Graph API: How can we audit mailbox access by Application Permission AD apps that have been granted admin consent? We are logging client-request-id, request-id, timestamp and x-ms-ags-diagnostic from the HTTP response headers of Graph, but we have to reach Microsoft to get details of these calls.
For an Azure AD/Office 365 admin, Graph API audit logs should be available in the Security and Compliance section.
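A client-side audit record built from the response headers named in the post above, as an added example that is not part of the thread and not Microsoft's code. The function name, the record fields, the use of the `Date` header as the timestamp and the sample header values are assumptions.

```python
import json
from urllib.parse import urlsplit

# Headers the post says are logged; "date" as the timestamp source is an assumption.
CORRELATION_HEADERS = ("client-request-id", "request-id", "date", "x-ms-ags-diagnostic")


def graph_audit_record(method, url, status, headers, app_id):
    """Build one audit record for a Graph call from its response headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    missing = [name for name in CORRELATION_HEADERS if name not in h]
    # x-ms-ags-diagnostic carries a JSON object; keep the raw value if it does not parse.
    diag_raw = h.get("x-ms-ags-diagnostic")
    try:
        diag = json.loads(diag_raw) if diag_raw else None
    except ValueError:
        diag = {"unparsed": diag_raw}
    # Record which mailbox was touched: the path segment after /users/.
    path = urlsplit(url).path  # query string dropped, it may hold search terms
    parts = path.strip("/").split("/")
    i = parts.index("users") + 1 if "users" in parts else len(parts)
    mailbox = parts[i] if i < len(parts) else None
    return {
        "timestamp": h.get("date"),
        "app_id": app_id,
        "method": method,
        "path": path,
        "mailbox": mailbox,
        "status": status,
        "client_request_id": h.get("client-request-id"),
        "request_id": h.get("request-id"),
        "ags_diagnostic": diag,
        "missing_headers": missing,  # non-empty means the call cannot be fully correlated
    }


# Constructed sample response headers and URL (not captured from a real tenant).
SAMPLE_URL = "https://graph.microsoft.com/v1.0/users/alice@example.com/messages?$top=5"
SAMPLE_HEADERS = {
    "Date": "Tue, 01 Jan 2030 10:00:00 GMT",
    "request-id": "11111111-2222-3333-4444-555555555555",
    "client-request-id": "11111111-2222-3333-4444-555555555555",
    "x-ms-ags-diagnostic": '{"ServerInfo":{"DataCenter":"Example DC","RoleInstance":"EXAMPLE0000"}}',
}

if __name__ == "__main__":
    rec = graph_audit_record("GET", SAMPLE_URL, 200, SAMPLE_HEADERS,
                             app_id="00000000-0000-0000-0000-000000000000")
    print(json.dumps(rec, sort_keys=True))  # one JSON line per Graph call
```

Writing one such line per call to an append-only store gives the app owner a record of which mailbox each request touched, keyed by the same IDs the post says have to be handed to Microsoft for lookup.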
Julian Aymanns commented
I strongly agree! This feature is a must-have for applications that have application Mail.Read access.
Email access does not even show up in the audit logs when "MessageBind" is activated on the respective mailbox. Hence, affected client secrets could be abused without a trace.