Introduction
Beginning with DeliverPoint 5.0.0.0 (February 2025), we added the ability to run Audit reports, making use of the new (beta) Microsoft Graph API endpoint to query Microsoft Purview audit logs. To enable this feature, a Global Administrator must approve the AuditLogsQuery.Read.All Graph API permission.
Most Graph API permissions can be approved from the API Access page of the SharePoint Admin Center. However, as of this writing, this particular Graph API permission must be approved manually. Beginning in March 2025, this permission must be approved using PowerShell, because Microsoft moved all SPFx Graph permissions to a new Entra Application Principal that does not allow adding permissions via the Entra UI. (See Changes on SharePoint Framework (SPFx) permission grants in Microsoft Entra ID - Microsoft 365 Developer Blog.) Instructions for doing this are below.
NOTE: After following this procedure, this permission will still appear as Pending on the API Access page, but it really has been approved.
The above-referenced Microsoft article contains an example script, which we have modified to be specific to granting the AuditLogsQuery permission to DeliverPoint. You can download that here.
Get the Microsoft Graph PowerShell SDK
The PowerShell script to approve this permission requires you to download and install the Microsoft Graph PowerShell SDK, which you can do from this page on Microsoft's site. Microsoft recommends PowerShell 7 or later for this. If you don't already have PowerShell 7 or above, download and installation instructions can be found here for the current latest version (7.5).
To install the Microsoft Graph PowerShell SDK, open a PowerShell window and issue the following command:
Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force
You should see a number of files being downloaded and unzipped. Eventually, the command prompt will reappear.
Run the PowerShell script
Unzip the GrantAuditLogsQueryPermission.ps1 file and run it in the PowerShell window by ensuring you are in the directory where the file is located, and then typing: .\GrantAuditLogsQueryPermission
A dialog will open for you to authenticate to your M365 tenant with a Global Admin account. If you have never before used the Microsoft Graph Command Line Tools, you will be asked to grant permission to it:
You can now go back to the PowerShell window. If no errors have occurred, you should see a message stating: “AuditLogsQuery.Read.All permissions set for SPFx app with ID 00000003-0000-0000-c000-000000000000”. (This App ID is the Microsoft Graph Endpoint, which is the same for all tenants.)
If you have any trouble with this, please contact help@lightningtools.com.
An account with the required permissions will now be able to run DeliverPoint Audit Reports. See how in this article.
Verify that the Permission has been Granted
In the Microsoft Entra Admin Center, search for "SharePoint Online Web Client Extensibility" and click it. Under the Permissions section, you will find the list of permissions that have been granted for your organization. Search for AuditLogsQuery.Read.All and it will be displayed if granted.
