Office365 / Azure audit log collector

Office365 / Azure audit log collector


View on Github
Open Issues

Use cases:

  • Ad-lib log retrieval;
  • Scheduling regular execution to retrieve the full audit trail.


  • Subscribe to the audit logs of your choice through the subscription script;
  • Collect General, Exchange, Sharepoint, Azure active directory and/or DLP audit logs through the collector script;
  • Output to file or to a Graylog input (i.e. send the logs over a network socket)


  • Office365 tenant;
  • Azure application created for this script (see instructions)
  • AzureAD tenant ID;
  • Client key of the new Azure application;
  • Secret key (created in the new Azure application, see instructions);
  • App permissions to access the API’s for the new Azure application (see instructions);
  • Subscription to the API’s of your choice (General/Sharepoint/Exchange/AzureAD/DLP, run AuditLogSubscription script and follow the instructions).

I made a bunch of changes to this tool on its’ Github page to make it easier to use and more robust. Also added more detailed onboarding instructions.

If anyone has any questions or issues with it let me know on Github or here :slight_smile:


Thanks much for the update, @ddbnl . Let me know if you’d like the community help you announce your updates. If you’re interested, send me email at

As a heads up, I’ve rewritten the engine of the log collector in Rust, and in my own tests it’s been at least 10 times faster. In terms of using it everything is the same, it should just be faster.

I’ve also added a ‘timestamp’ field to every log (copy from a field called CreationTime present in every audit log) to make it easier to use with Graylog.

If you have a large tenant and had long run times it’s worth trying the latest executable.