Microsoft Graph Input

The Microsoft Graph input supports collecting email logs, Microsoft Entra ID logs, directory, provisioning, and sign-in audit logs using Microsoft Graph APIs. See the official documentation for more information about the Microsoft Graph API.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • You must have an existing Entra ID account. Follow the official Microsoft instructions to set up a new Azure App and generate the necessary credentials for authentication. During the app setup, note the Client ID, Tenant ID, and Client Secret, which are required when configuring the input in Graylog.

  • The API user (the registered application) must be granted the following permissions for each log type you intend to collect:

    Log Type                | Permissions                                                                                       | License Requirements
    ------------------------|---------------------------------------------------------------------------------------------------|----------------------------------
    Email Logs              | User.Read.All, User.ReadBasic.All, Mail.Read, Mail.ReadBasic, Mail.ReadBasic.All, Mail.ReadWrite  | Microsoft Office 365 Business
    Directory Audit Logs    | AuditLog.Read.All, Directory.Read.All, Directory.ReadWrite.All                                    |
    Sign-In Audit Logs      | AuditLog.Read.All                                                                                 | At least Microsoft Entra P1 or P2
    Provisioning Audit Logs | AuditLog.Read.All                                                                                 |

Graylog Input Configuration

When launching this input from the Graylog Inputs tab, configure the following field values:

  • Input Name: Provide a unique name for your new input.

  • Tenant ID: Provide the tenant ID of your Microsoft Entra ID account.

  • Client ID: Provide the client ID of the application registered in your Microsoft Entra ID account.

  • Client Secret: Provide the client secret of the application registered in your Microsoft Entra ID account.

  • Subscription Type: Select the Microsoft Entra ID (formerly Azure AD) subscription plan your organization uses.

  • Log Types to Collect: The log types to collect. By default, all the log types are selected. At least one log type must be selected.

  • Polling Interval: Determines how often (in minutes) Graylog checks for new data in Graph APIs. The shortest allowable interval is 5 minutes.

  • Read Time Offset (minutes): How long Graylog will wait for logs to become available in the Microsoft Graph API before attempting to read them.

  • Enable Throttling: If enabled, no new messages are read from this input until Graylog catches up with its message load.
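The permission table and the field constraints above can be checked before the input is launched. The following pre-flight check is an added example written for this page, not Graylog's own code; the log-type keys, the license tier labels (FREE, P1, P2) and the function names are assumptions chosen for illustration.

```python
# Required Graph application permissions per log type, taken from the table above.
REQUIRED_PERMISSIONS = {
    "email": {"User.Read.All", "User.ReadBasic.All", "Mail.Read",
              "Mail.ReadBasic", "Mail.ReadBasic.All", "Mail.ReadWrite"},
    "directory_audit": {"AuditLog.Read.All", "Directory.Read.All",
                        "Directory.ReadWrite.All"},
    "sign_in_audit": {"AuditLog.Read.All"},
    "provisioning_audit": {"AuditLog.Read.All"},
}

# Assumed tier labels; sign-in audit logs need at least Entra ID P1 (P2 also qualifies).
LICENSE_RANK = {"FREE": 0, "P1": 1, "P2": 2}
MIN_POLLING_INTERVAL_MINUTES = 5  # shortest allowable polling interval (see above)


def required_for(log_types):
    """Union of permissions the app registration needs for the selected log types."""
    known = [t for t in log_types if t in REQUIRED_PERMISSIONS]
    return set().union(*(REQUIRED_PERMISSIONS[t] for t in known))


def preflight(log_types, granted, license_tier, polling_interval):
    """Return a list of configuration problems; an empty list means the input can start."""
    problems = []
    if not log_types:
        problems.append("at least one log type must be selected")
    for t in log_types:
        if t not in REQUIRED_PERMISSIONS:
            problems.append(f"unknown log type: {t}")
    if polling_interval < MIN_POLLING_INTERVAL_MINUTES:
        problems.append(f"polling interval {polling_interval} is below the "
                        f"{MIN_POLLING_INTERVAL_MINUTES} minute minimum")
    # Least-privilege view: report exactly which listed permissions are not yet granted.
    for perm in sorted(required_for(log_types) - set(granted)):
        problems.append(f"missing permission: {perm}")
    if "sign_in_audit" in log_types and \
            LICENSE_RANK.get(license_tier, 0) < LICENSE_RANK["P1"]:
        problems.append("sign-in audit logs require at least Microsoft Entra P1 or P2")
    return problems


if __name__ == "__main__":
    # Constructed sample: app granted only the audit-log scope, tenant on a free tier.
    for p in preflight(["sign_in_audit", "directory_audit"],
                       {"AuditLog.Read.All"}, "FREE", 5):
        print("problem:", p)
```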