Forum Discussion
Understanding External Access to Documents in an Office 365 Tenant (Part 3)
The Office 365 Audit Log holds lots of interesting information about how people share information. In this article, we explore how to use the audit log records to discover the document sharing habits of users, including the documents shared with guest users and people outside the tenant.
https://www.petri.com/external-access-documents-office-365-part-3
I've got something better for you - check out all the entries for the "Unknown" principal in the Audit log, all of them linked to the SPO appID. I'll give you a hint, all of them are external :)
And the scary part - big percentage of those actually show as "Success" logins. And the even scarier part - CAS shows more details about those events than the O365 Audit log. Guess you have to pay more to get more, even when it comes to the detail level of the events in the audit log :)
The "unknown" user logins reported by Azure Active Directory are interesting because they happen quite often (72 records of 5,000 in a quick test I did against my tenant), but they don't tell you anything about what documents are being shared within a tenant, which was the purpose of this exercise...
In saying this, it's still interesting that Azure AD logs quite so many of these records.
