Share via

Microsoft Graph Audit Log Query Issue in Beta (Stuck in ‘notStarted/running’) and v1.0 Endpoint Returning ‘Resource Not Found’

Louis 40 Reputation points
2026-04-29T07:43:32.1333333+00:00

I created an audit log query using the Microsoft Graph API (beta). However, when I repeatedly check the query status, it remains in ‘notStarted’ or ‘running’ state and does not transition to ‘succeeded’, ‘failed’, ‘cancelled’, or ‘unknownFutureValue’, even after waiting for some time. Could you help identify the reason for I created an audit log query using the Microsoft Graph API (beta). When I check the query status, it consistently remains in ‘notStarted’ or ‘running’ state and does not transition to ‘succeeded’, ‘failed’, ‘cancelled’, or ‘unknownFutureValue’, even after some time. This is not due to multiple requests, as only a single query was created. Could you help identify the cause of this behavior?

POST https://graph.microsoft.com/beta/security/auditLog/queries

{

"@odata.type": "#microsoft.graph.security.auditLogQuery",

"displayName": "Test Query One Hour",

"filterStartDateTime": "2026-04-15T00:00:00Z",

"filterEndDateTime": "2026-04-15T01:00:00Z",

"recordTypeFilters": ["azureActiveDirectory"]

}

GET https://graph.microsoft.com/beta/security/auditLog/queries/{auditLogQueryId}

GET https://graph.microsoft.com/beta/security/auditLog/queries/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

{

"@odata.context": "https://graph.microsoft.com/beta/$metadata#security/auditLog/queries/$entity",

"@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance    improvements. For example: GET security/auditLog/queries('<guid>')?$select=administrativeUnitIdFilters,displayName",

"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

"displayName": "Test Query One Hour",

"filterStartDateTime": "2026-04-15T00:00:00Z",                            

"filterEndDateTime": "2026-04-15T01:00:00Z",

"recordTypeFilters": [

    "AzureActiveDirectory"

],

"keywordFilter": null,

"serviceFilters": [],

"operationFilters": [],

"userPrincipalNameFilters": [],

"ipAddressFilters": [],

"objectIdFilters": [],

"administrativeUnitIdFilters": [],

"status": "notStarted"

}

I also attempted to use the v1.0 endpoint, but I encountered a ‘BadRequest’ error stating ‘Resource not found for the segment auditLog’. Could you please clarify whether this API is supported in v1.0 or only available in beta?

POST https://graph.microsoft.com/v1.0/security/auditLog/queries

GET https://graph.microsoft.com/v1.0/security/auditLog/queries/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

{

"error": {

    "code": "BadRequest",

    "message": "Resource not found for the segment 'auditLog'.",

    "innerError": {

        "date": "2026-04-29T07:07:55",

        "request-id": "73e78731-4c54-4686-8f06-50c4dad342a5",

        "client-request-id": "68a29615-6686-85c7-c991-0c57b860bfd1"

    }

}

}

Microsoft Security | Microsoft Graph
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vasil Michev 126.1K Reputation points MVP Volunteer Moderator
    2026-04-29T13:27:38.99+00:00

    Audit searches created via the /auditLog/queries Graph API endpoint are asynchronous by design, and you have no way to influence their status. The service handles prioritization/scheduling, all you can do is check the status indeed. And yes, they are known to be slow at times, which is the main reason why the corresponding endpoints are still only available under /beta. Microsoft is supposedly working on addressing the experience, but whether they actually deliver on their promises, only god knows :)

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.