Forum Discussion

DazzaR's avatar
DazzaR
Steel Contributor
Feb 08, 2019

Onedrive audit log when admin logs into user account - what's expected behaviour?

Hi

 

what should I see in the audit log when an admin grants themselves access to a users onedrive account?

 

If I go to the security and compliance centre and use the investigation tab to look at activity on the user account I can see that app@sharepoint gave themselves site collection access. When I asked on another forum, a different admin on another tenant sees the actual name of the admin who accessed the account. I'm not sure what the majority experience is? If you have access to this yammer group you can see my earlier thread - https://www.yammer.com/officeenterprisenda/threads/1233679128

  • Just correcting this as in light of new information. After another look at this, I can in fact see the name of the admin granting themselves access. I don't know how I missed this the first time around, nor how my colleague did who also tested it for me. Did we both miss it, or did MS change something? Who knows.

    In the audit log under more information there's a clear and obvious box that shows the admin name. Whilst setting alerts on this is clunky because it comes through as app@sharepoint, at least you can manually investigate and get a name.

     

     

  • app@sharepoint is usually some background process, it should not be displaying it like that if you as the admin explicitly granted yourself permissions. So the question is how did you grant them exactly?

     

    For the record, for me it also displays the actual user's UPN.

    • DazzaR's avatar
      DazzaR
      Steel Contributor
      Thanks. It's via this method
      • Right, makes sense that the O365 Admin center devs will mess things up, as usual :) I'm guessing they are doing some behind the scenes mumbo jumbo that ends up executing the request in the context of the SPO system account.

         

        Anyway, best way to report this is via the Feedback page on the O365 Admin center, or via support case. I'll see if I can find anyone on MS side to ping about this in the meantime.

Resources