How to enable API access to Microsoft Entra ID (AzureAD)?
Article ID: 518
Category: Cloud Log Monitoring
Applies to: 5.1 and later
Updated: 2026-01-29
This guide provides step-by-step instructions to enable audit log access in Microsoft Entra ID, formerly Azure Active Directory (AzureAD).
Prerequisites
- Administrative access to Microsoft Entra ID.
- An active subscription to Azure with Entra ID P1 or higher.
- Necessary permissions to configure audit logging.
- Patience.
Sign in to the Azure Portal
- Go to Azure Portal - https://portal.azure.com
- Sign in with your administrative account.
Register a new application
- Azure Portal: Click on Microsoft Entra ID -> Manage on the left sidebar
-or-
Microsoft Entra admin center: Click Identity -> Applications on the left sidebar - Click App registrations
- Then click + New registration.
- Enter a name for your application, e.g. EventSentry or EventSentry Log Download
- Set Supported account types based on your requirements ("Single Tenant" by default)
- "Redirect URI" can be left empty
- Click Register at the bottom.
- After the application is registered, you will be redirected to the application's overview page.
Get the Application (client) ID and Directory (tenant) ID
- Copy the Application (client) ID. This is your CLIENT_ID.
- On the same overview page, you will find the Directory (tenant) ID. Copy this value as your TENANT_ID.
Create a client secret
- Click on Certificates & secrets
- Then under the Client secrets tab click + New client secret.
- Provide a description for the client secret (e.g. "EventSentry" or "EventSentry Log Download") and set an expiration period. Setting a short expiration period is more secure but will require you to create new secrets when the credentials have expired.
- Click Add.
- IMPORTANT: After creating the client secret, copy the Value immediately. This is your CLIENT_SECRET. Note: You won’t be able to copy this secret later, so save it securely.
Assign API Permissions
- On the left sidebar go to API permissions > Add a permission
- Select Microsoft Graph.
- Add delegated permissions: Choose Application permissions (Delegated won't work in most scenarios)
- The required permissions for accessing logs are listed below. Recommended permissions are necessary for full log retrieval and all details.
- After adding the necessary permissions, click Grant admin consent to allow the application to use these permissions.
| Minimum Permissions | Recommended Permissions | Description |
|---|---|---|
| AuditLog.Read.All | AuditLog.Read.All | Sign-in logs, directory audit logs |
| SecurityEvents.Read.All | SecurityEvents.Read.All | Security events from Microsoft security products |
| Directory.Read.All | Users, groups, devices, organizational info | |
| IdentityProvider.Read.All | Identity providers (social logins, federation settings | |
| IdentityRiskEvent.Read.All | Identity Protection risk detections | |
| IdentityRiskyServicePrincipal.Read.All | Service principals flagged as risky | |
| IdentityRiskyUser.Read.All | Users flagged as risky by Identity Protection | |
| IdentityUserFlow.Read.All | Azure AD B2C user authentication flows | |
| Reports.Read.All | Microsoft 365 usage reports (Teams, Exchange, SharePoint activity) | |
| SecurityActions.Read.All | Security response actions taken | |
| SecurityAlert.Read.All | Security alerts from Defender products | |
| SecurityAnalyzedMessage.Read.All | Email threat analysis metadata | |
| SecurityEvents.Read.All | Security events from Microsoft security products | |
| SecurityIdentitiesHealth.Read | Identity security health/posture | |
| SecurityIdentitiesSensors.Read.All | Defender for Identity sensors | |
| SecurityIdentitiesUserActions | Identity-related user actions | |
| SecurityIncident.Read.All | Security incidents from Microsoft 365 Defender |
