Skip to main content

Azure Active Directory

You can ship logs available from the Microsoft Graph APIs with Logzio-MSGraph. Logzio-MSGraph is a self-hosted application.

Logzio-MSGraph supports these APIs:

  • Azure Active Directory audit logs
  • Azure Active Directory sign-in logs

There are many other APIs available through Microsoft Graph. If you don't see your API in the list, please open an issue at GitHub to request it.

Register a new app in Azure Active Directory

In the Azure portal, go to App registration and select New registration from the top menu.

Name your app and click Register.

Create a client secret

Choose Certificates & secrets from the side menu, and click on New client secret.

Add a Description. We recommend something specific, such as "secret for Logzio-MSGraph integration".

In the Expires list, choose Never.

Click Add.

Copy the value of the generated secret to your text editor. You'll need this later.


You won't be able to retrieve the secret's value after you leave this page.

Set the app's permissions

Choose API permissions from the side menu, and click Add a permission.

Select Microsoft Graph > Application permissions.

Select these items:

  • AuditLog.Read.All
  • Directory.Read.All

Click Add permissions.

Click Grant admin consent for Default Directory, and then click Yes to confirm.


Only Azure administrators can grant consent for Default Directory. If the Grant admin consent button is disabled, ask your Azure admin to update the setting for you.

Create a configuration file

Create a configuration yaml file (logzio-msgraph-config.yaml) for Logzio-MSGraph.

For a complete list of options, see the configuration parameters below.👇

accountToken: "<<LOG-SHIPPING-TOKEN>>"
listenerUrl: "<<LISTENER-HOST>>"

pullIntervalSeconds: 300
tenantId: "<<AD_TENANT_ID>>"
clientId: "<<APP_CLIENT_ID>>"
clientSecret: "<<APP_CLIENT_SECRET_VALUE>>"

logLevel: INFO


senderParams.accountTokenYour account token. Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.Required
senderParams.listenerUrlListener URL. Replace <<LISTENER-HOST>> with the host for your region. For example, if your account is hosted on AWS US East, or if hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS =
senderParams.fromDiskIf true, logs are stored on disk until they're shipped. (See If from-disk=true below). If false, logs persist in memory until they're shipped. (See If from-disk=false below.true
senderParams.senderDrainIntervalsHow often the sender should drain the queue, in seconds.30
azureADClient.tenantIdAzure Active Directory tenant ID. You can find this in the Overview section of the app you registered in step 1.Required
azureADClient.clientIdApplication client ID. You can find this in the Overview section of the app you registered in step 1.Required
azureADClient.clientSecretValue of the Application Client Secret you created in step 2.Required
azureADClient.pullIntervalSecondsTime interval, in seconds, to pull the logs with the Graph API.300
logLevelLog level for Logizo-MSGraph to omit. Can be one of: OFF, ERROR, WARN, INFO, DEBUG, TRACE, ALL.INFO
targetApiSpecifies types of api lists to run, each API provider has its own list. Must contain at least 1 list with 1 api in the list. Current supported providers: ADApis, ASCApis.Required

If fromDisk=true

senderParams.fileSystemFullPercentThresholdThreshold percentage of disk space at which to stop queueing. If this threshold is reached, all new logs are dropped until used space drops below the threshold. Set to -1 to ignore threshold.98
senderParams.gcPersistedQueueFilesIntervalSecondsTime interval, in seconds, to clean sent logs from the disk.30
senderParams.diskSpaceCheckIntervalTime interval, in milliseconds, to check for disk space.1000

If fromDisk=false

senderParams.inMemoryQueueCapacityInBytesThe amount of memory, in bytes, Logzio-MSGraph can use for the memory queue. Set to -1 for unlimited bytes.1024 * 1024 * 100
senderParams.logsCountLimitThe number of logs in the memory queue before dropping new logs. Set to -1 to configure the sender to not limit the queue by logs count.-1

Download and run Logzio-MSGraph

You can launch Logzio-MSGraph in a Docker container or as a standalone Java app.

In a Docker container:

docker run -d -v $(pwd)/logzio-msgraph-config.yaml:/config.yaml logzio/logzio-msgraph

Or to run as a standalone Java app, download the latest jar from the release page. Then run:

java -jar logzio-msgraph.jar logzio-msgraph-config.yaml

Logs collected by this integration will have the type Microsoft-Graph

Check for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you still don't see your logs, see log shipping troubleshooting.