Microsoft Office Integration

Microsoft Office 365 Management Activity API

The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Office 365 and Microsoft Entra activity logs. It enables customers and partners to create or enhance operations, security, and compliance-monitoring solutions. The API supports subscription management, content retrieval, webhook notifications, and DLP sensitive type lookups across content types including Azure AD, Exchange, SharePoint, and General audit logs.

GitHub OpenAPI

Documentation

📖
Documentation
https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference

Specifications

OpenAPI
https://raw.githubusercontent.com/api-evangelist/microsoft-office-integration/refs/heads/main/openapi/microsoft-office-management-activity-api-openapi.yml

Schemas & Data

📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/microsoft-office-integration/refs/heads/main/json-schema/subscription.json
📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/microsoft-office-integration/refs/heads/main/json-schema/activity-record.json
📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/microsoft-office-integration/refs/heads/main/json-schema/content-blob.json

Other Resources

🔗
JSONLD
https://raw.githubusercontent.com/api-evangelist/microsoft-office-integration/refs/heads/main/json-ld/microsoft-office-integration-context.jsonld

OpenAPI Specification

microsoft-office-management-activity-api-openapi.yml Raw ↑ 
openapi: 3.0.3
info:
  title: Microsoft Office Integration Microsoft Office 365 Management Activity API
  description: >-
    The Office 365 Management Activity API provides information about various
    user, admin, system, and policy actions and events from Office 365 and
    Microsoft Entra activity logs. Customers and partners can use this
    information to create new or enhance existing operations, security, and
    compliance-monitoring solutions for the enterprise. The API relies on
    Microsoft Entra ID and the OAuth2 protocol for authentication and
    authorization.
  version: 1.0.0
  contact:
    name: Microsoft
    url: https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference
servers:
  - url: https://manage.office.com/api/v1.0/{tenantId}/activity/feed
    description: Enterprise plan
    variables:
      tenantId:
        description: The GUID of the tenant
        default: '{tenant_id}'
  - url: https://manage-gcc.office.com/api/v1.0/{tenantId}/activity/feed
    description: GCC government plan
    variables:
      tenantId:
        description: The GUID of the tenant
        default: '{tenant_id}'
  - url: https://manage.office365.us/api/v1.0/{tenantId}/activity/feed
    description: GCC High government plan
    variables:
      tenantId:
        description: The GUID of the tenant
        default: '{tenant_id}'
  - url: https://manage.protection.apps.mil/api/v1.0/{tenantId}/activity/feed
    description: DoD government plan
    variables:
      tenantId:
        description: The GUID of the tenant
        default: '{tenant_id}'
security:
  - bearerAuth: []
paths:
  /subscriptions/start:
    post:
      operationId: startSubscription
      summary: Microsoft Office Integration Start a subscription
      description: >-
        Starts a subscription to the specified content type. If a subscription
        already exists, this operation can update webhook properties, enable a
        disabled webhook, re-enable an expired webhook, or remove a webhook.
      parameters:
        - name: contentType
          in: query
          required: true
          description: Must be a valid content type.
          schema:
            type: string
            enum:
              - Audit.AzureActiveDirectory
              - Audit.Exchange
              - Audit.SharePoint
              - Audit.General
              - DLP.All
        - name: PublisherIdentifier
          in: query
          required: false
          description: >-
            The tenant GUID of the vendor coding against the API. Used for
            throttling the request rate.
          schema:
            type: string
            format: uuid
      requestBody:
        required: false
        content:
          application/json:
            schema:
              type: object
              properties:
                webhook:
                  $ref: '#/components/schemas/WebhookRequest'
      responses:
        '200':
          description: Subscription started or updated successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Subscription'
      tags:
        - Subscriptions
  /subscriptions/stop:
    post:
      operationId: stopSubscription
      summary: Microsoft Office Integration Stop a subscription
      description: Stops a subscription to the specified content type.
      parameters:
        - name: contentType
          in: query
          required: true
          schema:
            type: string
            enum:
              - Audit.AzureActiveDirectory
              - Audit.Exchange
              - Audit.SharePoint
              - Audit.General
              - DLP.All
        - name: PublisherIdentifier
          in: query
          required: false
          schema:
            type: string
            format: uuid
      responses:
        '200':
          description: Subscription stopped successfully.
      tags:
        - Subscriptions
  /subscriptions/list:
    get:
      operationId: listSubscriptions
      summary: Microsoft Office Integration List current subscriptions
      description: Returns a collection of the current subscriptions together with associated webhooks.
      parameters:
        - name: PublisherIdentifier
          in: query
          required: false
          schema:
            type: string
            format: uuid
      responses:
        '200':
          description: List of current subscriptions.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Subscription'
      tags:
        - Subscriptions
  /subscriptions/content:
    get:
      operationId: listAvailableContent
      summary: Microsoft Office Integration List available content
      description: >-
        Lists the content currently available for retrieval for the specified
        content type. Content is an aggregation of actions and events harvested
        from multiple servers across multiple datacenters.
      parameters:
        - name: contentType
          in: query
          required: true
          schema:
            type: string
            enum:
              - Audit.AzureActiveDirectory
              - Audit.Exchange
              - Audit.SharePoint
              - Audit.General
              - DLP.All
        - name: PublisherIdentifier
          in: query
          required: false
          schema:
            type: string
            format: uuid
        - name: startTime
          in: query
          required: false
          description: >-
            Start of the time range (UTC). Must be specified together with
            endTime and no more than 24 hours apart.
          schema:
            type: string
            format: date-time
        - name: endTime
          in: query
          required: false
          description: >-
            End of the time range (UTC). Must be specified together with
            startTime and no more than 24 hours apart.
          schema:
            type: string
            format: date-time
      responses:
        '200':
          description: List of available content blobs.
          headers:
            NextPageUri:
              description: URL to retrieve the next page of results if results are truncated.
              schema:
                type: string
                format: uri
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ContentBlob'
      tags:
        - Subscriptions
  /subscriptions/notifications:
    get:
      operationId: listNotifications
      summary: Microsoft Office Integration List notifications
      description: >-
        Lists all notification attempts for the specified content type. Can
        return multiple notifications for the same content due to retries.
      parameters:
        - name: contentType
          in: query
          required: true
          schema:
            type: string
            enum:
              - Audit.AzureActiveDirectory
              - Audit.Exchange
              - Audit.SharePoint
              - Audit.General
              - DLP.All
        - name: PublisherIdentifier
          in: query
          required: false
          schema:
            type: string
            format: uuid
        - name: startTime
          in: query
          required: false
          schema:
            type: string
            format: date-time
        - name: endTime
          in: query
          required: false
          schema:
            type: string
            format: date-time
      responses:
        '200':
          description: List of notifications.
          headers:
            NextPageUri:
              description: URL to retrieve the next page of results.
              schema:
                type: string
                format: uri
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Notification'
      tags:
        - Subscriptions
  /resources/dlpSensitiveTypes:
    get:
      operationId: listDlpSensitiveTypes
      summary: Microsoft Office Integration Retrieve resource friendly names
      description: >-
        Retrieves friendly names for objects in the data feed identified by
        GUIDs. Currently only DlpSensitiveType is supported.
      parameters:
        - name: PublisherIdentifier
          in: query
          required: false
          schema:
            type: string
            format: uuid
        - name: Accept-Language
          in: header
          required: false
          description: Language code for localized names (e.g. en-US, es).
          schema:
            type: string
      responses:
        '200':
          description: List of DLP sensitive type friendly names.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/DlpSensitiveType'
      tags:
        - Resources
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: OAuth2 JWT access token obtained from Microsoft Entra ID with ActivityFeed.Read claim.
  schemas:
    WebhookRequest:
      type: object
      properties:
        address:
          type: string
          format: uri
          description: Required HTTPS endpoint that can receive notifications.
        authId:
          type: string
          description: Optional string included as Webhook-AuthID header in notifications.
        expiration:
          type: string
          format: date-time
          description: Optional datetime after which notifications should no longer be sent.
    WebhookStatus:
      type: object
      properties:
        status:
          type: string
          enum:
            - enabled
            - disabled
            - expired
        address:
          type: string
          format: uri
        authId:
          type: string
        expiration:
          type: string
          format: date-time
          nullable: true
    Subscription:
      type: object
      properties:
        contentType:
          type: string
        status:
          type: string
          enum:
            - enabled
            - disabled
        webhook:
          $ref: '#/components/schemas/WebhookStatus'
    ContentBlob:
      type: object
      properties:
        contentType:
          type: string
        contentId:
          type: string
          description: Opaque string that uniquely identifies the content.
        contentUri:
          type: string
          format: uri
          description: URL to use when retrieving the content.
        contentCreated:
          type: string
          format: date-time
        contentExpiration:
          type: string
          format: date-time
    Notification:
      type: object
      properties:
        contentType:
          type: string
        contentId:
          type: string
        contentUri:
          type: string
          format: uri
        contentCreated:
          type: string
          format: date-time
        contentExpiration:
          type: string
          format: date-time
        notificationSent:
          type: string
          format: date-time
        notificationStatus:
          type: string
    DlpSensitiveType:
      type: object
      properties:
        id:
          type: string
          format: uuid
          description: GUID of the sensitive information type.
        name:
          type: string
          description: Friendly name of the sensitive information type.
    ActivityRecord:
      type: object
      description: A single audit activity record returned when retrieving content.
      properties:
        CreationTime:
          type: string
          format: date-time
        Id:
          type: string
          format: uuid
        Operation:
          type: string
        OrganizationId:
          type: string
          format: uuid
        RecordType:
          type: integer
        ResultStatus:
          type: string
        UserKey:
          type: string
        UserType:
          type: integer
        Workload:
          type: string
        ClientIP:
          type: string
        ObjectId:
          type: string
        UserId:
          type: string
    Error:
      type: object
      properties:
        error:
          type: object
          properties:
            code:
              type: string
            message:
              type: string
tags:
  - name: Resources
  - name: Subscriptions