Office 365 Management Activity API with Power Automate – Part Two

Generate Office 365 Management Activity API Access Token

Overview

This post is a continuation of Office 365 Management Activity API with Power Automate – Part One and is part of a three part series. This blog series will show you how to use the Office 365 Management API aka Microsoft 365 Audit Logs with Microsoft Power Automate (Flow) then write the logs to SharePoint.

This blog post will show you how to generate an Office 365 Management Activity API Access token with Power Automate (Flow) that is later needed to authenticate and download M365 Audit Logs.

I searched everywhere and could not seem to find any working examples for Power Automate so I decided to translate the PowerShell examples on the Microsoft page: Troubleshooting the Office 365 Management Activity API into a Flow.

The blog series

Creating the Flow in Power Automate

Pre-requisites

Ensure Part One has been followed to obtain the following details from your Microsoft 365 tenancy

  • Application (client) ID
  • Application Client Secret
  • Directory (tenant) ID

NOTE: This solution requires a HTTP action in Power Automate which is a premium connector and will require a Power Automate Premium Licence. Alternatively this solution could be created in Azure Logic Apps where the HTTP connector is standard and does not require a premium licence. Azure Logic Apps is a consumption based billing service which requires an Azure subscription in order to build and create logic apps in Azure.

Open Power Automate

Open Power Automate by going to https://powerautomate.com and signing in. Go to My flows > New > Scheduled – from blank

Enter a name for the flow, e.g. “Get Office 365 Management Activity API Logs”, and enter a schedule for the Flow to run; in this case I will use a daily Flow. When finished, click Create.

In the new Flow you have just created add three Compose Actions by selecting the Next Step button then in the Choose an action menu type “compose” and then select the Compose action

Add three Compose actions for Tenant ID, Client ID and Client Secret. Then enter the values obtained for Tenant ID, Client ID and Client Secret from Part One. I have blurred out the details for my Tenant for security reasons.

Next add a HTTP action by selecting the Next Step button and then searching for HTTP and selecting the HTTP action.

NOTE: the HTTP action is a premium action in Power Automate so requires a premium licence.

In the HTTP action rename the action to HTTP – Get Token. Change the method to POST. In the URI column type:

https://login.microsoftonline.com/

then add the Compose action value for Tenant ID to URI

then add to the URI

/oauth2/token

Add in Headers

Content-Type: application/x-www-form-urlencoded

In the body column add

client_id=

then add the Compose action value Client ID to body

then add to the body column

&client_secret=

then add the Compose action value Client Secret to the body value

then finally add to the body value

&resource=https://manage.office.com&grant_type=client_credentials

You have now completed the HTTP – Get Token action and it should look like the below image:

Now we are going to Save the Flow and Test to see if an Access Token is generated.

Now in the Test Flow menu select I’ll perform the trigger action and then select Save & Test

Select Run Flow

The Flow will now run – it should take a couple of seconds to Run so click Done to be taken to the results page.

The Results page for the Flow should now be displayed with 5 green ticks and a message indicating Your flow ran successfully. Click on the bottom HTTP action to expand it.

The access_token is now generated and it can be viewed in the Body in the OUTPUTS section.

We now need to extract this access_token from the body section for use with Flow. Go into the OUTPUTS Body section, place your cursor in there, press Ctrl+A to select all of the JSON in the body section, and then copy it to your clipboard with Ctrl+C.

Next click on Edit to edit the Flow

Now we are going to add to the Flow a Parse JSON action by clicking the +New Step button then typing in parse in the Choose an action menu then selecting the Parse JSON action.

In the Parse JSON action click Generate from sample

Paste in the Sample JSON Payload which is the OUTPUTS Body we just copied to the clipboard from the Flow Results. Then click Done.

The schema will now be generated in the Schema box. Next add the Body field from the previous HTTP action to the Content column.
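The token request and Parse JSON steps above, as an added Python example that is not part of the original post. It builds the same POST without sending it and shows why the secret should be URL-encoded rather than concatenated raw into the body; the tenant, client and secret values and the sample response are constructed, and the helper names are hypothetical.

```python
import json
from urllib.parse import urlencode, parse_qs

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
RESOURCE = "https://manage.office.com"

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, headers, body) for the client-credentials POST."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,  # encoded, so '&', '+' and '=' survive
        "resource": RESOURCE,
        "grant_type": "client_credentials",
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL.format(tenant=tenant_id), headers, body

def naive_body(client_id, client_secret):
    """Raw concatenation, as typed piece by piece into the HTTP action body."""
    return (f"client_id={client_id}&client_secret={client_secret}"
            f"&resource={RESOURCE}&grant_type=client_credentials")

def extract_access_token(response_body):
    """The Parse JSON step, plus checks on the fields the Flow relies on."""
    data = json.loads(response_body)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    if data.get("resource") != RESOURCE:
        raise ValueError("token was issued for a different resource")
    if not data.get("access_token"):
        raise ValueError("no access_token in response")
    return data["access_token"]

# Constructed sample values, not real credentials.
TENANT = "00000000-0000-0000-0000-000000000000"
CLIENT = "11111111-1111-1111-1111-111111111111"
SECRET = "aB+c&d=e~F"  # constructed secret containing form-reserved characters
SAMPLE_RESPONSE = json.dumps({"token_type": "Bearer", "expires_in": "3599",
                              "resource": RESOURCE,
                              "access_token": "eyJ.constructed.token"})

if __name__ == "__main__":
    url, headers, body = build_token_request(TENANT, CLIENT, SECRET)
    print(url)
    print(body)
    print("raw body decodes secret as:", parse_qs(naive_body(CLIENT, SECRET))["client_secret"])
    print("encoded body decodes secret as:", parse_qs(body)["client_secret"])
    print(extract_access_token(SAMPLE_RESPONSE))
```

In the Flow itself, the same effect comes from wrapping the Client Secret value in the encodeUriComponent() expression when adding it to the body.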

Start a Subscription using Power Automate

Introduction

The Office 365 Management Activity API aggregates actions and events into tenant-specific content blobs, which are classified by the type and source of the content they contain. Currently, these content types are supported:

  • Audit.AzureActiveDirectory
  • Audit.Exchange
  • Audit.SharePoint
  • Audit.General (includes all other workloads not included in the previous content types)
  • DLP.All (DLP events only for all workloads)

For details about the events and properties associated with these content types, see Office 365 Management Activity API schema.

To begin retrieving content blobs for a tenant, you first create a subscription to the desired content types.

After you create a subscription, you can poll regularly to discover new content blobs that are available for download.

NOTE: When a subscription is created, it can take up to 12 hours for the first content blobs to become available for that subscription. The content blobs are created by collecting and aggregating actions and events across multiple servers and datacenters in Microsoft 365. 

Create a Subscription using HTTP action

As you can see with the five content types available – I am going to use Audit.General for my example as I want to get information about the Workloads MicrosoftFlow, PowerApps, MicrosoftTeams etc. but you can register to multiple content types if you would like to obtain SharePoint, Exchange, AzureAD logs etc.

Edit the Flow again and then add a HTTP action. Set the Method to be POST then in the URI field add

https://manage.office.com/api/v1.0/

then add the Compose Tenant ID value to the URI field, then finally add to the URI field

/activity/feed/subscriptions/start?contentType=Audit.General

Next add Headers for the HTTP request, see the table below for the values. Ensure for the Authorization header that the word Bearer is entered, then a SPACE (THIS IS IMPORTANT!) and then the access_token is added from Parse JSON. Next add the Content-Type header and its value application/json.

Authorization: Bearer <Parse JSON – access_token>
Content-Type: application/json

The completed HTTP action should look like this (note I have renamed the action to HTTP – Start Subscription)

Now we are going to Test the Flow – click the Test button and then click I’ll perform the trigger action and then click Save & Test on the Test Flow menu

Now click on Run Flow

We can now see the results of the Flow, which ran successfully. Go to the HTTP – Start Subscription action and expand it. Check the OUTPUTS to see that the Status code is 200 and that the Body displays the contentType you wished to be enabled, i.e. Audit.General, and the status is enabled. This means the Subscription has been successfully enabled.

NOTE: it can take up to 12 hours for the subscription to retrieve the first content blob of logs for the ContentType so you may need to stop and come back later.
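The HTTP – Start Subscription action and the output check described above, as an added Python example that is not part of the original post. It builds the request without sending it, validates the inputs that end up in the URI and the Authorization header, and applies the same pass criteria to the response; the function names, sample token and sample response body are constructed for illustration.

```python
import json
import re
from urllib.parse import urlencode

# The five content types listed in the introduction above.
CONTENT_TYPES = {"Audit.AzureActiveDirectory", "Audit.Exchange",
                 "Audit.SharePoint", "Audit.General", "DLP.All"}
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def build_start_request(tenant_id, access_token, content_type):
    """Return (url, headers) for the subscription start POST."""
    if not GUID.match(tenant_id):
        raise ValueError("tenant_id is not a GUID")
    if content_type not in CONTENT_TYPES:
        raise ValueError(f"unsupported content type: {content_type}")
    if not access_token or any(c.isspace() for c in access_token):
        raise ValueError("access token is empty or contains whitespace")
    url = (f"https://manage.office.com/api/v1.0/{tenant_id}"
           "/activity/feed/subscriptions/start?"
           + urlencode({"contentType": content_type}))
    headers = {
        # The word Bearer, exactly one space, then the token.
        "Authorization": "Bearer " + access_token,
        "Content-Type": "application/json",
    }
    return url, headers

def subscription_enabled(status_code, response_body, content_type):
    """True only for status 200 with the requested contentType enabled."""
    if status_code != 200:
        return False
    data = json.loads(response_body)
    return (data.get("contentType") == content_type
            and data.get("status") == "enabled")

# Constructed sample values, not real tenant data.
TENANT = "00000000-0000-0000-0000-000000000000"
TOKEN = "eyJ.constructed.token"
OK_BODY = '{"contentType": "Audit.General", "status": "enabled", "webhook": null}'

if __name__ == "__main__":
    url, headers = build_start_request(TENANT, TOKEN, "Audit.General")
    print(url)
    print(headers["Authorization"])
    print(subscription_enabled(200, OK_BODY, "Audit.General"))
```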

Completed Flow

Here is the completed Flow for this post

Conclusion

If you’ve made it this far, you will have completed Part One and then in this blog article you will have started to create a Flow in Power Automate to subscribe to the Office 365 Management API to retrieve M365 Audit Logs.

For the next section Part Three we will retrieve the Audit Logs and then filter the Audit Logs to only show an example M365 workload i.e. MicrosoftFlow . I will then show how to write these to a SharePoint list.

I hope you enjoyed this blog post. Please leave comments and feedback below.
