select Run Flow

The Flow will now run – it should take a couple of seconds to Run so click Done to be taken to the results page.

The Results page for the Flow should now be displayed with 5 green ticks and a mesaage indicating Your flow ran successfully. Click on the bottom HTTP action to expand it

The access_token is now generated and it can be viewed in the Body in the OUTPUTS section.

We now need to extract this access_token with the body section for use with Flow. Go into the OUTPUTS Body section and place your cursor in there then press CtrlA to select all of the JSON in the body section and then copy this to your clipboard with CtrlC

Next click on Edit to edit the Flow

Now we are going to add to the Flow a Parse JSON action by clicking the +New Step button then typing in parse in the Choose an action menu then selecting the Parse JSON action.

In the Parse JSON action click Generate from sample

Paste in the Sample JSON Payload which is the OUTPUTS Body we just copied to the clipboard from the Flow Results. Then click Done.

The schema will now be generated in the Schema box. Next add the Body field from the previous HTTP action to the Content column.

Start a Subscription using Power Automate


The Office 365 Management Activity API aggregates actions and events into tenant-specific content blobs, which are classified by the type and source of the content they contain. Currently, these content types are supported:

  • Audit.AzureActiveDirectory
  • Audit.Exchange
  • Audit.SharePoint
  • Audit.General (includes all other workloads not included in the previous content types)
  • DLP.All (DLP events only for all workloads)

For details about the events and properties associated with these content types, see Office 365 Management Activity API schema.

To begin retrieving content blobs for a tenant, you first a create subscription to the desired content types.

After you create a subscription, you can poll regularly to discover new content blobs that are available for download,

NOTE: When a subscription is created, it can take up to 12 hours for the first content blobs to become available for that subscription. The content blobs are created by collecting and aggregating actions and events across multiple servers and datacenters in Microsoft 365. 

Create a Subcription using HTTP action

As you can see with the five content types available – I am going use Audit.General for my example as I want to get information about the Workloads MicrosoftFlow, PowerApps, MicrosoftTeams etc but you can register to multiple content types if you would like to obtain SharePoint, Exchange, AzureAD logs etc.

Edit the Flow again and then add a HTTP action. Set the Method to be POST then in the URI field add

then add the Compose Tenant ID value to the URI field, then finally add to the URI field

Next add Headers for the HTTP request, see the table below for the values. Ensure for the Authorization header that the word Bearer is entered, then a SPACE (THIS IS IMPORTANT!) and then the access_token is added from Parse JSON. Next add the Content-Type header and it’s value application/json.

AuthorizationBearer <Parse JSON – access_token>

The completed HTTP action should look like this (note I have renamed the action to HTTP – Start Subscription

Now we are going to Test the Flow – click the Test button and then click I’ll perform the trigger action and then click Save & Test on the Test Flow menu

Now click on Run Flow

We can now see the results of the Flow which ran sucessfully – go to the HTTP – Start Subscription action and expand it. Check the OUTPUTS to see the Status code is 200 and the Body displays the contentType you wished to be enabled i.e. Audit.General and the status is enabled. The means the Subscription has been successfully enabled –

NOTE: it can take upto 12 hours for the subscription to retrieve the first content blob of logs for the ContentType so you may need to stop and come back later.

Completed Flow

Here the completed Flow for this post


If you’ve made it this far, you will have completed Part One and then in this blog article you will have started to create a Flow in Power Automate to subscribe to the Office 365 Management API to retrieve M365 Audit Logs

For the next section Part Three we will retrieve the Audit Logs and then filter the Audit Logs to only show an example M365 workload i.e. MicrosoftFlow . I will then show how to write these to a SharePoint list.

I hope you enjoyed this blog post. Please leave comments and feedback below.

This Post Has 9 Comments

  1. EricPS

    Hi Leon,

    Thank you for your brillant blog, I’ve browsed several pages and it’s very smart !

    I follow this one in particular to get sharepoint logs, but I’ve an error at the end of this second part.
    The flow just before the “parse JSON and HTTP – Start Subscription” is a success.
    Since I’ve add the two last actions, it say to me “Authorization has been denied for this request.”

    I waited more than 2 days to be sure it was not the “first content blob of logs” problem, but the error is still there.

    Do you have an idea of what’s happens to me ?

    Thnaks to you.


  2. Leon Armston

    Hi Eric

    Thanks for checking out this blog

    Have you changed references of contentType=Audit.General to contentType=Audit.SharePoint?

    Is an access token being generated in Parse JSON – Access Token?

    I’d check the outputs and inputs of every action to see what they are returning i.e. [] is an emtpy array returning nothing.



  3. EricPS

    Thank you to reply,

    Yes I changed the content.type with audit.sharepoint.
    And I don’t see someting wrong in outputs and inputs

    “token_type”: “Bearer”,
    “expires_in”: “3599”,
    “ext_expires_in”: “3599”,
    “expires_on”: “1615568401”,
    “not_before”: “1615564501”,
    “resource”: “”,
    “access_token”: “XXXXXXXXXXXXXXXXX”

    But I’ve the same problem than Steven Reid that posted in your first part.
    I hcannot see the ActivityReports.Read permission, At the Request API permissions step.

    As you said, i’ve put Graph AuditLog.Read.All .

    It can be the problem ?

  4. Leon Armston

    Hi Eric

    I’ve had a look and tested the steps as I’ve not used this solution for a while. I also registered a new app registration in Azure all it needs is one permission : ActivityFeed.Read as application permission in Office 365 Management API.

    I’ve made a copy of the template flow that you could download (Enter Tenant ID, Client ID and Client Secret) – it’s filters on workload SharePoint

    Hope this works for you

  5. EricPS

    Hi Leon,

    Sorry for not having answered earlier, I was busy.
    I’ve tried your flow and it’s a success !
    So thank you for your support.

    I want to compare both flows to find my problem ! 🙂

    Thanks again,
    Have a nice day

    1. Leon Armston

      Hi Eric

      That’s good to hear that you were able to get it working with my template.

      Good luck with developing your solution and glad to be on assistance.



  6. Carlos Hurtado

    Hey Leon. You did a fantastic job with these posts. I already finished step 2 and looking forward to continue the process after the 12 hours quiet period. 😉 I wonder if the entire procedure remains valid two years after posted, but so far, so good. All that I want is to have a log of the tenant users currently using Outlook. Yet, with all those schemas available, the automation potential is huge. Thank you very much.

    1. Joe Gallagher

      How did it workout for you I finished step 2 and I am just waiting for 12 hour period. if you try to run scripted before 12
      hours what happens

Leave a Reply