Skip to main content

Office 365 Management API

The Office 365 Management API provides access to various Office 365 management data including audit logs, service health information, and activity data via REST APIs. The Office 365 Management API connector enables you to retrieve audit log subscriptions, start subscriptions for specific content types, and fetch audit log content for compliance and security monitoring. This connector is particularly useful for applications that need to extract audit logs, monitor Office 365 activity, analyze security events, or integrate compliance data with SIEM and security systems.

Office 365 Management API icon

Power end-to-end data operations for your Office 365 Management API API with Nexla. Our bi-directional Office 365 Management API connector is purpose-built for Office 365 Management API, making it simple to ingest data, sync it across systems, and deliver it anywhere — all with no coding required. Nexla turns API-sourced data into ready-to-use, reusable data products and makes it easy to send data to Office 365 Management API or any other destination. With comprehensive monitoring, lineage tracking, and access controls, Nexla keeps your Office 365 Management API workflows fast, secure, and fully governed.

Features

Type: API

SourceDestination

  • Seamless API Integration: Connect to any endpoint as source or destination without coding, with automatic data product creation
  • Visual Composition & Chaining: Build complex integrations using visual templates, chain API calls, and compose workflows with data validation and filtering
  • API Proxy: Expose curated slices of your data securely with a secure and customizable API proxy that validates and transforms data on the fly
  • Request optimization with intelligent batching, retry, and caching to minimize API calls and costs

Prerequisites

Before creating an Office 365 Management API credential, you'll need to register an application in Azure Active Directory (Azure AD) and obtain OAuth 2.0 credentials (Client ID, Client Secret, and Tenant ID). The Office 365 Management API uses OAuth 2.0 client credentials flow for API authentication and requires the ActivityFeed.Read permission.

To obtain Office 365 Management API credentials:

  1. Log in to the Azure Portal with an account that has permissions to register applications.

  2. Navigate to Azure Active Directory > App registrations (or Microsoft Entra ID > App registrations in newer portals).

  3. Click New registration to create a new application registration.

  4. Enter a name for your application (e.g., "Nexla Office 365 Management API Integration") and select the supported account types. For most integrations, select Accounts in this organizational directory only.

  5. Click Register to create the application.

  6. After registration, you'll be taken to the application overview page. Note the Application (client) ID and Directory (tenant) ID - you'll need these for your credential.

  7. Navigate to Certificates & secrets in the left menu, then click New client secret.

  8. Enter a description for the secret and select an expiration period. Click Add to create the secret.

  9. Important: Copy the Value of the client secret immediately, as it will only be displayed once. Store it securely, as you'll need it to authenticate API requests.

  10. Navigate to API permissions in the left menu. Click Add a permission and select Office 365 Management APIs.

  11. Select Application permissions (not Delegated permissions) and add the required permission:

    • ActivityFeed.Read - For reading Office 365 activity feed data (required for Office 365 Management API)
  12. Click Grant admin consent to grant the permission to your application. This step is required for application permissions.

Office 365 Management API uses OAuth 2.0 client credentials flow (2-legged OAuth), which means you don't need user authorization. The Client ID, Client Secret, and Tenant ID are used to obtain an access token directly. The application must have the ActivityFeed.Read permission granted and admin consent provided.

For detailed information about Office 365 Management API authentication and Azure AD app registration, refer to the Office 365 Management Activity API Reference.

Authenticate

Credentials required

OAuth2 client credentials for Office 365 Mgmt Activity API via Azure AD App needing 'ActivityFeed.Read' permission.

FieldRequiredSecretDescription
Client IDYesNoThe Application (client) ID of your registered Azure AD application.
Client SecretYesYesThe client secret value generated for your Azure AD application.
Tenant IDYesNoThe Directory (tenant) ID of your Azure AD where the application is registered.

Create a credential in Nexla

  1. After selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.

New Credential Overlay – Office 365 Management API

MicrosoftOffice365MgmtCred.png
  1. Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.

  2. In the Client ID field, enter the Application (client) ID that you obtained from your Azure AD application registration. This is the unique identifier for your registered application.

  3. In the Client Secret field, enter the Client Secret value that you obtained from your Azure AD application registration. This is the secret value generated in the Certificates & secrets section.

    The Client Secret is sensitive information and should be kept secure. If you've lost your Client Secret, you'll need to generate a new one in your Azure AD application registration. Client secrets expire based on the expiration period you set when creating them.

  4. In the Tenant ID field, enter the Directory (tenant) ID that you obtained from your Azure AD application registration. This is the unique identifier for your Azure AD tenant where the application is registered.

  5. Click the Save button at the bottom of the overlay. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation.

Use as a data source

To create a new data flow, navigate to the Integrate section, and click the New Data Flow button. Select the Office 365 Management API connector tile, then select the credential that will be used to connect to the Office 365 Management API, and click Next; or, create a new Office 365 Management API credential for use in this flow.

Endpoint templates

Nexla provides pre-built templates that can be used to rapidly configure data sources to ingest data from common Office 365 Management API endpoints. Select the endpoint from which this source will fetch data from the Endpoint pulldown menu. Available endpoint templates are listed in the expandable boxes below.

List Active Subscriptions

This endpoint retrieves a list of current audit log subscriptions for the tenant. Use this endpoint when you need to check which content types are currently being monitored, verify subscription status, or list active subscriptions.

  • This endpoint automatically retrieves all active subscriptions for your Office 365 tenant. No additional configuration is required beyond selecting this endpoint template.

The List Active Subscriptions endpoint uses GET requests to retrieve subscription information from the Office 365 Management API. The endpoint returns information about active subscriptions including content types and subscription status. For more information about the List Active Subscriptions endpoint, refer to the Office 365 Management API Documentation.

Start Subscription

This endpoint starts monitoring a specific audit log content type. This must be done before retrieving content for that type. Use this endpoint when you need to enable monitoring for a specific content type, activate audit log subscriptions, or start collecting audit data.

  • Enter the content type to monitor in the CONTENT_TYPE field. Common content types include Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General, and DLP.All. Refer to the Office 365 Management API documentation for the complete list of available content types.

The Start Subscription endpoint uses POST requests to activate monitoring for a specific content type. After starting a subscription, Office 365 will begin generating content blobs for that content type, which can then be retrieved using the Fetch Audit Log Content endpoint. For more information about the Start Subscription endpoint, refer to the Office 365 Management API Documentation.

Fetch Audit Log Content

This endpoint retrieves audit log records for a specific content type and time range. It first finds the relevant content blob URLs and then downloads and outputs the JSON records contained within those blobs. Use this endpoint when you need to extract audit logs, analyze security events, or retrieve compliance data.

  • Enter the content type to retrieve in the CONTENT_TYPE_LOC field. This should match a content type that has been started using the Start Subscription endpoint. Common content types include Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General, and DLP.All.
  • Enter the start time for the audit log retrieval in ISO 8601 format (e.g., 2024-01-01T00:00:00Z) in the START_TIME field. This specifies the beginning of the time range for retrieving audit log content.
  • Enter the end time for the audit log retrieval in ISO 8601 format (e.g., 2024-01-31T23:59:59Z) in the END_TIME field. This specifies the end of the time range for retrieving audit log content.

The Fetch Audit Log Content endpoint uses a two-step process: first retrieving content blob URLs, then downloading and parsing the JSON records from those blobs. The endpoint supports pagination through NextPageUri and automatically handles both steps. For more information about the Fetch Audit Log Content endpoint, refer to the Office 365 Management API Documentation.

Once the selected endpoint template has been configured, click the Test button to the right of the endpoint selection menu to retrieve a sample of the data that will be fetched. Sample data will be displayed in the Endpoint Test Result panel on the right, allowing you to verify that the source is configured correctly before saving.

Manual configuration

Office 365 Management API data sources can also be manually configured to ingest data from any valid Office 365 Management API endpoint, including endpoints not covered by the pre-built templates, chained API calls, or custom request parameters. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, endpoint URL, date/time and lookup macros, path to data, metadata, and request headers.

Office 365 Management API endpoints typically follow the pattern https://manage.office.com/api/v1.0/{tenant_id}/activity/feed/{resource}, where {tenant_id} is your tenant ID, and return data in JSON format. The Authorization header with Bearer token is automatically included from your credential; for POST requests (e.g., starting a subscription), Content-Type is typically set to application/json;charset=UTF-8. For detailed information about Office 365 Management API endpoints, refer to the Office 365 Management Activity API Reference.

Once all of the relevant settings have been configured, click the Create button in the upper right corner of the screen to save and create the new Office 365 Management API data source. Nexla will now begin ingesting data from the configured endpoint and will organize any data that it finds into one or more Nexsets.