Queries for the MicrosoftGraphActivityLogs table

For information on using these queries in the Azure portal, see the Log Analytics tutorial. For the REST API, see Query.

Frequent users endpoint callers

Gets a list of the apps and service principals that call the users endpoint, ranked by request count.

MicrosoftGraphActivityLogs
| where RequestUri has "users"
| summarize NumRequests=count() by AppId, ServicePrincipalId, UserId
| sort by NumRequests desc
| limit 100

Failed groups endpoint requests

Gets a list of failed (HTTP 403) requests to group entities, by apps and service principals.

MicrosoftGraphActivityLogs
| where ResponseStatusCode == 403
| where RequestUri has "groups"
| summarize UniqueRequests=dcount(RequestId) by AppId, ServicePrincipalId, UserId
| sort by UniqueRequests desc
| limit 100
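
Both queries above use `has`, which matches the term anywhere in the URI (query string included), and the second one counts 403 responses without the total they came from. The following added example (not part of the original page) keys on the resource segment of the path and reports the 403 ratio per caller; the one-day window and both thresholds are assumed values to tune.

```kusto
// Added example: per-caller 403 ratio for the users and groups endpoints.
// Assumes the standard MicrosoftGraphActivityLogs columns.
let Lookback = 1d;          // assumed window
let MinDenied = 20;         // assumed threshold: minimum 403 responses
let MinDeniedPct = 50.0;    // assumed threshold: share of requests denied
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(Lookback)
// Use only the path, so "users" or "groups" in a query string does not match.
| extend Path = tostring(parse_url(RequestUri).Path)
// Path looks like /v1.0/users/<id>/... or /beta/groups('<id>')/...;
// capture the first resource name after the API version segment.
| extend Resource = tolower(extract(@"^/[^/]+/([A-Za-z]+)", 1, Path))
| where Resource in ("users", "groups")
| summarize
    TotalRequests = count(),
    DeniedRequests = countif(ResponseStatusCode == 403),
    DistinctUris = dcount(RequestUri),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by AppId, ServicePrincipalId, UserId, Resource
| extend DeniedPct = round(100.0 * DeniedRequests / TotalRequests, 1)
// Keep callers that are denied often and for most of what they request.
| where DeniedRequests >= MinDenied and DeniedPct >= MinDeniedPct
| sort by DeniedRequests desc
| limit 100
```

A caller with a high DeniedPct across many DistinctUris is requesting resources it has no permission for; a high DeniedPct on a single URI more often points to one missing permission grant.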