SharePoint Audit Logs
Collects SharePoint audit events covering file access, sharing, and site interactions.
This input also captures OneDrive for Business file activity (uploads, downloads, sharing, and access). Microsoft 365 records OneDrive events under the SharePoint workload (RecordType 7), so there is no separate OneDrive input — use this connector for OneDrive file-access logs.
Sync Type: Incremental
Requirements
Before setting up the input you need to:
-
In Microsoft Purview, turn auditing on.
-
Register an Active Directory (Entra) application:
- Supported account types: Accounts in this organizational directory only.
- Certificates & secrets: create a new client secret and copy its Value immediately — it cannot be retrieved after you leave the page. You will need it to configure the Monad connector.
-
Grant the application access to the Office 365 Management APIs:
- Under API permissions → Add a permission → APIs my organization uses, search for Office 365 Management APIs (this is a different API from Microsoft Graph).
- Add
ActivityFeed.Readas an Application permission. Monad authenticates app-to-app (client credentials), so the permission must be of type Application, not Delegated — a Delegated permission is not present in the token Monad receives, and the connection test will fail. - Click Grant admin consent for <your tenant>. The
ActivityFeed.Readrow must then show a green Granted status — adding the permission alone is not enough.
ActivityFeed.ReadDlpandServiceHealth.Readare only needed for the DLP Events and Service Health inputs respectively. They are not required for SharePoint Audit Logs.
Where to find each value
| Field | Where in the Entra app registration |
|---|---|
| Tenant ID | Overview → Directory (tenant) ID (a GUID) |
| Client ID | Overview → Application (client) ID (a GUID) |
| Client Secret | Certificates & secrets → Client secrets → Value (copied at creation — this is the secret's Value, not its Secret ID) |
Common mistake: the Client ID and the Client Secret Value are easy to swap. The Client ID is always a GUID (e.g.
a1b2c3d4-…); a secret Value is a longer opaque string (often containing~or.). Entering the secret Value in the Client ID field produces anAADSTS700016: Application with identifier '…' was not found in the directoryerror.
Backfill and sync window
- The first sync starts from now — no historical records are fetched — unless you set a Backfill Start Time.
- If you set a Backfill Start Time, the sync fetches from that time forward, but no earlier than 7 days in the past: the Office 365 Management Activity API retains only ~7 days of content, so older start times are clamped to 7 days ago.
- Subsequent syncs are incremental, fetching from the last successful sync time to the present.
Configuration
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Tenant ID | string | true | The Directory (tenant) ID of the Entra application |
| Use Synthetic Data | boolean | false | Generate synthetic data for testing instead of connecting to a real data source |
| Backfill Start Time | string | false | The date to start fetching data from (RFC 3339). If not specified, no past records are fetched. Cannot go back more than 7 days (API retention limit). |
Secrets
| Setting | Type | Required | Description |
|---|---|---|---|
| Client ID | string | true | The Application (client) ID of the Entra application |
| Client Secret | string | true | The client secret Value of the Entra application |
Troubleshooting
| Error | Cause | Fix |
|---|---|---|
AADSTS700016: Application with identifier '…' was not found in the directory | The Client ID is incorrect — often the Client Secret Value was entered in the Client ID field, or the app is registered in a different tenant. | Confirm the Client ID is the Application (client) ID GUID from the app's Overview page, and that the Tenant ID matches the tenant where the app is registered. |
401 AF10001: The permission set () sent in the request does not include the expected permission. | The token carries no app roles: ActivityFeed.Read is missing, was added as a Delegated permission instead of Application, or admin consent was not granted. | On the app's API permissions, ensure ActivityFeed.Read under Office 365 Management APIs is of type Application and shows a green Granted admin-consent status. Allow a few minutes for the change to propagate, then re-run the connection test. |