Introducing the Microsoft Purview Audit Search Graph API
Microsoft Purview Audit provides an integrated solution to help organizations effectively respond to security incidents, forensic investigations, internal investigations, and compliance obligations.
Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization’s unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.
Today, we are excited to announce the upcoming launch of the Microsoft Purview Audit Search Graph API, a new capability that is currently in Public Preview and will be Generally Available by June 2024. With this release, Microsoft Purview Audit will offer a new API available through Microsoft Graph to programmatically search and retrieve relevant audit logs with improvements in search completeness, reliability, and performance. This API serves as an improved alternative to the existing PowerShell cmdlet, Search-UnifiedAuditLog.
What are the advantages of using this new API over the existing Search-UnifiedAuditLog cmdlet?
Microsoft Graph offers a single endpoint to provide access to rich data and insights across the Microsoft ecosystem. The Microsoft Audit Search Graph API is designed to provide a more efficient and reliable way to search audit logs, making it easier for customers and partners to monitor and investigate security incidents. With this new feature, users can expect faster search times, more complete search results, and a more robust and reliable search experience.
Highlights of the API with improvements over the existing Search-UnifiedAuditLog cmdlet are listed below:
- The API offers an asynchronous Audit search experience with support for automation, accessible by both users and applications
- A more reliable Audit search experience with fewer timeouts and improved search completeness
- New granular permissions have been introduced for the Audit workloads (Exchange, Entra, OneDrive, SPO, Intune, CRM), which allow you to grant workload-scoped access to your security admins for the very first time
- Ability to programmatically filter Audit logs using 10 parameters, with 4 new filter options to be added soon
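As an added example that is not part of the original announcement, the following Python sketches the asynchronous lifecycle the first highlight describes: submit a query, poll until it reaches a terminal status, then page through the records. The beta path /security/auditLog/queries, the status values, the filter property names and the @odata.nextLink paging are assumptions taken from the preview documentation rather than from this page, and obtaining a bearer token for an identity holding, for example, AuditLogsQuery.Read.All is left to the caller-supplied send function.

```python
import time

GRAPH = "https://graph.microsoft.com/beta"  # assumed preview base URL
TERMINAL = {"succeeded", "failed", "cancelled"}  # assumed terminal statuses

def submit_query(send, display_name, start, end, **filters):
    # POST creates the query; the search itself runs asynchronously on the server.
    body = {"displayName": display_name, "filterStartDateTime": start,
            "filterEndDateTime": end, **filters}
    return send("POST", f"{GRAPH}/security/auditLog/queries", body)["id"]

def wait_for_query(send, query_id, poll_seconds=0, max_polls=60):
    # Poll the query resource until it reaches a terminal status.
    for _ in range(max_polls):
        status = send("GET", f"{GRAPH}/security/auditLog/queries/{query_id}", None)["status"]
        if status in TERMINAL:
            if status != "succeeded":
                raise RuntimeError(f"query {query_id} ended with status {status}")
            return status
        time.sleep(poll_seconds)
    raise TimeoutError(f"query {query_id} not finished after {max_polls} polls")

def fetch_records(send, query_id):
    # Walk every result page; the last page carries no @odata.nextLink.
    url, records = f"{GRAPH}/security/auditLog/queries/{query_id}/records", []
    while url:
        page = send("GET", url, None)
        records.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return records

def search_audit(send, display_name, start, end, **filters):
    qid = submit_query(send, display_name, start, end, **filters)
    wait_for_query(send, qid)
    return fetch_records(send, qid)

def make_fake_send(polls_until_done=2):
    # Constructed offline transport imitating the lifecycle; it is not Microsoft Graph.
    state = {"polls": 0}
    def send(method, url, body):
        if method == "POST":
            return {"id": "q1", "status": "notStarted"}
        if url.endswith("/queries/q1"):
            state["polls"] += 1
            return {"id": "q1", "status": "succeeded" if state["polls"] > polls_until_done else "running"}
        if url.endswith("/records"):  # first page points at a second page
            return {"value": [{"operation": "Set-Mailbox"}], "@odata.nextLink": url + "?$skiptoken=1"}
        return {"value": [{"operation": "New-InboxRule"}]}
    return send, state
```

Swap make_fake_send for a real HTTPS transport that attaches the bearer token and returns parsed JSON, and the three functions run unchanged; the poll interval should then be raised from zero to a few seconds.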
New granular permissions
The new API allows you to scope access to Audit logs at a workload level for the very first time. The following seven permissions have been introduced:
Microsoft 365 service   | Permission string
Microsoft OneDrive      | AuditLogsQuery-OneDrive.Read.All
Microsoft Exchange      | AuditLogsQuery-Exchange.Read.All
Microsoft SharePoint    | AuditLogsQuery-SharePoint.Read.All
Microsoft Intune        | AuditLogsQuery-Endpoint.Read.All
Microsoft Dynamics CRM  | AuditLogsQuery-CRM.Read.All
Microsoft Entra         | AuditLogsQuery-Entra.Read.All
All Audit Logs          | AuditLogsQuery.Read.All
Get Started
Explore how to use the API by referring to the API documentation available here.
The Audit Search Graph API is currently in Public Preview and is planned to be Generally Available by June 2024.
We encourage existing users of the Search-UnifiedAuditLog cmdlet to switch over to the new Audit Search Graph API to take advantage of these improvements. This new API will provide a better overall experience for our customers and partners and help them monitor and protect their environments effectively.
There is an easy way for eligible customers to try Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial. By enabling the trial in the compliance portal, you can quickly start using all capabilities of Microsoft Purview, including Insider Risk Management, Records Management, Audit, eDiscovery, Communication Compliance, Information Protection, Data Lifecycle Management, Data Loss Prevention, and Compliance Manager.