Forum Discussion
How to reveal anonymous submissions in Microsoft Forms
Actually, it can be possible if the admin has enabled the audit log. If they query the logs for CreateResponse events, they can find something like below.
It shows when the user voted (with second precision in UTC) and the ResponseId. When you check the result Excel file, you can find the IDs in the first column and the answer time in the second and third columns. By cross-correlating them you can find which vote was whose.
RunspaceId : eed91bd7-f7b9-466f-8294-16ad2b347806
RecordType : MicrosoftForms
CreationDate : 2020-11-24 13:54:42
UserIds : ***
Operations : CreateResponse
AuditData : {"CreationTime":"2020-11-14T13:54:42","Id":"***","Operation":"CreateResponse","OrganizationId":"***","RecordType":66,"ResultStatus":"Succeeded","UserKey":"","UserType":0,"Version":1,"Workload":"MicrosoftForms","ClientIP":"","UserId":"<email@email>","ActivityParameters":"\"ResponseId\":4}","FormId":"Ho024XU55kyJPfw1H9RNzXN-mpx4yKxGhcITCP5K3UJURThFQVNOVUEyOUxSRVVXSFUyQTU4NExMMC4u","FormName":"Pytanie","FormsUserType":1,"SourceApp":"ms-teamsbot"}
Note that I replaced some parts with asterisks; in the original response you can find the real e-mail there.
- RobElliott, Nov 27, 2020, Silver Contributor
Karol Grodzicki any situation where with an anonymous response it would be possible to find out the details of the responder would be really worrying from a legal point of view.
Rob
Los Gallardos
Microsoft Power Automate Community Super User
- Karol Grodzicki, Nov 27, 2020, Copper Contributor
RobElliott This is the result of experiments we recently did in the administration team before deciding if it can be used in important secret votes inside the organization. And in an enterprise tenant we could find the vote's authors with such cross-correlation.
If you want to reproduce it, 30 minutes after voting, open Exchange Online PowerShell and type something like this:
Search-UnifiedAuditLog -StartDate 2020-11-27 -EndDate 2020-11-28 -Operations CreateResponse,UpdateResponse -UserIds some.user@domain.com
You'll get their votes from the last day. If you also have the result Excel, you can find which vote is which.
It looks like there are two remedies:
1. Disable audit logs
2. Require the organizer to export the Excel right after voting, remove the ID and date columns, sort the results, delete the form (+ delete from recycle bin). That prevents even global admins from getting the result Excel.
Global admins in Microsoft 365 are pretty powerful (and even more powerful are on-premise admins). The security & compliance features allow pretty deep insight into mail contents or OneDrive files. That's the way IT works, you need to trust IT 😉
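The second remedy in the post above (strip the ID and date columns, then sort) can be scripted so it is applied the same way every time. This is an added example, not part of the original post; it assumes the organizer has saved the results sheet as CSV, and the sample header names and rows are constructed.

```python
import csv
import io

# Per the post: column 1 holds the response ID, columns 2 and 3 the answer times.
# These are the values that line up with ResponseId / CreationTime in the audit log.
LINKABLE_COLUMNS = 3

# Constructed sample export (header names and rows are illustrative only).
SAMPLE_EXPORT = (
    "ID,Start time,Completion time,Candidate\n"
    "1,11/27/2020 13:50:02,11/27/2020 13:50:40,Bob\n"
    "2,11/27/2020 13:52:10,11/27/2020 13:52:31,Alice\n"
    "3,11/27/2020 13:53:05,11/27/2020 13:53:30,Bob\n"
    "4,11/27/2020 13:54:20,11/27/2020 13:54:42,Carol\n"
)


def sanitize_export(csv_text: str, linkable_columns: int = LINKABLE_COLUMNS) -> str:
    """Drop the leading ID/time columns and sort the remaining rows.

    Sorting matters as much as dropping columns: rows are exported in
    submission order, so an unsorted sheet still reveals who answered first.
    """
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if r]
    if not rows:
        raise ValueError("export is empty")
    header, body = rows[0], rows[1:]
    if len(header) <= linkable_columns:
        raise ValueError("no answer columns left after the ID/time columns")
    for line_no, row in enumerate(body, start=2):
        if len(row) != len(header):
            raise ValueError(f"row {line_no}: {len(row)} cells, expected {len(header)}")

    kept_rows = sorted(row[linkable_columns:] for row in body)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header[linkable_columns:])
    writer.writerows(kept_rows)
    return out.getvalue()


if __name__ == "__main__":
    print(sanitize_export(SAMPLE_EXPORT), end="")
```

The sanitized file is only useful as a remedy once the form itself has been deleted as described in the post, since the original sheet can otherwise be exported again.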
- RobElliott, Nov 27, 2020, Silver Contributor
What part of "anonymous" do you not understand? Any form which you have told a responder will be anonymous MUST be anonymous by law.