Forum Discussion

Pablo R. Ortiz
Steel Contributor
Feb 09, 2018

Audit Log Search inaccurate info on SharingPolicyChanged - UserIDs app@sharepoint

My client wants to receive an alert when some admin changes the Sharing Policy of a Site Collection. So we went to search the Audit Logs in S&C for "Site administration activities -> Changed a sharing policy" and performed a test search. It returned the audited events but, to my surprise, the UserId is "app@SharePoint", so we are not able to identify the admin who performed the action. We tried PowerShell Search-UnifiedAuditLog, with the same results. We also tried to find logs in the Azure AD activity logs, but there was no entry for "Changed a sharing policy" or similar. We also checked Get-MsolUser with the ID thrown by the event, with no success.

It would be great to have this adjusted.

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) -Operations SharingPolicyChanged -SessionCommand ReturnLargeSet

  • Mmm...have you tried to query the SPO Change Log to see if you get more useful information?
      Pablo R. Ortiz
      Steel Contributor
      Will try that, but at this point my client is a little disappointed with S&C Alerts.
  • Agreed. And there are other events generating similar entries. For example, the eDiscovery functionalities.
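
One way to expand the AuditData payload of the events returned by the search in the original post, so that every field logged beside UserId is visible and the records attributed to app@sharepoint are flagged. This is an added example, not part of the original thread; the function name Expand-SharingPolicyAudit and the sample records are constructed for illustration, and it is not claimed that any of these fields identifies the admin.

```powershell
# Added example: flatten the JSON in AuditData and flag app-attributed events.
function Expand-SharingPolicyAudit {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Record
    )
    process {
        # AuditData is a JSON string carrying the full detail of the event.
        $d = $Record.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            CreationTime  = $d.CreationTime
            Operation     = $d.Operation
            UserId        = $d.UserId
            UserType      = $d.UserType
            UserKey       = $d.UserKey
            ClientIP      = $d.ClientIP
            ObjectId      = $d.ObjectId   # the object the event was logged against
            # -eq is case-insensitive, so "app@SharePoint" also matches.
            AppAttributed = ($d.UserId -eq 'app@sharepoint')
        }
    }
}

# Constructed sample records (not real tenant data) so the function runs offline.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2018-02-08T10:15:00","Operation":"SharingPolicyChanged","UserId":"app@sharepoint","UserType":0,"UserKey":"constructed-key-1","ClientIP":"","ObjectId":"https://tenant.example/sites/a"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2018-02-08T11:40:00","Operation":"SharingPolicyChanged","UserId":"admin@tenant.example","UserType":0,"UserKey":"constructed-key-2","ClientIP":"203.0.113.10","ObjectId":"https://tenant.example/sites/b"}' }
)

$events = $sample | Expand-SharingPolicyAudit

# Full field list per event, oldest first.
$events | Sort-Object CreationTime | Format-List

# How many events carry only the app identity versus a named user.
$events | Group-Object AppAttributed | Select-Object Name, Count

# Against a live, connected session, pipe the search from the post instead:
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) `
#     -Operations SharingPolicyChanged -SessionCommand ReturnLargeSet |
#     Expand-SharingPolicyAudit
```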