Audit Logs

Entra ID Audit Log Overview:

Microsoft Entra activity logs include audit logs, which is a comprehensive report on every logged event in Microsoft Entra ID. Changes to applications, groups, users, and licenses are all captured in the Microsoft Entra audit logs.

Permission Requirements:

Log / Report	Roles	Licenses
Audit	Reports Reader Security Reader Security Administrator Global Reader	All editions of Microsoft Entra ID

AuditLog Schema:

Column	Type	Description
AADOperationType	string	Type of the operation. Possible values are Add Update Delete and Other.
AADTenantId	string	ID of the ADD tenant
ActivityDateTime	datetime	Date and time the activity was performed in UTC.
ActivityDisplayName	string	Activity name or the operation name. Examples include Create User and Add member to group. For full list see Azure AD activity list.
AdditionalDetails	dynamic	Indicates additional details on the activity.
_BilledSize	real	The record size in bytes
Category	string	Currently Audit is the only supported value.
CorrelationId	string	Optional GUID that's passed by the client. Can help correlate client-side operations with server-side operations and is useful when tracking logs that span services.
DurationMs	long	Property is not used and can be ignored.
Id	string	GUID that uniquely identifies the activity.
Identity	string	Identity from the token that was presented when the request was made. The identity can be a user account system account or service principal.
InitiatedBy	dynamic	User or app initiated the activity.
_IsBillable	string	Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
Level	string	Message type. This is currently always Informational.
Location	string	Location of the datacenter.
LoggedByService	string	Service that initiated the activity (For example: Self-service Password Management Core Directory B2C Invited Users Microsoft Identity Manager Privileged Identity Management.
OperationName	string	Name of the operation.
OperationVersion	string	REST API version that's requested by the client.
Resource	string
ResourceGroup	string
ResourceId	string
ResourceProvider	string
Result	string	Result of the activity. Possible values are: success failure timeout unknownFutureValue.
ResultDescription	string	Additional description of the result.
ResultReason	string	Describes cause of failure or timeout results.
ResultSignature	string	Property is not used and can be ignored.
ResultType	string	Result of the operation. Possible values are Success and Failure.
SourceSystem	string	The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
TargetResources	dynamic	Indicates information on which resource was changed due to the activity. Target Resource Type can be User Device Directory App Role Group Policy or Other.
TimeGenerated	datetime	Date and time the record was created.
Type	string	The name of the table

Microsoft Entra ID Audit Log Categories

Microsoft Entra audit log activity reference - Microsoft Entra IDMicrosoftLearn