Forum Discussion
Pablo R. Ortiz
Feb 09, 2018Steel Contributor
Audit Log Search unaccurate info on SharingPolicyChanged - UserIDs app@sharepoint
My client wants to receive an Alert when some admin changes the Sharing Policy of a Site Collection. So we went to search the Audit Logs in S&C for "Site administration activities -> Changed a sharing policy", and performed a test search. It returned the audited events but, to my surprise, the UserId is "app@SharePoint", so we are not able to identify the Admin who performed the action. We tried with Powershell Search-UnifiedAuditLog with same results. Also, we tried to find logs in Azure AD activity logs, but no entry for Changed a sharing policy or similar. We also checked Get-MsolUser with the ID thrown by the event, with no success.
It would be great to have this adjusted
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) -Operations SharingPolicyChanged -SessionCommand ReturnLargeSet
- Mmm...have you tried to query the SPO Change Log to see if you get more useful information?
- Mmm...have you tried to query the SPO Change Log to see if you get more useful information?
- Pablo R. OrtizSteel Contributorwill try that, but at this point my client is a little dissapointed with S&C Alerts
Agreed. And there are other events generating similar entries. For example, the eDiscovery functionalities.