
office-365-management-api's Introduction

Office 365 Management APIs

The Office 365 Management APIs provide a single extensibility platform for all Office 365 customers' and partners' management tasks, including service communications, security, compliance, reporting, and auditing. All of the Office 365 Management APIs are consistent in design and implementation with the current suite of Office 365 REST APIs, using common industry-standard approaches, including OAuth v2, OData v4, and JSON. As with the other Office 365 APIs, applications are registered in Microsoft Entra ID, giving developers a consistent way to authenticate and authorize their apps.

To get started, go to the Office 365 Management APIs overview.

Microsoft Open Source Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

office-365-management-api's People

Contributors

abhbansal913, andreighita, anneraheem-msft, arishojaswi, brittmsantos, chrisda, denisebmsft, dingding2, elizasipos, faoquong, guzi99, kccross, krishnacloud123, kristitorg, linda-editor, lindalu-msft, malhotrasumit, markjjo, meiyachan-microsoft, mgblythe, msarts, nadinmerali, nivnar, nschonni, rasanders-msft, samschan-ms, sujitnaray, tapanm-msft, vesaladi, vippand


office-365-management-api's Issues

<Request>Please add the "content types" to the "AuditLogRecordType" list

We need to know which “AuditLogRecordType” each of the following content types is associated with.
It would be really helpful if you could add that information (content types) to the “AuditLogRecordType” list in this document.
• Audit.AzureActiveDirectory
• Audit.Exchange
• Audit.SharePoint
• Audit.General (includes all other workloads not included in the previous content types)
• DLP.All (DLP events only for all workloads)

MessageText is a mess

Hello,

I've been trying to use the communications API to present messages and issues to our service desks.

To be frank, I can't present them with the message text without heavy-lifting transformations to standardise the format, as currently there is no standard format in there.
Content can be raw text, HTML or pseudo-markdown. There are even what look like standard sections that are not always formatted the same way.

Having MessageText in a standard format is a key blocking factor to using these APIs for us, as it requires a lot of work to clean them up.

Cédric

Lack of Description

Please provide a description and information in the readme so that we can understand the purpose of this repo.

Incorrect response schema for SharePoint list operations

Currently, the audit log does not include the "ListName/ListUrl/IsHiddenList/IsDocLib" schema.
If it is correct behavior, these schema should be removed from the document.

Instead of:

Parameter Type Mandatory? Description
ListTitle Edm.String No The title of the SharePoint list.
ListName Edm.String No The name of the SharePoint list.
ListUrl Edm.String No The URL of the list relative to the containing website.
ListBaseType Edm.String No Specifies the base type for a list.
ListBaseTemplateType Edm.String No The list definition type on which the list is based.
IsHiddenList Edm.Boolean No This value is set to True if the SharePoint list is hidden.
IsDocLib Edm.Boolean No This value is set to True if the SharePoint list is of the type Document Library.

It should be...

Parameter Type Mandatory? Description
ListTitle Edm.String No The title of the SharePoint list.
ListBaseType Edm.String No Specifies the base type for a list.
ListBaseTemplateType Edm.String No The list definition type on which the list is based.

The audit log of the list operation is below.

"AppAccessContext": {
"AADSessionId": "144a2dd6-0bfa-4dd7-b628-09584xxxx",
"CorrelationId": "74ee7ba0-7005-2000-cd9c-31f5aeb576e0",
"UniqueTokenId": "0q1nEFqVJEqeeyAdxxxx"
},
"CreationTime": "2022-11-25T03:00:13",
"Id": "79666399-e45f-4c4e-d901-08dace912c8f",
"Operation": "ListCreated",
"OrganizationId": "6a588f65-bc20-4c65-a9d8-f40d363xxxx",
"RecordType": 36,
"UserKey": "i:0h.f|membership|[email protected]",
"UserType": 0,
"Version": 1,
"Workload": "SharePoint",
"ClientIP": "126.103.155.76",
"ObjectId": "https://xxx.sharepoint.com/sites/xxx/Lists/060feead-ce74-4629-b6ca-8d562bc42f5f",
"UserId": "[email protected]",
"CorrelationId": "74ee7ba0-7005-2000-cd9c-31f5aeb576e0",
"EventSource": "SharePoint",
"ItemType": "List",
"ListId": "060feead-ce74-4629-b6ca-8d562bc42f5f",
"Site": "3a846117-48ae-4f25-ae7d-5370190d0447",
"UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36",
"WebId": "43e210ff-68ca-487c-91b1-037f4965ad7a",
"CustomizedDoclib": false,
"FromApp": false,
"ItemCount": 0,
"ListBaseTemplateType": "100",
"ListBaseType": "GenericList",
"ListColor": "",
"ListIcon": "",
"Source": "Site",
"TemplateTypeId": "00000000-0000-0009-0000-111111111111",
"ListTitle": "060feead-ce74-4629-b6ca-8d562bc42f5f"

AADSTS54005: OAuth2 Authorization code was already redeemed

Following the steps at https://docs.microsoft.com/en-us/office/office-365-management-api/get-started-with-office-365-management-apis to complete the OAuth flow and running into this error:

AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.

We are not reusing the code, the secret and cert on the app are valid and have not expired.
This worked previously with this app and only started erroring today. Has something changed with this flow?

Microsoft Teams schema

Hi,

We're trying to figure out what is the purpose of the Microsoft Teams schema (https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#microsoft-teams-schema).
The description is quite generic,

"Extends the Common schema with the properties specific to all Microsoft Teams events."

and we can't find any content on our tenant.

Does anybody know what it's supposed to contain/ be used for ? Is there any roadmap of adding Teams content to the API ?

Regards

The Sample JSON response for /Messages is wrong

The values of the "Workload" and "WorkloadDisplayName" are misplaced for "Get Messages" (/Messages)

The sample states:
"Workload": "Exchange Online",
"WorkloadDisplayName": "Exchange",

But in the real world it should be:
"Workload": "Exchange",
"WorkloadDisplayName": "Exchange Online",

Incorrect description for startTime and endTime

The documentation states that startTime and endTime:

  1. are optional and if not provided the last 24 hours time range will be used
  2. both must be specified or both omitted

Currently what I observe is:

  1. startTime or endTime must be provided, otherwise the response is a 400 HTTP error with the following body:
{
    "error": {
        "code": "String reference not set to an instance of a String.\r\nParameter name",
        "message": "s"
    }
}
  2. The API can be called with only startTime or endTime specified, as long as they respect the 7-day constraint.

Lack of possible responses - "Microsoft.Office.Compliance.Audit.DataServiceException: Tenant does not exist"

Besides the error list at the end, there are many responses that can be returned upon calls that aren't documented. The one that bugs me the most is:
"error": { "code": "StartSubscription [TenantId=5b9a99a5-************-4279ec819ed6,ContentType=Audit.Exchange,ApplicationId=de113d70-************-1790e19d3016,PublisherId=00000000-0000-0000-0000-000000000000] failed. Exception", "message": "Microsoft.Office.Compliance.Audit.DataServiceException: Tenant 5b9a99a5-*****************-4279ec819ed6 does not exist.\r\n at Microsoft.Office.Compliance.Audit.API.AzureManager.GetSubscriptionTableClientForTenant(Guid tenantID, Boolean throwIfTenantNull)\r\n at Microsoft.Office.Compliance.Audit.API.AzureManager.<GetAPISubscriptionAsync>d__22.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Microsoft.Office.Compliance.Audit.API.StartController.<StartSubscription>d__0.MoveNext()" }

when making this request:
https://manage.office.com/api/v1.0/5b9a99a5-************-4279ec819ed6/activity/feed/subscriptions/start?contentType=Audit.Exchange Headers: Authorization: Bearer {{access_token}} Content-Type: application/x-www-form-urlencoded
I'm not sure if I'm getting this because of this request or because of the initial request (the one I'm requesting the access token). Either way, this response seems to make no sense since I already got the token with this tenant.

I didn't find any mention for this message and I have no lead on how to solve it.
Please help
Thanks

Quarantined mails due to Spam cannot be retrieved via Office 365 Management API

Hi,

We have followed https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference to retrieve content from the Office 365 Management API and we are able to retrieve information on all mails quarantined due to Malware or Phishing, but for those quarantined due to Spam (Policy Type: Hosted content filter policy) it is not possible to retrieve them.

Is there any other ContentType that should be used or some configuration that is required to be able to retrieve them?

Thanks!

Stack trace returned in body

If I access https://manage.office.com/api/v1.0/mycompany.com/ServiceComms/CurrentStatus, for example, with a Client ID that hasn’t been granted access, I’ll get a stack trace (and a status code of 500).

System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
   at System.ThrowHelper.ThrowKeyNotFoundException()
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at Microsoft.Office365ServiceComms.Common.OAuthAuthorizeAttribute.OnAuthorization(HttpActionContext actionContext)
   at System.Web.Http.Filters.AuthorizationFilterAttribute.OnAuthorizationAsync(HttpActionContext actionContext, CancellationToken cancellationToken)

I would expect a 403, and some helpful message.

Missing RecordType enum values

I have logs with the following RecordTypes, but their values aren't listed under the AuditLogRecordType

I was able to find that RecordType 187 through commit 73d0268, but no luck for the others.

+----------+------------------------+
|RecordType|                Workload|
+----------+------------------------+
|       126|       Microsoft365Group|
|       134|SecurityComplianceCenter|
|       155|       ComplianceManager|
|       187|               PowerApps|
|       205|              SharePoint|
|        79|      PowerPlatformAdmin|
+----------+------------------------+

Endpoint DLP log (device activity log) schema is missing

The following page does not have Endpoint DLP schema information, even though we can get Endpoint DLP logs (device activity log) using Office 365 Management Activity API.

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
https://github.com/MicrosoftDocs/office-365-management-api/blob/live/office-365-management-api/office-365-management-activity-api-schema.md

For example, we can get an Endpoint DLP log (device activity log) like below (some values are masked):

 {
    "SourceLocationType": 1,
    "Platform": 1,
    "Application": "EXCEL.EXE",
    "FileExtension": "xlsx",
    "DeviceName": "device01.corp.contoso.com",
    "MDATPDeviceId": "1e82df73acf2c509bc12b4d7bcc4a394be6aa67c",
    "FileSize": 0,
    "FileType": "Microsoft Excel",
    "Hidden": false,
    "ObjectId": "C:\\Users\\User01\\Desktop\\~$test.xlsx",
    "UserId": "[email protected]",
    "ClientIP": "x.x.x.x",
    "Id": "a70cb637-7b6e-4002-8170-eb66ce46f28b",
    "RecordType": 63,
    "CreationTime": "2021-03-04T14:06:26",
    "Operation": "FileDeleted",
    "OrganizationId": "70c32610-3071-4013-8607-d338463e92e4",
    "UserType": 0,
    "UserKey": "[email protected]",
    "Workload": "Endpoint",
    "Version": 1,
    "Scope": 1
  }

Webhook address silently unsubscribing

So I have some subscriptions to content from an app I've created.

[ { "contentType": "Audit.AzureActiveDirectory", "status": "enabled", "webhook": null }, { "contentType": "Audit.Exchange", "status": "enabled", "webhook": { "authId": "rvUCHW2N5u1H0mjo7XPOL0JCSum68g", "address": "https://api.elevatesecurity.com/customer-integrations/webhook/elevate/fny5DEz2qSK4pIqfTYykscFi27xTO7", "expiration": "", "status": "enabled" } }, { "contentType": "Audit.General", "status": "enabled", "webhook": { "authId": "FU4hIefAL5Tf98NJnSLbzkunYgEyBw", "address": "https://api.elevatesecurity.com/customer-integrations/webhook/elevate/diDF58FMDShIx5faEl78m4HnUIQb9N", "expiration": "", "status": "enabled" } }, { "contentType": "Audit.SharePoint", "status": "enabled", "webhook": { "authId": "aAwTBrtOJ10Ur0m-bKU-wnLL51PUFQ", "address": "https://api.elevatesecurity.com/customer-integrations/webhook/elevate/zyZtjAFYmX6QgXqbmiRWpuo9YMUtDT", "expiration": "", "status": "enabled" } }, { "contentType": "DLP.All", "status": "enabled", "webhook": null } ]

For some reason aside from the initial validation ping to the webhook address, I never get any more traffic to the webhook and at some point the address will unsubscribe.

I guess my questions are:

What are the causes for a webhook address being unsubscribed?

Can I check for outbound webhook traffic to see if content was pushed to me?

Can a tenant have multiple webhook addresses or subscriptions to content open?

Is there an issue on your end?

Management Activity API misses URLs for Germany and China national clouds

Management Activity API Reference (https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference) in the 'Activity API operations' section provides URLs for Enterprise, GCC, GCC High, and DoD subscription plans.
But not for the national clouds, Germany and China.

Observed result: URLs for Enterprise, GCC, GCC High, DoD
Expected result: URLs for Enterprise, GCC, GCC High, DoD, Germany, and China

Incorrect Sample Schema: Get Current Status and Get Historical Status

Hello,
The sample schemas for Get Current Status and Get Historical Status are incorrect.

"StatusDisplayName" is new

  • Old: StatusDate / New: "StatusTime"

  • Old: FeatureGroupStatusCollection / New: "FeatureStatus"

"FeatureStatus" collection includes the following new:

  • "FeatureDisplayName"
  • "FeatureName"
  • "FeatureServiceStatus"
  • "FeatureServiceStatusDisplayName"

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-service-communications-api-reference#sample-response-1
https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-service-communications-api-reference#sample-response-2

Current response provided (snippet sample, not full):
 "Id": "Exchange",
      "IncidentIds": [
        "EX231425",
        "EX229923"
      ],
      "Status": "ServiceDegradation",
      "StatusDisplayName": "Service degradation",
      "StatusTime": "2020-12-27T16:13:24.1214338Z",
      "Workload": "Exchange",
      "WorkloadDisplayName": "Exchange Online"
    },
    {
      "FeatureStatus": [
        {
          "FeatureDisplayName": "Service",
          "FeatureName": "service",
          "FeatureServiceStatus": "ServiceOperational",
          "FeatureServiceStatusDisplayName": "Normal service"
        },
        {
          "FeatureDisplayName": "Form functionality",
          "FeatureName": "functionality",
          "FeatureServiceStatus": "ServiceOperational",
          "FeatureServiceStatusDisplayName": "Normal service"
        },
        {
          "FeatureDisplayName": "Integration",
          "FeatureName": "integration",
          "FeatureServiceStatus": "ServiceOperational",
          "FeatureServiceStatusDisplayName": "Normal service"
        }
      ],
"Id": "Lync",
      "IncidentIds": [],
      "Status": "ServiceOperational",
      "StatusDisplayName": "Normal service",
      "StatusTime": "2020-12-27T16:13:24.1214338Z",
      "Workload": "Lync",
      "WorkloadDisplayName": "Skype for Business"
    },
    {
      "FeatureStatus": [
        {
          "FeatureDisplayName": "Other",
          "FeatureName": "MicroFLowOther",
          "FeatureServiceStatus": "ServiceOperational",
          "FeatureServiceStatusDisplayName": "Normal service"
        },
        {
          "FeatureDisplayName": "Service and web access issues",
          "FeatureName": "Service",
          "FeatureServiceStatus": "ServiceOperational",
          "FeatureServiceStatusDisplayName": "Normal service"
        }
      ],

Skype for Business workflow schema is missing in the Office 365 Management Activity API schema documentation

I'm working on a project that utilizes the Office 365 Management API and deserializes the JSON returned by the API to .NET Core objects in order to report on O365 audit metrics. When capturing data today, I encountered a workflow that I hadn't seen before, titled "SkypeForBusiness", and my application threw an exception because it didn't know what to do with some of the serialized data. I went back to see if I had missed it when I was creating objects from the "Office 365 Management Activity API schema" documentation and didn't see a reference to it there. Here is what the JSON object for that workflow looks like:

{
"CreationTime": "",
        "Id": "",
        "Operation": "",
        "OrganizationId": "",
        "RecordType": 23,
        "ResultStatus": "",
        "UserKey": "",
        "UserType": "",
        "Version": "",
        "Workload": "SkypeForBusiness",
        "UserId": "",
        "SkypeForBusinessEventType": "",
        "TenantName": "",
        "CmdletVersion": "",
        "ExternalAccess": false,
        "ObjectName": "",
        "Parameters": [
            {
                "Name": "",
                "Value": ""
            }
        ]
    }

Edit 2020-01-13, 12:00 EST

I looked at the JSON object and created an object from it. Thought I would share this information with you in case it helps you update the documentation:

Skype for Business Workflow

        public string SkypeForBusinessEventType { get; set; }
        public string TenantName { get; set; }
        public bool ExternalAccess { get; set; }
        public string ObjectName { get; set; }

Properties in the Skype for Business schema that are shared with Security and Compliance

        public List<KeyValuePair<string, string>> Parameters { get; set; }
        public string CmdletVersion { get; set; }

Additional Information

The property "Parameters" is listed as Edm.String in the Security and Compliance schema but the description sounds like it could be a list of <KeyValuePair<string,string>>. If not, it is a string in the Security and Compliance workflow and a list of KeyValuePair<string, string> in Skype for Business.

Email message events Self.Policy missing policy definitions

Office 365 Advanced Threat Protection and Threat Investigation and Response schema
Email message events
Policy Self.Policy
https://github.com/MicrosoftDocs/office-365-management-api/blob/live/office-365-management-api/office-365-management-activity-api-schema.md#policy-type-and-action-type

There are 14 policies listed and defined.
Currently pulling logs under our account into our SIEM. I am seeing 2 additional policies, policy 15 and policy 17, which tells me there might be more policies defined for this table than are published.
How can I get a listing of all active policies so I know what policies these are relating to in our SIEM.

Unable to retrive ContentUri on DLP.ALL subscription

Hello!

I've started a DLP.ALL subscription within my tenant, but I'm unable to get the ContentUri to retrieve the content of this subscription.

I waited more than the 12 hours stated in the documentation but nothing changed.

When trying to do a GET against 'https://manage.office.com/api/v1.0/My-Tenant-GUID/activity/feed/subscriptions/content?contentType=DLP.ALL' I get a statusCode 200 but an empty "body" (where the ContentUri should be), as shown below:

'{
"statusCode": 200,
"headers": {
"Pragma": "no-cache",
"Cache-Control": "no-cache",
"Date": "Thu, 25 Mar 2021 13:44:37 GMT",
"Server": "Microsoft-IIS/10.0",
"X-AspNet-Version": "4.0.30319",
"X-Powered-By": "ASP.NET",
"Content-Length": "2",
"Content-Type": "application/json; charset=utf-8",
"Expires": "-1"
},
"body": []
}'

Is there any way to solve this? Thanks!

Using domain as tenant identifer returns 400 on /ServiceComms/Services

Returns a 400 Bad Request stating the tenant ID is invalid when the tenant is referenced by domain in the path.
The main issue here is that the docs specifically use the domain and not the GUID.
GET https://manage.office.com/api/v1.0/{Domain}/ServiceComms/Services => 400 Bad Request
GET https://manage.office.com/api/v1.0/{GUID}/ServiceComms/Services => 200 OK

On other endpoints, for example /ServiceComms/Messages, both approaches work fine.
https://manage.office.com/api/v1.0/{Domain}/ServiceComms/Messages => 200 OK
https://manage.office.com/api/v1.0/{GUID}/ServiceComms/Messages => 200 OK

Is ActivityReports.Read API Permission Still Valid?

I am currently maintaining an Office 365 app registered in an Azure Active Directory. Recently I came across an issue while integrating the app for another AD tenant. The error was AADSTS650051: Application '<app-guid>' is requesting permissions that are either invalid or out of date. After removing API permission for ActivityReports.Read, everything started working again.

After fixing the issue, I searched a lot on whether this permission is still valid. But I could not find a definitive answer or any reference for this even. At last I found this permission to be present in scope value of the below sample response.

https://github.com/MicrosoftDocs/office-365-management-api/blob/live/office-365-management-api/get-started-with-office-365-management-apis.md#sample-response

So, my question is - is the API permission still valid? Because it is not presented as an option in API permissions suitable for adding on an application. Added to that the behavior I described in at the beginning of this issue seems like the answer will be negative.

In that case, should this be present in the docs? Is there any place where API permission deprecation status can be checked along with API reference and needed API permission for that API?

Get metadata of Office 365 Service Communications API

I am trying to get the metadata from Office 365 Management APIs. When I a make a call to the following Url

resource = "https://manage.office.com/api/v1.0/tenant-id/ServiceComms/CurrentStatus"

I get the data and the first line contains the following information

@odata.context":"https://office365servicecomms-prod.cloudapp.net/api/v1.0/tenant-id/$metadata#CurrentStatus"

From this, I wanted to retrieve the metadata Information. But it's not working and I am getting an internal server error

using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

    // Runs in an async context; _authResult holds the token acquired earlier.
    async Task<HttpResponseMessage> GetMetadataAsync()
    {
        // Note: "#CurrentStatus" is a URL fragment, which HttpClient does not send to the server.
        string resource = "https://office365servicecomms-prod.cloudapp.net/api/v1.0/tenant-id/$metadata#CurrentStatus";
        using (HttpClient httpClient = new HttpClient())
        {
            httpClient.Timeout = new TimeSpan(0, 2, 0);
            httpClient.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", _authResult.AccessToken);

            httpClient.DefaultRequestHeaders.Add("Accept", "application/json");

            HttpResponseMessage response =
                await httpClient.GetAsync(resource);
            return response;
        }
    }

In response, I get the status code 500 Internal Server Error. I don't understand what I am doing wrong here. Does anyone know how to get the metadata from the Office 365 Service Communications API?

@markjjo
@andreighita
@nschonni

Data fields in Microsoft Office 365 Reporting Add-on for Splunk

Hi,

I have created an app in Azure, given it the permissions to the Office 365 Management Activity API and also created the Microsoft Office 365 Reporting Add-on in Splunk. The results when searching are not covering the fields I want. I want to get the subject of the email on which Defender for O365 has triggered an alert. Is the API sending the data? If yes, where are the fields stuck? I'm trying to do the searches outside the application with an index=* search and I still don't get all the schemas listed in https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema

Br,

Robar

Email message events without Policy and PolicyAction fields

Hello,
We are collecting Office365 logs using the Management API and for the email message events, we are seeing logs without the Policy and PolicyAction fields. But the documentation states that these fields are mandatory.
Microsoft support told us that there are situations where these fields can be missing, particularly for messages treated and actions taken by Exchange Online Protection.
Could you clarify the documentation on this topic ?
Antoine

Intermittent 500 error

Hi.
When I use the O365 Management API to collect audit logs, I receive intermittent 500 Internal Server Error responses.
Sometimes the number of errors is 3, sometimes it's 30.
I implemented retry logic in the client-side app.
I'd like to know whether intermittent 500 errors occur under normal circumstances.
Thanks.
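The retry question above, and the earlier report of a 500 with a full stack trace in the body for an unauthorized client, are both about how a collector should treat error responses. The following added example is mine, not code from this repository or from Microsoft: it retries only throttling and 5xx responses (honoring Retry-After, otherwise exponential backoff with full jitter), fails fast on 401/403/400 where a retry would only burn quota, and truncates any server stack trace to its first line before it reaches a log. The `fetch` callback, sleep and random sources are injectable placeholders so the logic runs offline.

```python
import random
import time

# Statuses worth retrying: throttling and transient server-side failures.
RETRYABLE_STATUSES = {429, 500, 502, 503, 504}


class ManagementApiError(Exception):
    """Raised when a request fails with a non-retryable status or the
    retry budget is exhausted."""

    def __init__(self, status, detail):
        super().__init__(f"HTTP {status}: {detail}")
        self.status = status
        self.detail = detail


def summarize_body(body, limit=200):
    """Keep only the first line of an error body, so a server-side stack
    trace (like the KeyNotFoundException one quoted on this page) is not
    copied verbatim into logs or alerts."""
    text = body if isinstance(body, str) else str(body)
    lines = text.strip().splitlines()
    return (lines[0] if lines else "")[:limit]


def get_with_retry(fetch, url, max_attempts=5, base_delay=1.0,
                   sleep=time.sleep, rng=random.random):
    """Call fetch(url) -> (status, headers, body) until it succeeds or the
    failure is not transient.

    - 2xx: returned as-is.
    - 429/5xx: retried; Retry-After (seconds) is honored when present,
      otherwise exponential backoff with full jitter, up to max_attempts.
    - any other 4xx (400, 401, 403): raised at once, since retrying an auth
      or request error cannot succeed and only consumes quota.
    """
    for attempt in range(1, max_attempts + 1):
        status, headers, body = fetch(url)
        if 200 <= status < 300:
            return status, headers, body
        if status not in RETRYABLE_STATUSES or attempt == max_attempts:
            raise ManagementApiError(status, summarize_body(body))
        retry_after = headers.get("Retry-After")
        if retry_after is not None and str(retry_after).isdigit():
            delay = float(retry_after)
        else:
            delay = base_delay * (2 ** (attempt - 1)) * rng()
        sleep(delay)
    raise AssertionError("unreachable")  # loop always returns or raises
```

The jitter matters when several collectors (or several threads) hit the same tenant: synchronized retries after a 500 burst look like a self-inflicted throttle.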

Same field name in Email Message Schema

In the docs we found that there are two fields that have the same name, "Policy", yet different types. This is under the Microsoft Defender for Office 365 and Threat Investigation and Response schema - Email Message table.

Incorrect response schema for ServiceComms/services

The sample response provided for the service endpoint is incorrect. The FeatureNames array of strings, is now Features, an array of objects.

Instead of:
{ "Id": "Exchange", "DisplayName": "Exchange Online", "FeatureNames": [ "Sign-in", "E-Mail and calendar access", "E-Mail timely delivery", "Management and Provisioning", "Voice mail" ] }
...it should be...
{ "Id": "Exchange", "DisplayName": "Exchange Online", "Features": [ { "DisplayName": "Networking Issues", "Name": "Networking Issues" }, ... ] }

Missing values for IdentityType enum

The numeric values for IdentityType are not provided, which complicates log analysis, as there are only numbers available there.

I believe the enum values should be from 0 to 5. Please add them to this document.

Thanks!

content?

The call to content? doesn't seem to work with the date parameters.

This line (copied from article) : Invoke-WebRequest -Method GET -Headers $headerParams -Uri https://manage.office.com/api/v1.0/$tenantGUID/activity/feed/subscriptions/content?contentType=Audit.SharePoint &startTime=2017-10-13T000:00&endTime=2017-10-13T11:59

Generates this error :
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as part of a string.
At line:1 char:199
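The PowerShell error above is the shell parsing an unquoted & as an operator; the fix is to put the whole URI in quotes. The earlier report on startTime and endTime is about the same query string. The added example below is mine, not the repository's or Microsoft's code: it builds the content-listing URL in Python with the documented constraints enforced before the request is made (both timestamps or neither, start before end, at most a seven-day span, UTC without offset), percent-encodes the query so no hand-escaping is needed, and follows the NextPageUri response header when a listing is paged. The tenant GUID and the `fetch` callback are placeholders.

```python
import datetime as dt
from urllib.parse import quote, urlencode

BASE_URL = "https://manage.office.com/api/v1.0"
MAX_WINDOW = dt.timedelta(days=7)   # documented limit on a startTime..endTime span


def _parse_utc(value):
    """Accept 'YYYY-MM-DDTHH:MM[:SS]' (treated as UTC) or a datetime;
    aware datetimes are converted to naive UTC."""
    t = dt.datetime.fromisoformat(value) if isinstance(value, str) else value
    if t.tzinfo is not None:
        t = t.astimezone(dt.timezone.utc).replace(tzinfo=None)
    return t


def content_list_url(tenant_id, content_type, start_time=None, end_time=None):
    """Build the subscriptions/content URL with a correctly encoded query.

    Enforces the documented contract: startTime and endTime are given
    together or not at all, start precedes end, and the span is at most
    seven days. Timestamps are emitted as YYYY-MM-DDTHH:MM in UTC.
    """
    if (start_time is None) != (end_time is None):
        raise ValueError("startTime and endTime must be specified together")
    params = {"contentType": content_type}
    if start_time is not None:
        start, end = _parse_utc(start_time), _parse_utc(end_time)
        if end <= start:
            raise ValueError("endTime must be after startTime")
        if end - start > MAX_WINDOW:
            raise ValueError("startTime..endTime may not span more than 7 days")
        params["startTime"] = start.strftime("%Y-%m-%dT%H:%M")
        params["endTime"] = end.strftime("%Y-%m-%dT%H:%M")
    # urlencode percent-encodes ':' and joins parameters with '&', so the
    # caller never hand-builds (or shell-escapes) the query string.
    return (f"{BASE_URL}/{quote(tenant_id, safe='')}"
            f"/activity/feed/subscriptions/content?{urlencode(params)}")


def iter_content_blobs(fetch, url):
    """Yield every blob descriptor (contentUri, contentId, ...) across pages.

    fetch(url) must return (status, headers, json_body). When a listing is
    paged, the next page is advertised in the NextPageUri response header
    and must be followed until it is absent.
    """
    seen = set()
    while url and url not in seen:   # guard against a NextPageUri loop
        seen.add(url)
        status, headers, body = fetch(url)
        if status != 200:
            raise RuntimeError(f"HTTP {status} listing content: {body}")
        for blob in body:
            yield blob
        url = headers.get("NextPageUri")
```

An empty JSON array with status 200, as in the DLP.All report further down, is a valid answer from `iter_content_blobs` (it simply yields nothing); only a non-200 status is treated as a failure.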

Suitable method to pull Office 365 Security and Compliance Threat Management Explorer [All emails] data using an API

I need to fetch all email data from the threat explorer view. Currently what I do is search the email in the filter and use the export email list

I get output in the format of a CSV file having data headers mentioned below with relevant data of the respective emails:
Email date (UTC),Recipients,Subject,Sender,Sender IP,Sender domain,Delivery action,Latest delivery location,Original delivery location,Internet message ID,Network message ID,Mail language,Original recipients,Additional actions,Threats,File threats,File hash,Threats / Detection technologies,Final system override,Tenant system override(s),User system override(s),Directionality,URLs,Sender tags,Recipient tags,Connector

Is there a way I can fetch these data using API? If yes, what is the exact API?


Note: I have also tried Microsoft management activity API but I am super confused about which specific schema to be used here in this case. I see that there are 5 schemas: Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General, DLP.All

Also if it is Audit.General, which specific product schema are we referencing?

I am looking exactly at the data which gets the fetch all email data from the threat explorer which I currently use the export email list option.
Also, I do not see these in the schema responses as per this link to the Management API schema:
"Email date (UTC),Recipients,Subject,Sender,Sender IP,Sender domain,Delivery action,Latest delivery locationOriginal recipients,Additional actions,Threats,File threats,File hash,Threats Detection technologies,Final system override,Tenant system override(s),User system override(s),Directionality"

Issue with "Get started with Office 365 Management APIs" doc.

Need an update on "Specify the permissions your app requires to access the Office 365 Management APIs" section:
https://docs.microsoft.com/en-us/office/office-365-management-api/get-started-with-office-365-management-apis#specify-the-permissions-your-app-requires-to-access-the-office-365-management-apis
Step 3: The Office Management APIs now appear in the list of applications to which your application requires permissions. Under both Application Permissions and Delegated Permissions, select the permissions your application requires. Refer to the specific API reference for more details about each permission.
Note : There are currently four unused permissions related to activity reports and threat intelligence that will be removed in the future. Do not select any of these permissions because they are unnecessary.


Should be updated as below:
Step 3: The Office Management APIs now appear in the list of applications to which your application requires permissions. Under both Application Permissions and Delegated Permissions, select the permissions your application requires. Refer to the specific API reference for more details about each permission.
Permissions Details:
For Activity Feed (O365 Management Activity API)
ActivityFeed.Read : Read Activity data for your organization.
ActivityFeed.ReadDlp : Read DLP policy events including detected sensitive data.
For Service Health (Service Communication API)
ServiceHealth.Read : Read service health information for your organization.


Old Screen Shots

The screen shots are from the old version of Azure, they should be updated to reflect the current portal.

Dynamics schema is missing

The following page does not have Dynamics 365 schema information, even though we can get logs of Dynamics using Office 365 Management Activity API.

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
https://github.com/MicrosoftDocs/office-365-management-api/blob/live/office-365-management-api/office-365-management-activity-api-schema.md

For example, we can get a Dynamics log like below (some values are masked):

  {
    "CreationTime": "2019-12-24T06:01:09",
    "Id": "11111111-42f2-43ca-a38c-1b4c737453c2",
    "Operation": "CrmDefaultActivity",
    "OrganizationId": "11111111-a4ac-4fae-bb88-4549cb43e0f2",
    "RecordType": 21,
    "ResultStatus": "Success",
    "UserKey": "Unknown",
    "UserType": 0,
    "Version": 1,
    "Workload": "CRM",
    "ClientIP": "52.163.88.69:50749",
    "ObjectId": "UpdateRibbonClientMetadata ",
    "UserId": "Unknown",
    "CrmOrganizationUniqueName": "orgc111a6c1",
    "Fields": [],
    "InstanceUrl": "https://contoso.crm5.dynamics.com/",
    "ItemType": "Dynamics365",
    "ItemUrl": "https://contoso.crm5.dynamics.com/",
    "UserAgent": "crm-bts-jobs/1.0",
    "CorrelationId": "00000000-0000-0000-0000-000000000000",
    "EntityId": "00000000-0000-0000-0000-000000000000",
    "EntityName": "Unknown",
    "Message": "UpdateRibbonClientMetadata",
    "PrimaryFieldValue": "",
    "Query": "",
    "QueryResults": "",
    "ServiceContextId": "00000000-0000-0000-0000-000000000000",
    "ServiceContextIdType": "",
    "ServiceName": "Dynamics365",
    "SystemUserId": "11111111-aed6-428b-adfc-a441cb413dd3",
    "UserUpn": ""
  }

But, there is no description of CrmOrganizationUniqueName or InstanceUrl on the documentation.

Do you have any plan to update the documentation to include Dynamics schema information?
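Several reports on this page (undocumented RecordType values, the Endpoint DLP, SkypeForBusiness and Dynamics records with no schema entry, a deserializer that threw on an unexpected workload) share one lesson: a collector must not crash on audit records whose shape it has not seen. The added example below is mine, not code from this repository or from Microsoft. It parses a content blob into a common-schema record, keeps workload-specific fields verbatim instead of rejecting them, normalizes Parameters whether it arrives as a Name/Value list or as a string, counts unknown (RecordType, Workload) pairs for follow-up, and quarantines records that lack the common fields it requires. The RecordType map is a deliberately partial subset of the documented enum (only values that appear on this page), the list of required fields is this example's own choice, and the sample blob is constructed from trimmed versions of the records quoted above.

```python
import json
from collections import Counter
from dataclasses import dataclass, field

# Partial map of the documented AuditLogRecordType enum: only the values that
# appear in records quoted on this page. Anything absent is reported, not rejected.
KNOWN_RECORD_TYPES = {21: "CRM", 23: "SkypeForBusinessCmdlets",
                      36: "SharePointListOperation", 63: "DLPEndpoint"}

# Common-schema fields this parser insists on (an assumption of this example);
# a record lacking one is quarantined as malformed rather than dropped silently.
REQUIRED_COMMON = ("Id", "RecordType", "CreationTime", "Operation",
                   "OrganizationId", "UserKey", "Workload")
_COMMON_ALL = set(REQUIRED_COMMON) | {"UserId", "UserType", "Version", "Parameters"}


@dataclass
class AuditRecord:
    id: str
    record_type: int
    record_type_name: str
    workload: str
    operation: str
    creation_time: str
    user: str
    parameters: dict = field(default_factory=dict)
    extra: dict = field(default_factory=dict)   # workload-specific fields, untouched


def normalize_parameters(value):
    """Parameters is a Name/Value list on SkypeForBusiness records but a plain
    string in the Security & Compliance schema; expose both as a dict."""
    if isinstance(value, list):
        return {p.get("Name", ""): p.get("Value", "") for p in value if isinstance(p, dict)}
    if isinstance(value, str) and value:
        return {"raw": value}
    return {}


def parse_record(raw):
    """Map one raw record to AuditRecord; raises ValueError if common fields are missing."""
    missing = [k for k in REQUIRED_COMMON if k not in raw]
    if missing:
        raise ValueError(f"missing common fields: {missing}")
    rt = int(raw["RecordType"])
    return AuditRecord(
        id=raw["Id"], record_type=rt,
        record_type_name=KNOWN_RECORD_TYPES.get(rt, f"Unknown({rt})"),
        workload=raw["Workload"], operation=raw["Operation"],
        creation_time=raw["CreationTime"],
        user=raw.get("UserId") or raw["UserKey"],
        parameters=normalize_parameters(raw.get("Parameters")),
        extra={k: v for k, v in raw.items() if k not in _COMMON_ALL},
    )


def parse_blob(text):
    """Parse one content blob (a JSON array of records).

    Returns (records, unknown_types, malformed): unknown_types counts
    (RecordType, Workload) pairs absent from KNOWN_RECORD_TYPES so the enum
    table can be extended; malformed holds (raw, reason) for failed records.
    """
    records, unknown, malformed = [], Counter(), []
    for raw in json.loads(text):
        try:
            rec = parse_record(raw)
        except (ValueError, TypeError, KeyError, AttributeError) as exc:
            malformed.append((raw, str(exc)))
            continue
        records.append(rec)
        if rec.record_type not in KNOWN_RECORD_TYPES:
            unknown[(rec.record_type, rec.workload)] += 1
    return records, unknown, malformed


# Constructed sample blob (not real tenant data): trimmed Endpoint DLP, Dynamics
# and SkypeForBusiness records, an undocumented RecordType, and a truncated record.
ORG = "11111111-a4ac-4fae-bb88-4549cb43e0f2"
SAMPLE_BLOB = json.dumps([
    {"Id": "a70cb637-7b6e-4002-8170-eb66ce46f28b", "RecordType": 63, "CreationTime": "2021-03-04T14:06:26",
     "Operation": "FileDeleted", "OrganizationId": ORG, "UserType": 0, "UserKey": "user01@contoso.com",
     "UserId": "user01@contoso.com", "Workload": "Endpoint", "Version": 1, "Application": "EXCEL.EXE",
     "ObjectId": "C:\\Users\\User01\\Desktop\\~$test.xlsx", "FileExtension": "xlsx"},
    {"Id": "11111111-42f2-43ca-a38c-1b4c737453c2", "RecordType": 21, "CreationTime": "2019-12-24T06:01:09",
     "Operation": "CrmDefaultActivity", "OrganizationId": ORG, "UserType": 0, "UserKey": "Unknown",
     "UserId": "Unknown", "Workload": "CRM", "Version": 1, "CrmOrganizationUniqueName": "orgc111a6c1",
     "InstanceUrl": "https://contoso.crm5.dynamics.com/"},
    {"Id": "00000000-0000-0000-0000-000000000001", "RecordType": 23, "CreationTime": "2020-01-13T12:00:00",
     "Operation": "Set-CsUser", "OrganizationId": ORG, "UserType": 2, "UserKey": "admin@contoso.com",
     "Workload": "SkypeForBusiness", "Parameters": [{"Name": "Identity", "Value": "user01"}]},
    {"Id": "00000000-0000-0000-0000-000000000002", "RecordType": 205, "CreationTime": "2023-01-01T00:00:00",
     "Operation": "Unknown", "OrganizationId": ORG, "UserType": 0, "UserKey": "user01@contoso.com",
     "Workload": "SharePoint"},
    {"Id": "00000000-0000-0000-0000-000000000003", "RecordType": 36},
])
```

Feeding the unknown counter into a daily report is the practical answer to the "missing RecordType enum values" issue: the gap between what the tenant emits and what the documentation lists becomes visible the day it appears rather than when a downstream parser breaks.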

Receiving HEAD Http requests to my webhook

Not sure why this HTTP method is being used to hit my endpoints; the requests are being rejected because of the method used.

I see them in my logs coming from a Microsoft IP (217.182.175.162). I don't see these requests mentioned anywhere in the documentation.
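The HEAD requests reported here and the earlier "webhook silently unsubscribing" report are two sides of the same receiver problem: the endpoint has to answer the subscription-time validation POST promptly, tolerate probes, and accept only notifications that carry the authId it registered, without treating every pushed URL as trustworthy. The following added example is mine, not code from this repository or from Microsoft. The validation body with `validationCode` and the `Webhook-AuthID` header on notifications are as the Activity API reference describes them; answering HEAD/GET with 200, requiring a non-empty authId, and fetching only `https://manage.office.com` content URIs are this example's own choices. The handler is framework-neutral (method, headers, body in; status, body, URIs out) so it runs offline; the notification payloads in the test are constructed.

```python
import hmac
import json
from urllib.parse import urlsplit

# Only blobs hosted by the Management Activity API are ever fetched; a pushed
# contentUri pointing anywhere else is treated as hostile input, not followed.
ALLOWED_CONTENT_HOSTS = {"manage.office.com"}


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    wanted = name.lower()
    return next((v for k, v in headers.items() if k.lower() == wanted), None)


def handle_webhook(method, headers, body, expected_auth_id):
    """Decide how to answer one inbound request to the webhook address.

    Returns (status, response_body, content_uris).
      HEAD/GET          reachability probe: 200 with an empty body, so the
                        probe is not logged (or rejected) as a bad method.
      POST validation   {"validationCode": ...}: answer 200 promptly, or the
                        subscription never becomes enabled.
      POST notification JSON array of blob descriptors: the Webhook-AuthID
                        header must equal the authId given at subscription
                        time; only allow-listed contentUri values are returned.
    """
    if method in ("HEAD", "GET"):
        return 200, "", []
    if method != "POST":
        return 405, "method not allowed", []
    try:
        payload = json.loads(body or "")
    except ValueError:
        return 400, "body is not JSON", []

    if isinstance(payload, dict) and "validationCode" in payload:
        return 200, "", []          # echoing the code back is not required

    if not isinstance(payload, list):
        return 400, "unexpected payload shape", []

    # A subscription registered without an authId would make every POST
    # acceptable; this receiver refuses to operate that way.
    presented = _header(headers, "Webhook-AuthID") or ""
    if not expected_auth_id or not hmac.compare_digest(presented, expected_auth_id):
        return 401, "bad Webhook-AuthID", []

    uris = []
    for blob in payload:
        uri = blob.get("contentUri") if isinstance(blob, dict) else None
        if not uri:
            continue
        parts = urlsplit(uri)
        if parts.scheme == "https" and parts.hostname in ALLOWED_CONTENT_HOSTS:
            uris.append(uri)
    return 200, "", uris
```

Return the 200 first and fetch the content afterwards: the notification is a pointer, and doing the download inside the request handler is the usual way to exceed the response deadline and have the webhook disabled.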
