2
votes

The documentation for the Microsoft Graph directoryAudits endpoint lists AuditLog.Read.All as a required permission. It is listed as available for both Delegated and Application permission types.

However, I cannot add AuditLog.Read.All as a Delegated permission to my V2 registered app, either via apps.dev.microsoft.com (it does not show as an option in the Delegated permissions picker), or via the new Application Registrations endpoint in the Azure Portal (it throws an HTTP 400 error when attempting to save after selecting AuditLog.Read.All as a Delegated permission).

How do I register AuditLog.Read.All on my application as a delegated permission so that admin consent flow can be performed?

2
Seems like a bug there, I suppose you could try to modify the application object directly via MS Graph, but I assume that would cause a 400 too. – juunas

@juunas declaring it (via name) at time of API call works for that call, but to modify the manifest I need to know the scope GUID. My goal here is to get admin consent working for this delegated scope, so I need to get it declared in the manifest. – Wes K.

Yeah, you can find the scope GUID from the service principal for MS Graph API in your tenant :) – juunas

@juunas thanks, found the scope ID that way... but editing the manifest in the App Registration Portal directly fails with "The Required Resource Access specified in the request is invalid." :( Same error when patching via Graph. – Wes K.

@RohitSaigal unfortunately switching to v1 is not an option for me. :( – Wes K.

2 Answers

0
votes

Find your registered app in the App registrations (preview) in the Azure portal (this is for the v2 app), and then under API Permissions you can find AuditLog.Read.All among the delegated permissions for Microsoft Graph.


After you add and update permissions, you could get this:

For this, you will need to log in with an admin account to consent to this permission.

After the admin consents to this, you could find:


0
votes

It appears that changing signInAudience in the application manifest from AzureADandPersonalMicrosoftAccount to AzureADMultipleOrgs allows the AuditLog.Read.All to properly register.
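The following script is an added example, not code from the question, the comments or either answer. It puts the two pieces of advice above together for a Graph API client: resolve the delegated scope GUID from the Microsoft Graph service principal in the tenant (as juunas suggests, rather than hard-coding it), then build a single `PATCH /applications/{id}` body that switches `signInAudience` to `AzureADMultipleOrgs` (as the second answer describes) and declares `AuditLog.Read.All` under `requiredResourceAccess` with `type: "Scope"`. The well-known Microsoft Graph resource appId `00000003-0000-0000-c000-000000000000` is real; every other GUID, tenant name and redirect URI is a constructed placeholder, and the service principal and application documents are constructed samples shaped like Graph v1.0 responses. The HTTP calls themselves (and the bearer token they need) are left to the caller.

```python
import copy
import json
import urllib.parse
from typing import Any, Dict, List

# Well-known appId of the Microsoft Graph resource; it is the same in every tenant.
GRAPH_RESOURCE_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed sample of the Graph service principal as returned by
# GET /servicePrincipals?$filter=appId eq '<graph appId>' (only the fields used
# here). The scope GUIDs are placeholders, NOT the real AuditLog.Read.All id.
SAMPLE_GRAPH_SP: Dict[str, Any] = {
    "appId": GRAPH_RESOURCE_APP_ID,
    "oauth2PermissionScopes": [
        {"id": "11111111-1111-1111-1111-111111111111", "value": "User.Read", "type": "User"},
        {"id": "22222222-2222-2222-2222-222222222222", "value": "AuditLog.Read.All", "type": "Admin"},
    ],
}

# Constructed sample of the v2 application object before the change: the
# audience that the question's registration had, with User.Read already declared.
SAMPLE_APP: Dict[str, Any] = {
    "id": "33333333-3333-3333-3333-333333333333",
    "appId": "44444444-4444-4444-4444-444444444444",
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "requiredResourceAccess": [
        {
            "resourceAppId": GRAPH_RESOURCE_APP_ID,
            "resourceAccess": [{"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"}],
        }
    ],
}


def find_delegated_scope_id(service_principal: Dict[str, Any], scope_value: str) -> str:
    """Map a delegated scope name (e.g. AuditLog.Read.All) to its GUID by
    reading oauth2PermissionScopes on the resource's service principal."""
    for scope in service_principal.get("oauth2PermissionScopes", []):
        if scope.get("value") == scope_value:
            return scope["id"]
    raise LookupError(f"{scope_value} is not a delegated scope on {service_principal.get('appId')}")


def with_delegated_scope(required_resource_access: List[Dict[str, Any]],
                         resource_app_id: str, scope_id: str) -> List[Dict[str, Any]]:
    """Return a copy of requiredResourceAccess with scope_id declared as a
    delegated ("Scope", not "Role") entry for resource_app_id. Existing entries
    are preserved and the call is idempotent."""
    result = copy.deepcopy(required_resource_access)
    for entry in result:
        if entry["resourceAppId"] == resource_app_id:
            already = any(a["id"] == scope_id and a["type"] == "Scope" for a in entry["resourceAccess"])
            if not already:
                entry["resourceAccess"].append({"id": scope_id, "type": "Scope"})
            return result
    result.append({"resourceAppId": resource_app_id,
                   "resourceAccess": [{"id": scope_id, "type": "Scope"}]})
    return result


def build_patch_body(application: Dict[str, Any], service_principal: Dict[str, Any],
                     scope_value: str, sign_in_audience: str = "AzureADMultipleOrgs") -> Dict[str, Any]:
    """Body for PATCH /applications/{object id}: change the audience and declare
    the delegated scope in one request, so the manifest is never saved in the
    combination that the question reports as rejected."""
    scope_id = find_delegated_scope_id(service_principal, scope_value)
    return {
        "signInAudience": sign_in_audience,
        "requiredResourceAccess": with_delegated_scope(
            application.get("requiredResourceAccess", []), service_principal["appId"], scope_id),
    }


def admin_consent_url(tenant: str, client_id: str, redirect_uri: str, scopes: List[str]) -> str:
    """v2.0 admin consent URL a tenant admin opens to grant the declared scopes."""
    query = urllib.parse.urlencode({"client_id": client_id, "scope": " ".join(scopes),
                                    "redirect_uri": redirect_uri})
    return f"https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?{query}"


if __name__ == "__main__":
    body = build_patch_body(SAMPLE_APP, SAMPLE_GRAPH_SP, "AuditLog.Read.All")
    print(json.dumps(body, indent=2))  # send as PATCH /applications/{SAMPLE_APP['id']}
    print(admin_consent_url("contoso.example", SAMPLE_APP["appId"], "https://localhost/consent",
                            ["https://graph.microsoft.com/AuditLog.Read.All"]))
```

In a real run, replace the two sample documents with the JSON returned by Graph for your tenant's Microsoft Graph service principal and your application object, and send the body with a token that can write applications. Keeping the merge idempotent matters because re-running a registration script must not append duplicate `resourceAccess` entries, which is one way to end up with a manifest Graph refuses to save.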