# SharePoint Audit Logs Collects SharePoint audit events covering file access, sharing, and site interactions. This input also captures **OneDrive for Business** file activity (uploads, downloads, sharing, and access). Microsoft 365 records OneDrive events under the SharePoint workload (`RecordType 7`), so there is no separate OneDrive input — use this connector for OneDrive file-access logs. **Sync Type: Incremental** ## Requirements Before setting up the input you need to: 1. In Microsoft Purview, [turn auditing on](https://learn.microsoft.com/en-us/purview/audit-log-enable-disable). 2. Register an [Active Directory (Entra) application](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app): - **Supported account types:** Accounts in this organizational directory only. - **Certificates & secrets:** create a new client secret and copy its **Value** immediately — it cannot be retrieved after you leave the page. You will need it to configure the Monad connector. 3. Grant the application access to the **Office 365 Management APIs**: - Under **API permissions → Add a permission → APIs my organization uses**, search for **Office 365 Management APIs** (this is a different API from Microsoft Graph). - Add **`ActivityFeed.Read`** as an **Application** permission. Monad authenticates app-to-app (client credentials), so the permission **must be of type _Application_, not _Delegated_** — a Delegated permission is not present in the token Monad receives, and the connection test will fail. - Click **Grant admin consent for <your tenant>**. The `ActivityFeed.Read` row must then show a green **Granted** status — adding the permission alone is not enough. > `ActivityFeed.ReadDlp` and `ServiceHealth.Read` are only needed for the DLP Events and Service Health inputs respectively. They are **not** required for SharePoint Audit Logs. ### Where to find each value | Field | Where in the Entra app registration | |-------|-------------------------------------| | Tenant ID | **Overview → Directory (tenant) ID** (a GUID) | | Client ID | **Overview → Application (client) ID** (a GUID) | | Client Secret | **Certificates & secrets → Client secrets → Value** (copied at creation — this is the secret's *Value*, not its *Secret ID*) | > **Common mistake:** the Client ID and the Client Secret **Value** are easy to swap. The Client ID is always a GUID (e.g. `a1b2c3d4-…`); a secret Value is a longer opaque string (often containing `~` or `.`). Entering the secret Value in the Client ID field produces an `AADSTS700016: Application with identifier '…' was not found in the directory` error. ### Backfill and sync window - The first sync starts from **now** — no historical records are fetched — **unless** you set a **Backfill Start Time**. - If you set a Backfill Start Time, the sync fetches from that time forward, but **no earlier than 7 days in the past**: the Office 365 Management Activity API retains only ~7 days of content, so older start times are clamped to 7 days ago. - Subsequent syncs are incremental, fetching from the last successful sync time to the present. ## Configuration ### Settings | Setting | Type | Required | Description | |---------|------|----------|-------------| | Tenant ID | string | true | The Directory (tenant) ID of the Entra application | | Use Synthetic Data | boolean | false | Generate synthetic data for testing instead of connecting to a real data source | | Backfill Start Time | string | false | The date to start fetching data from (RFC 3339). If not specified, no past records are fetched. Cannot go back more than 7 days (API retention limit). | ### Secrets | Setting | Type | Required | Description | |---------|------|----------|-------------| | Client ID | string | true | The Application (client) ID of the Entra application | | Client Secret | string | true | The client secret **Value** of the Entra application | ## Troubleshooting | Error | Cause | Fix | |-------|-------|-----| | `AADSTS700016: Application with identifier '…' was not found in the directory` | The Client ID is incorrect — often the Client Secret Value was entered in the Client ID field, or the app is registered in a different tenant. | Confirm the **Client ID** is the *Application (client) ID* GUID from the app's Overview page, and that the **Tenant ID** matches the tenant where the app is registered. | | `401 AF10001: The permission set () sent in the request does not include the expected permission.` | The token carries no app roles: `ActivityFeed.Read` is missing, was added as a **Delegated** permission instead of **Application**, or **admin consent** was not granted. | On the app's **API permissions**, ensure `ActivityFeed.Read` under **Office 365 Management APIs** is of type **Application** and shows a green **Granted** admin-consent status. Allow a few minutes for the change to propagate, then re-run the connection test. | ## Related Articles - [Office 365 Management APIs](https://learn.microsoft.com/en-us/office/office-365-management-api/)