Exchange Audit Log Endpoint Returns 401
I'm trying to retrieve Exchange Audit logs using manage.office.com endpoint.
This is the code:
public class ExchangeAuditLogReaderHelper
{
private readonly string _tenantId;
private readonly string _clientId;
private readonly string _clientSecret;
private readonly string _apiUrl = "https://manage.office.com/api/v1.0/{0}/activity/feed/subscriptions/content?contentType=Audit.Exchange&startTime={1:yyyy-MM-dd'T'HH:mm:ss}&endTime={2:yyyy-MM-dd'T'HH:mm:ss}";
public ExchangeAuditLogReaderHelper(string tenantId, string clientId, string clientSecret)
{
_tenantId = tenantId;
_clientId = clientId;
_clientSecret = clientSecret;
}
public async Task<string> GetAuditLogsAsync(DateTime startTime, DateTime endTime)
{
var accessToken = await GetAccessToken();
var url = string.Format(_apiUrl, _tenantId, startTime, endTime);
using (var client = new HttpClient())
{
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
var response = await client.GetAsync(url);
if (response.IsSuccessStatusCode)
{
var contentString = await response.Content.ReadAsStringAsync();
// Parse the JSON response and extract audit log entries (implementation omitted)
return contentString;
}
else
{
throw new Exception($"Error retrieving audit logs: {response.StatusCode}");
}
}
}
private async Task<string> GetAccessToken()
{
var authority = $"https://login.microsoftonline.com/{_tenantId}";
var authenticationContext = new AuthenticationContext(authority);
var clientCredential = new ClientCredential(_clientId, _clientSecret);
var userAssertion = await authenticationContext.AcquireTokenAsync("https://manage.office.com", clientCredential);
return userAssertion.AccessToken;
}
}
I have done the following steps:
- Create an Office 365 tenant. (Get TenantID.)
- Create an Enterprise App. (Get Client ID.)
- Create a Secret. (Get Client Secret.)
- Give the Enterprise App delegated permission ActivityFeed.Read and ActivityFeed.ReadDlp.
- Grant admin consent to the permissions.
I ran code with the values I have created, but I'm getting 401. Am I missing permissions for this?
Solution
The error might occur if you granted permissions of Delegated type that won't work with app-only flow.
Initially, I too got same error when I granted Delegated permissions in the application and tried to call API like this:
When I decoded this access token in jwt.ms, it does not have roles claim in it:
To resolve the error, make sure to grant permissions of Application type while using app-only flows:
When I ran below code after granting permissions of Application type, I got the response (blank as I don't have any):
using System.Net.Http.Headers;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
public class ExchangeAuditLogReaderHelper
{
private readonly string _tenantId;
private readonly string _clientId;
private readonly string _clientSecret;
private readonly string _apiUrl = "https://manage.office.com/api/v1.0/{0}/activity/feed/subscriptions/content?contentType=Audit.Exchange&startTime={1:yyyy-MM-dd'T'HH:mm:ss}&endTime={2:yyyy-MM-dd'T'HH:mm:ss}";
public ExchangeAuditLogReaderHelper(string tenantId, string clientId, string clientSecret)
{
_tenantId = tenantId;
_clientId = clientId;
_clientSecret = clientSecret;
}
public async Task<string> GetAuditLogsAsync(DateTime startTime, DateTime endTime)
{
var accessToken = await GetAccessToken();
var url = string.Format(_apiUrl, _tenantId, startTime, endTime);
using (var client = new HttpClient())
{
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
var response = await client.GetAsync(url);
if (response.IsSuccessStatusCode)
{
var contentString = await response.Content.ReadAsStringAsync();
return contentString;
}
else
{
var statusCode = (int)response.StatusCode;
var errorMessage = await response.Content.ReadAsStringAsync();
throw new Exception($"Error retrieving audit logs. Status code: {statusCode}. Error Message: {errorMessage}");
}
}
}
private async Task<string> GetAccessToken()
{
var authority = $"https://login.microsoftonline.com/{_tenantId}";
var authenticationContext = new AuthenticationContext(authority);
var clientCredential = new ClientCredential(_clientId, _clientSecret);
var userAssertion = await authenticationContext.AcquireTokenAsync("https://manage.office.com", clientCredential);
// Print the access token to the console
Console.WriteLine("Access Token: " + userAssertion.AccessToken);
return userAssertion.AccessToken;
}
}
class Program
{
static async Task Main(string[] args)
{
// Replace these with your actual values
var tenantId = "tenantId";
var clientId = "appId";
var clientSecret = "secret";
var helper = new ExchangeAuditLogReaderHelper(tenantId, clientId, clientSecret);
// Specify start and end time as required
var startTime = DateTime.UtcNow.AddDays(-1);
var endTime = DateTime.UtcNow;
try
{
var logs = await helper.GetAuditLogsAsync(startTime, endTime);
Console.WriteLine(logs);
}
catch (Exception ex)
{
Console.WriteLine($"\n{ex.Message}");
}
}
}
Response:
You can also decode this access token in jwt.ms and check for roles claim value to know what permissions token have:
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?