cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
davidchr
New Member

Configure Oauth to connect to O365 Audit logs

Im using the following template: Monitor Office 365 audit logs for specific details and send alerts

 

https://preview.flow.microsoft.com/en-us/galleries/public/templates/4a7ea95259f1404e95855f6b053360b1...

 

But since this is production I cannot use Basic Auth.  I'll be the first to admit that OAuth is out of my depth and I was looking for assistance on how to configure the advanced options of the HTTP segment within this flow.  (FYI...all prior steps within this flow are successful).   I was using the following but its not working:

 

URI-- https://outlook.office365.com/psws/service.svc/UnifiedAuditLog?StartDate=12/16/2020&EndDate=12/17/20...

authentication:  Active Directory OAuth

Authority:  I've left this blank and I've also tried https://manage.office.com (taking this from a custom connector configuration used with the CoE Starter Kit).

I then enter my tenant GUID and the Application ID for the Audience and Client ID fields.  Finally I add the App secret.

 

Any help would be greatly appreciated.

 

Dave

 

 
 

 

 

2 REPLIES 2
Expiscornovus
Super User
Super User

Hi @davidchr,

 

As far as I am aware this sample is based on the PowerShell Search-UnifiedAuditLog Webservice sample, which is using Exchange Online PowerShell.

 

I think they are still working on that Modern Auth stuff, so I am not sure if this endpoint already works with Modern Auth, to be honest.

https://docs.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog?view=exchange-ps

 

An alternative you could use the Microsoft 365 Management Activity API, that one should be able to work with an registered Azure Ad app: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api...

colonel_claypoo
Helper III
Helper III

I'm facing the same issue now.

Always getting a 401 permission error, even with Azure app.

 

I can get ExchangeOnline V2 to authenticate via Azure app in PowerShell but that doesn't help as not cmdlets are available to do what could be done through https://outlook.office365.com/psws/service.svc/UnifiedAuditLog.

 

Got the Office 365 Management API to partly work but (subscription and initial content call) but there seems to be no filter and it always returns thousands of objects and it's not feasible to get an activity from like 60 days back like the 90 days we were able from the https://outlook.office365.com/psws/service.svc/UnifiedAuditLog API.

 

Anyone know of a way?

Helpful resources

Announcements
Community Connections 768x460.jpg

Community & How To Videos

Check out the new Power Platform Community Connections gallery!

User Group Leader Meeting January 768x460.png

Calling all User Group Leaders!

Don't miss the User Group Leader meetings on January, 24th & 25th, 2022.

Top Solution Authors
Top Kudoed Authors
Users online (1,461)