{"id":20267937,"url":"https://github.com/officedev/o365-activityfeed-azurefunction","last_synced_at":"2025-04-07T11:07:23.773Z","repository":{"id":45059585,"uuid":"119824001","full_name":"OfficeDev/O365-ActivityFeed-AzureFunction","owner":"OfficeDev","description":"Azure function that processes incoming notifications from the O365 Activity API","archived":false,"fork":false,"pushed_at":"2025-01-13T20:42:32.000Z","size":8829,"stargazers_count":46,"open_issues_count":3,"forks_count":34,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-03-31T09:08:37.414Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OfficeDev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-02-01T11:00:56.000Z","updated_at":"2025-03-03T08:59:13.000Z","dependencies_parsed_at":"2023-09-27T13:49:56.680Z","dependency_job_id":"0b3b0873-f5bd-4c8c-9e11-4163dea5959f","html_url":"https://github.com/OfficeDev/O365-ActivityFeed-AzureFunction","commit_stats":{"total_commits":385,"total_committers":8,"mean_commits":48.125,"dds":0.2909090909090909,"last_synced_commit":"fa2fcfc253317cf1e6b41b506ceb6851d899779b"},"previous_names":[],"tags_count":25,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OfficeDev%2FO365-ActivityFeed-AzureFunction","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OfficeDev%2FO365-ActivityFeed-AzureFunction/tags","releases_url":"https://repos.ecosyste.
ms/api/v1/hosts/GitHub/repositories/OfficeDev%2FO365-ActivityFeed-AzureFunction/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OfficeDev%2FO365-ActivityFeed-AzureFunction/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OfficeDev","download_url":"https://codeload.github.com/OfficeDev/O365-ActivityFeed-AzureFunction/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247640462,"owners_count":20971557,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T12:15:58.914Z","updated_at":"2025-04-07T11:07:23.743Z","avatar_url":"https://github.com/OfficeDev.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"---\r\npage_type: sample\r\nproducts:\r\n- office-365\r\nlanguages:\r\n- powershell\r\nextensions:\r\n  contentType: samples\r\n  createdDate: 2/1/2018 3:00:56 AM\r\ndescription: \"This sample can be used to process notifications from the Office 365 Activity API directly from an Azure Function.\"\r\n---\r\n \r\n# Office 365 activity feed sample\r\n\r\nThis sample can be used to process notifications from the Office 365 Activity API directly from an Azure Function. The sample will write the information to Azure Cosmos DB but with very small changes it can be used to write to Event Hubs, Blob Storage and other Azure components. The AzureADGraph is created to run as a scheduled function. 
It stores the state between the runs in a local file in the Azure function.\r\n\r\n## Addition\r\n\r\nThe Investigation folder contains a sample that uses a timer-based function to import Office 365 Activity data to Cosmos DB. See the separate blog post for more information. https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Using-the-Office-365-Management-Activity-API-and-Power-BI-for/ba-p/189086\r\n\r\n## Create and Register an App in Azure and delegate the appropriate permissions\r\n\r\nUse this as a guide to create and register the application used for making requests. The “Configure an X.509 certificate to enable service-to-service calls” step is not necessary for this test. It is enough to have the application and the appropriate permissions set. Do not forget the step to complete the Administrator consent.\r\nhttps://msdn.microsoft.com/office-365/get-started-with-office-365-management-apis\r\n\r\n## Steps to Create the Azure Function\r\n1. Create your function app and name it appropriately. https://docs.microsoft.com/azure/azure-functions/functions-create-function-app-portalnew \r\n2. Select to create an Azure Function from within Azure Portal.\r\n3. Create the HTTP trigger and select PowerShell, since the sample is based on PowerShell. \r\n4. Set the authorization level to Function.\r\n\r\n![Create Function](./FunctionApp1.png)\r\n\r\n5. Select to create the function.\r\n\r\n6. Use the code in ActivityFunctionApp.ps1 and modify the secrets to match your tenant and the application created in the previous step. From the Azure app you will need the Client ID and Client Secret; from your tenant you need the tenant name and GUID.\r\n7. Configure the integration of the trigger. Below is the configuration I have been using to integrate the trigger. If you change the request parameter, you will have to change the corresponding lines in the code.\r\n\r\n![Configure Integration](./FunctionApp2.png)\r\n\r\n8. 
Configure the output to Cosmos DB by either defining an existing DB or a new one. \r\n\r\n![Configure OutPut](./FunctionApp3.png)\r\n\r\n9. Get the App function key; it will be used when you enable the webhooks.\r\n![Copy the function key](./FunctionApp4.png)\r\n\r\n## Enable the subscriptions\r\n\r\nCreate a separate Azure Function to kick-start the webhooks. This is not a common task; it is mainly done when you need to make a change to the O365 webhooks. You can just as well enable the webhooks from on-premises by running the script. See the enablesubscription.ps1 code for how to enable the webhooks. You will have to make the same changes as for the Activity App.\r\nWhen you have enabled the webhooks, you will find entries in the invocation log from the webhooks verifying that your app really is listening.\r\n\r\n![Invocation Log](./FunctionApp5.png)\r\n\r\n## Query the data using the SQL interface in Cosmos DB\r\n\r\nYou should see the Cosmos DB being populated with records. You can use your own custom solution to query the data as needed. You can also download all the records to your own custom solution. https://docs.microsoft.com/en-us/azure/cosmos-db/\r\n\r\nHere are a few sample queries to get you started.\r\n\r\nIf you want more information about a user\r\n\r\n```sql\r\nselect * from investigate where investigate.UserId = \"user@YOURDOMAIN\" order by investigate.CreationTime\r\n```\r\nIf you need more detail about a specific IP address\r\n\r\n```sql\r\nselect * from investigate where investigate.ClientIP = \"127.0.0.1\" order by investigate.CreationTime\r\n```\r\nIf you want to understand more about a specific file\r\n\r\n```sql\r\nselect * from SPO where SPO.SourceFileName = \"FILENAME.JPG\" order by SPO.CreationTime\r\n```\r\n\r\n## Troubleshooting\r\n\r\nTo get more information about the environment and to troubleshoot issues, use the Kudu interface. 
https://\u003cmyfunctionapp\u003e.scm.azurewebsites.net/ \r\n\r\nhttps://docs.microsoft.com/azure/azure-functions/functions-how-to-use-azure-function-app-settings\r\n\r\n## Contributing\r\n\r\nThis project welcomes contributions and suggestions.  Most contributions require you to agree to a\r\nContributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us\r\nthe rights to use your contribution. For details, visit https://cla.microsoft.com.\r\n\r\nWhen you submit a pull request, a CLA-bot will automatically determine whether you need to provide\r\na CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions\r\nprovided by the bot. You will only need to do this once across all repos using our CLA.\r\n\r\nThis project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).\r\nFor more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or\r\ncontact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fofficedev%2Fo365-activityfeed-azurefunction","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fofficedev%2Fo365-activityfeed-azurefunction","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fofficedev%2Fo365-activityfeed-azurefunction/lists"}