Forum Discussion
Onedrive audit log when admin logs into user account - what's expected behaviour?
Just correcting this as in light of new information. After another look at this, I can in fact see the name of the admin granting themselves access. I don't know how I missed this the first time around, nor how my colleague did who also tested it for me. Did we both miss it, or did MS change something? Who knows.
In the audit log under more information there's a clear and obvious box that shows the admin name. Whilst setting alerts on this is clunky because it comes through as app@sharepoint, at least you can manually investigate and get a name.
app@sharepoint is usually some background process, it should not be displaying it like that if you as the admin explicitly granted yourself permissions. So the question is how did you grant them exactly?
For the record, for me it also displays the actual user's UPN.
Right, makes sense that the O365 Admin center devs will mess things up, as usual :) I'm guessing they are doing some behind the scenes mumbo jumbo that ends up executing the request in the context of the SPO system account.
Anyway, best way to report this is via the Feedback page on the O365 Admin center, or via support case. I'll see if I can find anyone on MS side to ping about this in the meantime.
- So I got a reply. MS tell me this is expected behaviour. App@sharepoint will appear in the logs unless the admin actions a change in a file, then the audit will show the admin's details. So, if like us, your org has around 20 admin, you could go snooping, sort-off. I don't think that's ideal.
Just correcting this as in light of new information. After another look at this, I can in fact see the name of the admin granting themselves access. I don't know how I missed this the first time around, nor how my colleague did who also tested it for me. Did we both miss it, or did MS change something? Who knows.
In the audit log under more information there's a clear and obvious box that shows the admin name. Whilst setting alerts on this is clunky because it comes through as app@sharepoint, at least you can manually investigate and get a name.
Hi, if you are speaking internally. The premium support ticket I raised is 13074261. I'll let you know what comes back.
- That's helpful thanks. I'll do that