azuresharepointmicrosoft-graph-api

How to retrieve audit logs for sensitivity label application on SharePoint files using Microsoft Graph API?

I’m trying to retrieve audit logs or activity reports related to sensitivity labels applied to files stored in SharePoint using the Microsoft Graph API. Specifically, I want to track when a sensitivity label is applied or changed on a file within SharePoint.

So far, I have tried the following Graph API queries:

GET https://graph.microsoft.com/v1.0/security/alerts?$filter=category eq 'DataGovernance' and activityDisplayName eq 'FileLabelApplied'

However, I’m receiving the following error message:

{
    "error": {
        "code": "",
        "message": "Invalid ODATA query filter",
        "innerError": {
            "date": "2024-08-13T02:21:43",
            "request-id": "496b45e7-3e21-4524-9249-e506d378bd45",
            "client-request-id": "b7fdc2ec-f62c-8199-4248-fdb0913a29ad"
        }
    }
}

I have tried the following Graph API query :

https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=category eq 'DataGovernance' and operationType eq 'LabelApplied'

This query returned an empty result:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#auditLogs/directoryAudits",
    "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET auditLogs/directoryAudits?$select=activityDateTime,activityDisplayName",
    "value": []
}

To ensure that the API should return some results, I manually applied a sensitivity label to a file in SharePoint and then ran the API call. However, the response still returned an empty result, even though there should be a log entry for this action.

Is there a specific Graph API endpoint or query parameters that I should be using to retrieve logs related to sensitivity label applications on SharePoint files? Alternatively, is there another way to track these activities using the Graph API?

Any guidance on how to properly configure the API call or use alternative methods to obtain these logs would be greatly appreciated.

Solution

  • To retrieve audit logs for sensitivity label application on SharePoint files using Microsoft Graph API, you can make use of below query:

    GET 
https://graph.microsoft.com/beta/security/auditLog/queries

    enter image description here

    As I do not have any logs it returned blank results, But the sample output will be like below:

    {
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/auditLog/queries",
    "@odata.count": ,
    "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET security/auditLog/queries?$select=administrativeUnitIdFilters,displayName",
    "value": [
        {
            "id": "ID",
            "displayName": "DisplayName",
            "filterStartDateTime": "xxx",
            "filterEndDateTime": "xxx",
            "recordTypeFilters": [],
            "keywordFilter": "",
            "serviceFilters": [],
            "operationFilters": [
                "filesensitivitylabelapplied"
            ],
            "userPrincipalNameFilters": [],
            "ipAddressFilters": [],
            "objectIdFilters": [],
            "administrativeUnitIdFilters": [],
            "status": "succeeded"
        }
       ...    ]
}

    Make sure to consent AuditLogsQuery-SharePoint.Read.All API permission to fetch the results.

    Reference:

    List auditLogQueries - Microsoft Graph beta | Microsoft