Create auditLogQuery v1.0 not available and inaccurate results from pagination

Vaughn Woerpel 0 Reputation points
2025-11-06T17:21:15.8+00:00

Hello! I'm exploring the Graph API for querying the Unified Audit Log via the following endpoint:

POST /security/auditLog/queries

I've been discovering some discrepancies in two ways:

  • Total # of documents returned is not the same over multiple queries against the same time range
  • The v1.0 endpoint does not work, and returns an error on use despite it supposedly being GA according to this page.

v1.0 issue:

When querying the v1.0 endpoint via HTTP, it returns this error:

{"error":{"code":"BadRequest","message":"Resource not found for the segment 'auditLog'.","innerError":{"date":"2025-11-06T17:04:52","request-id":"27fe73a8-b304-4a64-85a4-1cc619021484","client-request-id":"27fe73a8-b304-4a64-85a4-1cc619021484"}}}

This somewhat seems to indicate that this API is not enabled. Is it not enabled globally, or is this a tenant setting? The tenant itself is able to have results returned via the beta API endpoint, and has all of the requisite permissions set. The Graph API explorer also seems to indicate that it is not available. Is the documentation page inaccurate on its general availability?

Document count discrepancy

For the time being while v1.0 doesn't seem to work, I have been using the beta API endpoint documented here. This one seems to work for the most part, and lets me both create queries, and then paginate over those query results. The results of the queries however varies based on unknown factors.

For example, I created three queries, each over a duration of 30 days, totaling 90 days of auditLog data. When paginated over, these results first produced ~340,000 results. Paginating over the same set of completed queries for a second time yielded a different set of results, this time numbering ~400,000. There were additionally 40k results in the set of 340000 that were not present in the 400000, and 100k results from the 400000 that were not present in the 300000, meaning that neither of those sets were representative of the whole. Pagination was done using the Graph API provided @odata.nextLink parameter, and these pagination queries were executed within 10 minutes of one another against the exact same set of IDs. What are the Microsoft recommended steps for ensuring accurate and complete data is provided when querying the security auditLog endpoints?

Any help or information from MS personnel would be appreciated!

Microsoft Security | Microsoft Graph
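The comparison described in the question (two pagination passes over the same completed queries, then the records missing from each side) is easy to get wrong by hand, so here is an added example that walks an `@odata.nextLink` chain, guards against a looping link, and reconciles two passes by record id. It is not Microsoft code and not from the original post; the response shape (a `value` array plus `@odata.nextLink`), the `records` URL under the beta `security/auditLog/queries/{id}` resource, the `id` field used as the record key, and every page below are assumptions or constructed sample data.

```python
"""Follow @odata.nextLink pagination and reconcile two passes over one
audit log query.  Added example for this thread, not Microsoft's code.
Assumed: each page is a JSON object with a "value" list and an optional
"@odata.nextLink"; each record carries a unique "id".  Pages are constructed."""
from typing import Callable, Dict, Iterable, List

Page = Dict[str, object]
Fetch = Callable[[str], Page]


def paginate(fetch: Fetch, first_url: str, max_pages: int = 10_000) -> List[dict]:
    """Collect every record reachable from first_url by following nextLink.

    fetch(url) must return the decoded JSON body of a GET on url.  URLs already
    visited are remembered so a nextLink that points back at itself raises
    instead of spinning forever."""
    records: List[dict] = []
    seen_urls = set()
    url = first_url
    for _ in range(max_pages):
        if url in seen_urls:
            raise RuntimeError(f"pagination loop: {url} was returned twice")
        seen_urls.add(url)
        page = fetch(url)
        records.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
        if not url:  # last page: no continuation link
            return records
    raise RuntimeError(f"gave up after {max_pages} pages")


def reconcile(run_a: Iterable[dict], run_b: Iterable[dict], key: str = "id") -> dict:
    """Compare two passes over the same query by record id and report the gaps."""
    ids_a = {r[key] for r in run_a}
    ids_b = {r[key] for r in run_b}
    return {
        "count_a": len(ids_a),
        "count_b": len(ids_b),
        "only_in_a": sorted(ids_a - ids_b),
        "only_in_b": sorted(ids_b - ids_a),
        "union": len(ids_a | ids_b),
        "consistent": ids_a == ids_b,
    }


def merge_runs(*runs: Iterable[dict], key: str = "id") -> List[dict]:
    """Union of several passes keyed by id: a safer baseline than any one pass."""
    merged: Dict[str, dict] = {}
    for run in runs:
        for r in run:
            merged.setdefault(r[key], r)
    return list(merged.values())


# Constructed sample pages (query id is a placeholder, not a real value).
BASE = "https://graph.microsoft.com/beta/security/auditLog/queries/QUERY-ID-PLACEHOLDER/records"
PASS_ONE = {
    BASE: {"value": [{"id": "r1"}, {"id": "r2"}], "@odata.nextLink": BASE + "?$skiptoken=p2"},
    BASE + "?$skiptoken=p2": {"value": [{"id": "r3"}, {"id": "r4"}]},
}
PASS_TWO = {  # second pass: r2 gone, r5 and r6 new, one more page
    BASE: {"value": [{"id": "r1"}, {"id": "r3"}], "@odata.nextLink": BASE + "?$skiptoken=q2"},
    BASE + "?$skiptoken=q2": {"value": [{"id": "r4"}, {"id": "r5"}], "@odata.nextLink": BASE + "?$skiptoken=q3"},
    BASE + "?$skiptoken=q3": {"value": [{"id": "r6"}]},
}
LOOPING = {BASE: {"value": [{"id": "r1"}], "@odata.nextLink": BASE}}


def fetch_from(pages: Dict[str, Page]) -> Fetch:
    """Offline stand-in for an authenticated GET: serves constructed pages."""
    return lambda url: pages[url]


def demo() -> dict:
    """Run both constructed passes and reconcile them."""
    a = paginate(fetch_from(PASS_ONE), BASE)
    b = paginate(fetch_from(PASS_TWO), BASE)
    return reconcile(a, b)


if __name__ == "__main__":
    print(demo())
    print(len(merge_runs(paginate(fetch_from(PASS_ONE), BASE),
                         paginate(fetch_from(PASS_TWO), BASE))), "records after merging")
```

Against a live tenant the `fetch` callable would be a real authenticated GET (for instance `requests.get(url, headers={"Authorization": "Bearer <token>"}).json()`, honouring `Retry-After` on 429 responses); the reconciliation logic is unchanged. Keeping the union of several passes and logging `only_in_a` / `only_in_b` per run gives concrete evidence to attach to a support case, rather than a single total that moves between runs.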