Table: MicrosoftGraphActivityLogs
ResponseStatusCode: 401
In Microsoft Sentinel or Log Analytics workspaces, when analyzing logs for Microsoft Entra ID (formerly Azure AD) or Microsoft Graph API requests, a rejected request shows up with HTTP status code 401 (Unauthorized) when the bearer token is missing, expired or otherwise invalid, and 403 (Forbidden) when the token was accepted but lacks the scope or role the endpoint requires. Both are worth filtering on, but the question's wording ("insufficient authorization") is conventionally answered with 401.
According to Microsoft documentation for Microsoft Graph Activity Logs (part of Microsoft Entra ID logs integration with Azure Monitor and Sentinel), the ResponseStatusCode field contains the HTTP response code for API requests made to Microsoft Graph. The most relevant codes are:
401 – Unauthorized: The request could not be completed due to invalid or missing authentication credentials.
403 – Forbidden: The request was authenticated but does not have permission for the requested resource.
The question asks for requests that failed "due to insufficient authorization." In HTTP, and in the error responses Microsoft Graph returns, 401 Unauthorized means the request could not be authenticated at all (no token, expired token, wrong audience), while 403 Forbidden means the caller was identified but does not hold the required permission. The question's wording maps most directly to the code Graph labels "Unauthorized", HTTP 401, which is the expected answer. In practice, though, a principal that is authenticated but lacks permissions produces 403, not 401, so a query that matches only one of the two codes will miss half of the authorization failures an analyst actually cares about.
The MicrosoftGraphActivityLogs table stores these entries, as it captures API requests from Entra-integrated applications to Microsoft Graph endpoints, including the fields ResponseStatusCode, AppId, UserId, ServicePrincipalId, RequestUri, and RequestMethod.
The appropriate KQL query completion would therefore be:
MicrosoftGraphActivityLogs
| where ResponseStatusCode in (401, 403)   // 401: credential rejected, 403: permission missing
| project AppId, UserId, ServicePrincipalId, ResponseStatusCode, RequestUri, RequestMethod
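The query above lists individual failures. The following is an added example, written here and not taken from the original page or from Microsoft's documentation, that builds on it to split credential failures (401) from permission failures (403) per calling principal and to flag principals that are repeatedly refused across many distinct Graph endpoints, a pattern seen when a compromised or misconfigured application probes for permissions it does not hold. It uses only the columns named above plus TimeGenerated, the ingestion-time column every Log Analytics table carries; the one-day window and the thresholds of 20 failures and 5 endpoints are assumptions chosen for illustration and should be tuned to the tenant.

```kql
// Added example, not from the original page or Microsoft's documentation.
// Assumptions: TimeGenerated is the standard Log Analytics timestamp column;
// the 1-day window and the 20 / 5 thresholds are illustrative, not recommended values.
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(1d)
| where ResponseStatusCode in (401, 403)
// A request carries either a delegated user identity or an app-only service
// principal; coalesce picks whichever of the two is populated.
| extend Principal = coalesce(UserId, ServicePrincipalId)
// Keep only the URL path so /v1.0/users?$top=5 and /v1.0/users?$top=10 count once.
| extend Endpoint = tostring(parse_url(RequestUri).Path)
| summarize
    Auth401 = countif(ResponseStatusCode == 401),       // token missing / invalid / expired
    Forbidden403 = countif(ResponseStatusCode == 403),  // token valid, permission missing
    DistinctEndpoints = dcount(Endpoint),
    SampleEndpoints = make_set(Endpoint, 5),
    Methods = make_set(RequestMethod),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by AppId, Principal
| extend Verdict = case(
    Forbidden403 >= 20 and DistinctEndpoints >= 5, "PermissionProbing",
    Auth401 >= 20, "RepeatedCredentialFailure",
    "BelowThreshold")
| where Verdict != "BelowThreshold"
| order by Forbidden403 desc, Auth401 desc
```

The two verdicts deserve different triage: a burst of 403s across many endpoints from one AppId and principal points at an identity that has a working token but is reaching beyond its consented permissions, which is the "insufficient authorization" case an investigator usually wants; a burst of 401s is more often an expired secret or a misconfigured client, but a 401 storm from an unfamiliar AppId is still worth checking against the tenant's app registrations.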