Microsoft Graph API security and compliance tools are essential in any enterprise environment. Graph gives you a single endpoint for the audit logs, DLP reports, security alerts, and retention policies of your organization's Microsoft 365 tenants.
Using this tool has several key benefits. It can help maintain cross-tenant compliance visibility, automate reports without relying on portal access, authenticate as an application rather than as a user, and integrate easily with SIEM tools and custom dashboards.
Guide to accessing compliance reports using Microsoft Graph
Before getting started, you first have to register an application in the Azure AD portal and grant it the necessary permissions. Then you can connect to Microsoft Graph from Windows PowerShell and generate the reports; a JSON tenant list lets a script repeat the process across tenants.
GPOs can be used to strengthen your security procedures, the Windows Registry can carry tenant tags so that reports are consistent across all managed devices, and CMD can be used to troubleshoot when something fails.
📌 Prerequisites:
- Azure AD app registration in each tenant (or a delegated-access model such as Azure Lighthouse for cross-tenant management)
- Admin consent granted in each tenant for the required API permissions.
- Microsoft 365 E5 Compliance add-on is required for advanced reports.
- Windows PowerShell 5.1 or PowerShell 7 with the Microsoft Graph PowerShell SDK (the Microsoft.Graph modules) installed.
- Optional/preferable: Access to Intune, GPO, and the Windows Registry for endpoint policy validation
📌 Recommended deployment strategies:
Step 1: Register an app in Azure for Graph Access
- Open the Azure AD portal (now the Microsoft Entra admin center) in your browser.
- Go to App registrations > New registration.
- Name the app you want to register.
- Under Supported account types, select Accounts in this organizational directory only (Contoso only – Single tenant).
- Once the app is created, open API permissions > Add a permission > Microsoft Graph and choose Application permissions (not Delegated), because the script authenticates as the app itself with no signed-in user.
- Add the following permissions:
- Reports.Read.All
- AuditLog.Read.All (sign-in and directory audit logs; app-only access to the sign-in log also requires Directory.Read.All)
- SecurityEvents.Read.All (legacy security alerts)
- Directory.Read.All
- RecordsManagement.Read.All (only if you also want to list retention labels)
- Click Add permissions.
- Click Grant admin consent for <tenant>. Application permissions apply tenant-wide: the app can now read every user's sign-in and audit data in that tenant, so keep the list to the minimum your reports need.
- Go to Certificates & secrets.
- Prefer a certificate if you can: upload the public key under Certificates and authenticate with Connect-MgGraph -CertificateThumbprint, which leaves no shared secret to leak. If you must use a secret, select Client secrets > New client secret.
- Set a description and the shortest expiry your rotation process can support (24 months is the maximum). The secret is the application's password.
- Copy the secret value immediately; it is shown only once, and a lost value means creating a new secret. Also record the application (client) ID and the directory (tenant) ID; you need all three to authenticate.
Repeat or automate this process for each tenant that requires it. Treat the secret with the same care as a privileged account password: it grants tenant-wide read access to audit data and is not protected by MFA or Conditional Access.
Step 2: Connect to Microsoft Graph in PowerShell
- Open the Start Menu and search for Windows PowerShell (PowerShell 7 also works). Administrator rights are not needed when you install with -Scope CurrentUser.
- To install the Microsoft Graph PowerShell SDK, type the following commands and press Enter. Only the Microsoft.Graph.Authentication module is needed for Connect-MgGraph and Invoke-MgGraphRequest; importing the full Microsoft.Graph meta-module is slow and unnecessary:
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser
Import-Module Microsoft.Graph.Authentication
- To connect with the app credentials, type the following commands and press Enter. SDK version 2 takes a PSCredential through -ClientSecretCredential (the client ID is the user name, the secret is the password); there is no -ClientSecret parameter:
$secret = Read-Host -AsSecureString "Client secret"
$cred = [pscredential]::new("APP_ID", $secret)
Connect-MgGraph -TenantId "TENANT_ID" -ClientSecretCredential $cred
Change "APP_ID" to the client ID and "TENANT_ID" to the tenant ID. Reading the secret with Read-Host keeps it out of your command history; never paste it into a script as a literal.
- There is no profile to select: Select-MgProfile was removed in SDK version 2, and the endpoint (v1.0 or beta) is chosen by the URL you pass to Invoke-MgGraphRequest.
- Confirm the session is app-only: type Get-MgContext and press Enter, then check that AuthType shows AppOnly and that Scopes lists the permissions you consented.
You are now connected to Microsoft Graph.
Step 3: Pull compliance reports with the Microsoft Graph API
Once you are connected to Microsoft Graph in Windows PowerShell, follow these steps. Requests are made with Invoke-MgGraphRequest; -OutputType PSObject returns objects that Export-Csv can write (the default hashtable output would export the hashtable's own properties such as Keys and Count, not the log fields). Each call returns only the first page; when the response contains an @odata.nextLink property, request that URL to get the next page.
- To retrieve Azure AD sign-in logs (this is the sign-in log, not the Microsoft 365 unified audit log; directory changes are under auditLogs/directoryAudits), type this command and press Enter:
$logs = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/auditLogs/signIns" -OutputType PSObject
- To list security alerts (security/alerts is the legacy alert resource covered by SecurityEvents.Read.All; the current alerts_v2 resource requires SecurityAlert.Read.All instead), type this command and press Enter:
$alerts = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/security/alerts" -OutputType PSObject
- To list retention labels (beta only; requires the RecordsManagement.Read.All application permission), type this command and press Enter:
$labels = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/security/labels/retentionLabels" -OutputType PSObject
- To export the data to a .CSV file, type this command and press Enter:
$logs.value | Export-Csv -Path ".\Tenant_AuditLogs.csv" -NoTypeInformation
Repeat this process for each tenant, connecting with that tenant's app credentials and running Disconnect-MgGraph before switching.
Optional: Automate cross-tenant reporting
IT administrators can keep the tenant list (name, tenant ID, client ID) in a JSON file and have a PowerShell script loop through it, connecting to each tenant in turn and consolidating the data. Do not store the client secrets in that file: keep them in Azure Key Vault or the credential store of your endpoint management tool and inject them at run time. The script can then be scheduled with Task Scheduler or through the endpoint management tool.
Here's a sample tenant loop structure:
foreach ($tenant in $tenantList) {
    $cred = [pscredential]::new($tenant.ClientId, $tenant.Secret)   # $tenant.Secret is a SecureString injected at run time
    Connect-MgGraph -TenantId $tenant.TenantId -ClientSecretCredential $cred -NoWelcome
    $auditData = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/auditLogs/signIns" -OutputType PSObject
    $auditData.value | Export-Csv -Path ".\$($tenant.Name)_Audit.csv" -NoTypeInformation -Append
    Disconnect-MgGraph   # otherwise the next iteration may reuse this tenant's token
}
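The following script is an added example written for this article, not the page's own code or a NinjaOne script. It turns Step 3 and the loop above into something that survives real tenants: it authenticates app-only with -ClientSecretCredential, follows @odata.nextLink until the collection is exhausted, honours the Retry-After header on HTTP 429 and 5xx responses instead of failing, and disconnects between tenants. Assumptions: the tenants.json layout shown in the comments is constructed for this example, it holds no secrets, and each secret is exposed in the environment variable named by SecretEnvVar (populated from Azure Key Vault or your RMM's credential store before the script runs). The seven-day window and the column selection are choices for the example.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example, not code from the original article. Loops over tenants listed in
# a JSON file, authenticates app-only with -ClientSecretCredential, pulls the last
# 7 days of sign-in logs while following @odata.nextLink paging and honouring
# Retry-After on 429/5xx, then writes one CSV per tenant.
# Assumptions: tenants.json has the constructed layout below and holds NO secrets;
# each secret lives in the environment variable named by SecretEnvVar.
#
# tenants.json (constructed sample; GUIDs are placeholders):
# [
#   { "Name": "ClientA", "TenantId": "00000000-0000-0000-0000-000000000001",
#     "ClientId": "00000000-0000-0000-0000-0000000000aa", "SecretEnvVar": "GRAPH_SECRET_CLIENTA" },
#   { "Name": "ClientB", "TenantId": "00000000-0000-0000-0000-000000000002",
#     "ClientId": "00000000-0000-0000-0000-0000000000bb", "SecretEnvVar": "GRAPH_SECRET_CLIENTB" }
# ]

function Get-GraphCollection {
    # Returns every item of a Graph collection: follows paging and retries throttled calls.
    param([Parameter(Mandatory)][string]$Uri, [int]$MaxRetries = 5)
    $items = [System.Collections.Generic.List[object]]::new()
    $next  = $Uri
    while ($next) {
        $attempt = 0
        do {
            $retry = $false
            # -SkipHttpErrorCheck lets us inspect the status code and headers ourselves
            $page = Invoke-MgGraphRequest -Method GET -Uri $next -OutputType PSObject `
                        -SkipHttpErrorCheck -StatusCodeVariable status -ResponseHeadersVariable headers
            if ($status -eq 429 -or $status -ge 500) {
                if ($attempt -ge $MaxRetries) { throw "Graph returned HTTP $status after $MaxRetries retries: $next" }
                $attempt++
                $delay = 5 * $attempt                                   # fallback back-off
                if ($headers -and $headers.ContainsKey('Retry-After')) {
                    $delay = [int]($headers['Retry-After'] | Select-Object -First 1)
                }
                Write-Warning "HTTP $status; waiting $delay s (retry $attempt of $MaxRetries)"
                Start-Sleep -Seconds $delay
                $retry = $true
            } elseif ($status -ge 400) {
                throw "Graph returned HTTP $status for $next : $($page.error.message)"
            }
        } while ($retry)
        if ($page.value) { $items.AddRange([object[]]$page.value) }
        $next = $page.'@odata.nextLink'                                 # $null on the last page
    }
    return $items
}

$tenants = Get-Content -Path .\tenants.json -Raw | ConvertFrom-Json
$since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
foreach ($t in $tenants) {
    $secret = [Environment]::GetEnvironmentVariable($t.SecretEnvVar)
    if (-not $secret) { Write-Warning "$($t.Name): $($t.SecretEnvVar) is not set, skipping"; continue }
    $cred = [pscredential]::new($t.ClientId, (ConvertTo-SecureString $secret -AsPlainText -Force))
    try {
        Connect-MgGraph -TenantId $t.TenantId -ClientSecretCredential $cred -NoWelcome -ErrorAction Stop
        $uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=createdDateTime ge $since&`$top=500"
        $signIns = Get-GraphCollection -Uri $uri
        $signIns |
            Select-Object createdDateTime, userPrincipalName, appDisplayName, ipAddress,
                          @{ n = 'errorCode'; e = { $_.status.errorCode } }, conditionalAccessStatus |
            Export-Csv -Path ".\$($t.Name)_SignIns.csv" -NoTypeInformation
        Write-Host "$($t.Name): exported $($signIns.Count) sign-ins"
    } catch {
        Write-Warning "$($t.Name): $($_.Exception.Message)"
    } finally {
        # Drop the session so the next tenant cannot reuse this tenant's token
        Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
    }
}
```

A failure in one tenant is logged and the loop moves on, so one expired secret does not block the remaining reports. The resulting CSVs contain user identities and IP addresses and should be stored with the same access controls as the portal data they came from.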
Optional: Use Registry to support reporting context on endpoints
📌 Use Case: Registry keys can be used to ensure that device tagging and reporting labels are consistently applied across all your devices. To do that, follow these steps:
- Open the Start Menu and search for Registry Editor to open the program.
- Find the corresponding registry key for the application you want to check. For reference, this is a sample registry path and the relevant values inside:
HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Compliance
- TenantTag (String) – The value must be "ClientA" (or whichever tenant the device belongs to).
- LastAuditSync (String) – The value must be the date and time of the last audit sync, ideally in ISO 8601 UTC format so that scripts can parse it reliably.
💡 Note: You can use scripts to read these tags to include endpoint metadata in Graph-generated reports.
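The following is an added example, not code from the original article, showing how an endpoint script can write the two tags above and how a report script can read and validate them before attaching them to a Graph report row. The registry path and value names follow the article's sample; the ISO 8601 timestamp format and the 24-hour staleness threshold are choices made for this example.

```powershell
# Added example, not code from the original article: writes and reads the endpoint
# tags described above so a report script can attach device context.
# Assumptions: registry path and value names follow the article's sample; the
# ISO 8601 timestamp format and the 24-hour threshold are choices for this example.
$TagPath = 'HKLM:\SOFTWARE\Contoso\Compliance'

function Set-ComplianceTag {
    # Run (elevated) by the endpoint management tool after a successful audit pull.
    param([Parameter(Mandatory)][string]$TenantTag)
    if (-not (Test-Path $TagPath)) { New-Item -Path $TagPath -Force | Out-Null }
    Set-ItemProperty -Path $TagPath -Name TenantTag -Value $TenantTag -Type String
    # Round-trip ('o') format in UTC, e.g. 2024-05-01T09:30:00.0000000Z, parses unambiguously
    $stamp = (Get-Date).ToUniversalTime().ToString('o')
    Set-ItemProperty -Path $TagPath -Name LastAuditSync -Value $stamp -Type String
}

function Get-ComplianceTag {
    # Reads the tags and classifies them; a missing key yields Status 'Missing' rather than an error.
    param([int]$MaxAgeHours = 24)
    $result = [ordered]@{ Computer = $env:COMPUTERNAME; TenantTag = $null; LastAuditSync = $null; Status = 'Missing' }
    $props  = Get-ItemProperty -Path $TagPath -ErrorAction SilentlyContinue
    if ($props) {
        $result.TenantTag     = $props.TenantTag
        $result.LastAuditSync = $props.LastAuditSync
        $parsed = [datetime]::MinValue
        if ([string]::IsNullOrWhiteSpace($props.TenantTag)) {
            $result.Status = 'NoTenantTag'
        } elseif (-not [datetime]::TryParse([string]$props.LastAuditSync, [cultureinfo]::InvariantCulture,
                    [System.Globalization.DateTimeStyles]::RoundtripKind, [ref]$parsed)) {
            $result.Status = 'BadDate'        # absent or unparseable timestamp
        } elseif ($parsed.ToUniversalTime() -lt (Get-Date).ToUniversalTime().AddHours(-$MaxAgeHours)) {
            $result.Status = 'Stale'          # last sync older than the threshold
        } else {
            $result.Status = 'Ok'
        }
    }
    [pscustomobject]$result
}

# Usage: merge the returned object into the report row for this device
Get-ComplianceTag -MaxAgeHours 24
```

Reading HKLM does not require elevation, so Get-ComplianceTag can run in the context of an ordinary report job; only Set-ComplianceTag needs to run as SYSTEM or an administrator.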
Optional: Use Group Policy for endpoint compliance status
📌 Use Case: Group policies can be used to enforce endpoint configuration that feeds compliance scoring and data sensitivity reporting. Note that the policies below configure Windows diagnostic data collection; they do not change what Microsoft Graph returns.
- Open the Start Menu and search for Edit Group Policy to open the program.
- Navigate to this location: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds.
- Enable the following policies:
- Allow Diagnostic Data (named Allow Telemetry on older builds). Choose the level your data protection policy permits; on current Windows 11 builds the choices are Required and Optional rather than Enhanced or Full.
- Configure commercial ID for device grouping. Check the policy description on your build: newer builds mark it deprecated and group devices by their Azure AD device identity instead.
Optional: Use CMD to validate permissions and connectivity
📌 Use Case: This is useful for on-premises or hybrid environments where endpoints need compliance alignment.
- Open the Start Menu and search for Command Prompt.
- Right-click Command Prompt > Run as administrator.
- To check name resolution and Graph-endpoint reachability, type these commands and press Enter. ping only proves ICMP, which many networks and the Graph front end filter, so an HTTPS request is the real test (curl ships with Windows 10 1803 and later):
nslookup graph.microsoft.com
curl -sS -o NUL -w "%{http_code}\n" https://graph.microsoft.com/v1.0/me
An HTTP 401 here is the expected result: it proves DNS, the proxy path and the TLS connection all work and only the token is missing.
- To check the device's Azure AD join or registration state (dsregcmd reports join status, device ID and tenant, not report sync status), type this and press Enter:
dsregcmd /status
- To make sure that the GPO policies have been applied, type this and press Enter:
gpresult /h gpo.html
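As an added example, not code from the original article, the PowerShell function below bundles the checks above in a form an endpoint management tool can run and parse. It uses a TCP handshake on port 443 instead of ping, fetches the tenant's unauthenticated OpenID discovery document to confirm the tenant ID is correct (the check expects a GUID), parses dsregcmd output for the Azure AD join state, and, if a Graph session already exists, compares the session's application permissions with the roles the reports need. The RequiredRoles default and the function name are assumptions for this example.

```powershell
# Added example, not code from the original article: PowerShell checks that
# complement the CMD commands above. The RequiredRoles default is an assumption.
function Test-GraphReportPrereqs {
    param(
        [Parameter(Mandatory)][string]$TenantId,   # tenant GUID, as used with Connect-MgGraph
        [string[]]$RequiredRoles = @('AuditLog.Read.All', 'Directory.Read.All', 'SecurityEvents.Read.All', 'Reports.Read.All')
    )
    $checks = [ordered]@{}
    foreach ($hostName in 'login.microsoftonline.com', 'graph.microsoft.com') {
        # A TCP handshake on 443 is what matters; ICMP is frequently filtered
        $tnc = Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue
        $checks["tcp443_$hostName"] = $tnc.TcpTestSucceeded
    }
    try {
        # No token needed; the issuer URL embeds the tenant GUID, so a wrong TenantId fails here
        $oidc = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantId/v2.0/.well-known/openid-configuration" -TimeoutSec 15
        $checks['tenantResolves'] = $oidc.issuer -like "*$TenantId*"
    } catch {
        $checks['tenantResolves'] = $false
    }
    if (Get-Command dsregcmd -ErrorAction SilentlyContinue) {
        # dsregcmd prints "AzureAdJoined : YES" on joined devices
        $checks['azureAdJoined'] = [bool](dsregcmd /status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES' -Quiet)
    }
    $ctx = if (Get-Command Get-MgContext -ErrorAction SilentlyContinue) { Get-MgContext } else { $null }
    if ($ctx) {
        $checks['authType'] = [string]$ctx.AuthType          # expect AppOnly for the client-credential flow
        # For app-only sessions Scopes lists the consented application permissions
        $missing = $RequiredRoles | Where-Object { $_ -notin $ctx.Scopes }
        $checks['missingRoles'] = if ($missing) { $missing -join ', ' } else { 'none' }
    } else {
        $checks['authType'] = 'not connected'
    }
    [pscustomobject]$checks
}

# Usage (TenantId is a placeholder): run before the report script, or when a tenant returns 403
Test-GraphReportPrereqs -TenantId '00000000-0000-0000-0000-000000000001'
```

A false tcp443 result points at the network or proxy, a false tenantResolves at a mistyped tenant ID, and a non-empty missingRoles at a consent gap in that tenant, which separates the three causes of a 403 that otherwise look identical from the script's side.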
Quick-Start Guide
I can provide some insights about using Microsoft Graph API for compliance reports across multiple tenants with NinjaOne:
Microsoft Graph API Integration
NinjaOne supports Microsoft Graph API integration for M365 backup and reporting, but there are some important considerations:
Key Points:
- NinjaOne uses Service Principal Authentication (SPA) for Microsoft Graph API access
- They create four tenant applications to reduce throttling and enable comprehensive backup
- Some specific requirements exist for API access:
  - Requires a Global Admin during initial setup
  - Needs proper Microsoft licensing (Exchange licenses)
  - Involves specific API permissions and scopes
Compliance Reporting Limitations:
- The documentation doesn't explicitly detail cross-tenant compliance reporting
- Reporting is primarily focused on backup and protection coverage
- Some API limitations exist, such as:
  - Microsoft may hide certain user information
  - Throttling can occur with concurrent API requests
Recommended Next Steps:
1. Consult NinjaOne support for specific cross-tenant compliance reporting capabilities
2. Verify your M365 tenant meets the necessary licensing and permission requirements
3. Consider using the NinjaOne SaaS Backup Partner Portal for multi-tenant insights
⚠️ Troubleshooting/Things to look out for
| Issue/Risk | Potential Consequences | Fix/Reversal |
|---|---|---|
| You get an "Access Denied" (HTTP 403) error. | You can't access the data you're looking for. | Confirm that the permissions were added as Application (not Delegated) permissions, that admin consent was granted in that tenant, and that the endpoint's own permission (for example RecordsManagement.Read.All for retention labels) is included. |
| You get an empty response. | You don't get the data you're looking for. | Make sure the tenant has the required licensing and logging enabled, check any $filter time window, and remember that only the first page is returned unless you follow @odata.nextLink. |
| The client secret expired. | Authentication fails at the token endpoint and no data can be pulled. | Track secret expiry dates in your endpoint management tool and alert before they lapse; rotate on a schedule, or switch to certificate authentication so there is no shared secret to expire. |
| There is a script error. | You won't be able to pull the reports. | Use Try/Catch blocks and verbose logging for error tracing; treat HTTP 429 separately and retry after the Retry-After interval instead of failing. |
Additional considerations when using Microsoft Graph to pull compliance reports
- Be mindful of rate limits and Microsoft Graph throttling. A throttled request returns HTTP 429 with a Retry-After header; wait that long and retry rather than hammering the endpoint, especially when pulling large volumes of data.
- You can reduce complexity by using Azure Lighthouse or cross-tenant access models.
- Use Azure Key Vault or an encrypted storage solution to store your client secrets, or use certificate authentication so that no shared secret exists to store.
- Make sure that only authorized personnel have access to reports that contain user-specific data; sign-in logs include user identities and IP addresses, so treat the exported CSV files as sensitive.
NinjaOne services
NinjaOne enhances Graph-based compliance automation through:
- Cross-Tenant Execution: You can schedule and deploy PowerShell reporting scripts across all managed tenants using NinjaOne’s remote PowerShell tool.
- Central Credential Management: Store Graph API credentials in a secure, encrypted store and inject them per tenant at run time instead of embedding them in scripts.
- Alerting and Compliance Dashboards: Integrate report results into customized dashboards and notify on risk thresholds.
- Endpoint-Level Context: Pull device-specific registry and GPO data to enrich compliance reports through the NinjaOne endpoint management tool.
- Automated Ticketing: Set alerts when compliance conditions (e.g., audit inactivity or missing retention policy) are detected.
Take advantage of Microsoft Graph for your compliance reports
Microsoft Graph is a powerful tool for automating compliance reporting in an enterprise environment. It gives IT administrators scalable visibility into tenant activity, data protection, and governance posture.