The ***blinking*** problem that causes "app@sharepoint" to show up in Delve as the author of documents appeared in November, went away in early December, and has now reappeared. What's going on?

I've created a (regular) ticket in Office 365, and this is the response I got: The Account app@sharepoint is related to the SharePoint Applications (Auditing logs/Virus), it is a system account, belongs to the SharePoint Farms infrastructure, it was created to run on all Site Collections/Personal sites to collect auditing information. When the user provides some changes for his own Site Collection, or enables features or activates the site Auditing logs, his own account does not have the write permissions on the SharePoint Farm and this account it will be used to run and collect all the necessary information to be provided to the customer. Microsoft has set up a few security accounts to run in all Farms, in order for our customer to do some tasks, and get the required information. Also it is necessary for user security, for these accounts to always track the Site Collection searching for viruses that can be uploaded into SharePoint. Microsoft will not change that, all Farms have the same configuration and this same system account, and all Site Collections will use this account if they need to do it.What Activities Should the customer expect from this account?From the Customer side nothing will be expected, everything will be running normal, as should be, this account will not affect the Site Collection functionality or personal site, all the information on the Site Collection will be secure, and only the Site Owners and all people who have permissions to the site can see the information inside and share the same. This account can be visible if we create an auditing for our Site Collection or personal site. All private information is safe and, nothing will be collected, as we said before this account only gets information for auditing and looks for possible virus attack. Not in the slightest a helpful response *sigh* :(

Well, it is an answer, albeit a poor one. The problem is not that Microsoft has created accounts to take care of some background activity, which is perfectly acceptable and useful. The issue is that the Delve feels compelled to surface the existence of the dreaded app@sharepoint account. I have got to believe that it is within the wits of man and software engineering to filter out this activity... Come on Microsoft, let's fix this lingering irritation!

Hey TonyRedmond, Here's another juicy bit information, though I'd take with a grain of salt, as I've gathered some additional information on how this error is related to the new and old Delve entry points, see this thread: https://techcommunity.microsoft.com/t5/Delve/Anyone-also-seeing-app-sharepoint-com-in-Delve/m-p/34684/highlight/false#M209 Here's the latest support response: Please know that I received updates from the Production Group, that specify the following:“This is one System account, that normally is used when the customer sets up, one App, and provides that App a high level permission to run on the SharePoint Site. In this particular case, an App was probably created, or set up, or even for example a workflow and was given an Elevated Permission, on the SharePoint Site, and because of that, the account is shown as the last one that modified the documents. So the customer needs to look for all Apps he has on SharePoint, and see which one has this high level permission. This can be the reason that this account is showing up.” In my case I don't have any additional apps allowed for the documents affected on that site, so I'm sure the statement is inaccurate.

Yeah, I already posted a message about this "problem". According to Mark-Kashman the team is aware of the issue and working on a fix

I've also been talking to Mark. We discussed the issue after it first appeared, then I was told that all was well and a fix was in hand. Cue for sigh of relief... especially when the fix apparently appeared in production and Delve showed what it supposed to show. Then yesterday everything went wrong again... hence the commentary. I like Delve a lot but problems like this make me think that the development team doesn't use their own code for real work. If they did, they would surely have noticed and fixed the issue a long time ago...

The dreaded App@SharePoint user name problem

18 Replies

Hemi610
Copper Contributor
Feb 26, 2025
This is still an issue albeit not in Delve. SharePoint/OneDrive Malware alerts all list mailto:app@SharePoint as the user who uploaded the malware. Our security team are not SharePoint admins and so cannot grant themselves access to the sites, to discover the actual user who uploaded the problem files. So, just figuring out who uploaded malicious files is an all-hands-on-deck affair when it should not be. Why can't I just see who uploaded a file, from the Defender portal?
Ivan54
Bronze Contributor
Jan 16, 2017
I've created a (regular) ticket in Office 365, and this is the response I got:

The Account app@sharepoint is related to the SharePoint Applications (Auditing logs/Virus), it is a system account, belongs to the SharePoint Farms infrastructure, it was created to run on all Site Collections/Personal sites to collect auditing information. When the user provides some changes for his own Site Collection, or enables features or activates the site Auditing logs, his own account does not have the write permissions on the SharePoint Farm and this account it will be used to run and collect all the necessary information to be provided to the customer. Microsoft has set up a few security accounts to run in all Farms, in order for our customer to do some tasks, and get the required information. Also it is necessary for user security, for these accounts to always track the Site Collection searching for viruses that can be uploaded into SharePoint. Microsoft will not change that, all Farms have the same configuration and this same system account, and all Site Collections will use this account if they need to do it.
What Activities Should the customer expect from this account?
From the Customer side nothing will be expected, everything will be running normal, as should be, this account will not affect the Site Collection functionality or personal site, all the information on the Site Collection will be secure, and only the Site Owners and all people who have permissions to the site can see the information inside and share the same. This account can be visible if we create an auditing for our Site Collection or personal site. All private information is safe and, nothing will be collected, as we said before this account only gets information for auditing and looks for possible virus attack.

Not in the slightest a helpful response *sigh* :(
- Ivan54
  Bronze Contributor
  Jan 24, 2017
  no feedback yet from Microsoft Support.
  - TonyRedmond
    MVP
    Jan 24, 2017
    Depressingly the norm for this issue...
- TonyRedmond
  MVP
  Jan 16, 2017
  Well, it is an answer, albeit a poor one. The problem is not that Microsoft has created accounts to take care of some background activity, which is perfectly acceptable and useful. The issue is that the Delve feels compelled to surface the existence of the dreaded app@sharepoint account. I have got to believe that it is within the wits of man and software engineering to filter out this activity... Come on Microsoft, let's fix this lingering irritation!
  - Ivan54
    Bronze Contributor
    Jan 16, 2017
    I've tried to convey the issue again to Microsoft.
    I hope the engineer properly understood the issue, and also the working scenario when searching in delve for the affected documents.
MichaelHolste
Microsoft
Dec 29, 2016
Adding nickrob for visability.
- Ivan54
  Bronze Contributor
  Jan 05, 2017
  We're having the same issues.
Yngvar Mo
Copper Contributor
Dec 21, 2016
The same problem at our site.. Started appearing in Desember

Regrads
Yngvar
jcgonzalezmartin
MVP
Dec 16, 2016
Yeah, I already posted a message about this "problem". According to Mark-Kashman the team is aware of the issue and working on a fix
- TonyRedmond
  MVP
  Dec 17, 2016
  I've also been talking to Mark. We discussed the issue after it first appeared, then I was told that all was well and a fix was in hand. Cue for sigh of relief... especially when the fix apparently appeared in production and Delve showed what it supposed to show. Then yesterday everything went wrong again... hence the commentary.
  
  I like Delve a lot but problems like this make me think that the development team doesn't use their own code for real work. If they did, they would surely have noticed and fixed the issue a long time ago...

Forum Discussion

The dreaded App@SharePoint user name problem

18 Replies

Resources