Start subscriptions to recieve logs from Office 365 Management Activity API.
To start subscriptions:
Copy the command below to your notepad:
curl -X POST -H "Content-Length: 0" -H "Authorization: Bearer {access_token}" "https://manage.office.com/api/v1.0/{tenant_id}/activity/feed/subscriptions/start?contentType={content_type}"Invoke-RestMethod -Uri "https://manage.office.com/api/v1.0/$tenant_id/activity/feed/subscriptions/start?contentType=$content_type" -Method Post -Headers @{"Content-Length"="0"; "Authorization"="Bearer $access_token"}Replace the {access_token} value with the access token saved in previous steps.
Replace the {tenant_id} value with your Microsoft Office tenant ID.
Replace the {content_type} value with the type of logs you want to start a subscription for.
Run the command separately for each of the below log types:
Audit.AzureActiveDirectory
Audit.Exchange
Audit.SharePoint
Audit.General - (includes all other workloads not included in the previous content types)
DLP.All - (DLP events only for all workloads)