Page Comparison

Audit logs - provisioning

Represents an action performed by the Microsoft Entra provisioning service and its associated properties.

v1.0/auditLogs/provisioning

provisioning_audits

cloud.azure.ad.provisioning.*.msgraph

Audit logs - directory

Represents the directory audit items and its collection.

v1.0/auditLogs/directoryaudits

directory_audits

cloud.azure.ad.audit.*.msgraph

Audit logs - sign-ins

Details user and application sign-in activity for a tenant (directory). You must have a Microsoft Entra ID P1 or P2 license to download sign-in logs using the Microsoft Graph API.

v1.0/auditLogs/signIns

signIns

cloud.azure.ad.signin.*.msgraph

Audit logs - sign-ins (v2)

Details user and application sign-in activity for a tenant (directory). You must have a Microsoft Entra ID P1 or P2 license to download sign-in logs using the Microsoft Graph API.

beta/auditLogs/signIns

signIns_v2

• cloud.azure.ad.interactive_user_signin.*.msgraph

• cloud.azure.ad.noninteractive_user_signin.*.msgraph

• cloud.azure.ad.managed_identity_signin.*.msgraph

• cloud.azure.ad.service_principal_signin.*.msgraph

• cloud.azure.ad.unknown_future_value_signin.*.msgraph

Legacy Alerts

This resource corresponds to the first generation of alerts in the Microsoft Graph security API, representing potential security issues within a customer's tenant that Microsoft or a partner security solution has identified.

This type of alerts federates calling of supported Azure and Microsoft 365 Defender security providers listed in Use the Microsoft Graph security API. It aggregates common alert data among the different domains to allow applications to unify and streamline management of security issues across all integrated solutions.

v1.0/security/alerts

alerts

• cloud.azure.ad.alerts.*.msgraph

• cloud.office365.cloud_apps.alerts.*.msgraph

• cloud.office365.endpoint.alerts.*.msgraph

• cloud.office365.security.alerts.*.msgraph

• cloud.azure.sentinel.alerts.*.msgraph

• cloud.office365.identity.alerts.*.msgraph

• cloud.azure.securitycenter.alerts.*.msgraph

Alerts (v2)

This resource corresponds to the latest generation of alerts in the Microsoft Graph security API, representing potential security issues within a customer's tenant that Microsoft 365 Defender, or a security provider integrated with Microsoft 365 Defender, has identified.

When detecting a threat, a security provider creates an alert in the system. Microsoft 365 Defender pulls this alert data from the security provider, and consumes the alert data to return valuable clues in an alert resource about any related attack, impacted assets, and associated evidence. It automatically correlates other alerts with the same attack techniques or the same attacker into an incident to provide a broader context of an attack. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.

v1.0/security/alerts_v2

alerts_v2

cloud.msgraph.security.alerts_v2.*

Secure Scores

Represents a tenant's secure score per day of scoring data, at the tenant and control level. By default, 90 days of data is held. This data is sorted by createdDateTime, from latest to earliest. This will allow you to page responses by using $top=n, where n = the number of days of data that you want to retrieve.

v1.0/security/secureScores

secure_scores

cloud.office365.security.scores.*.msgraph

Secure Scores Control Profiles

Represents a tenant's secure score per control data. By default, this resource returns all controls for a tenant and can explicitly pull individual controls.

v1.0/security/secureScoreControlProfiles/

secure_score_control_profiles

cloud.office365.security.scorecontrol.*.msgraph