Forum Discussion

TonyRedmond's avatar
TonyRedmond
MVP
Jun 14, 2018

Understanding External Access to Documents in an Office 365 Tenant (Part 3)

The Office 365 Audit Log holds lots of interesting information about how people share information. In this article, we explore how to use the audit log records to discover the document sharing habits...
SharePoint Online
VasilMichev's avatar
VasilMichev
MVP
Jun 14, 2018

I've got something better for you - check out all the entries for the "Unknown" principal in the Audit log, all of them linked to the SPO appID. I'll give you a hint, all of them are external :)

 

And the scary part - big percentage of those actually show as "Success" logins. And the even scarier part - CAS shows more details about those events than the O365 Audit log. Guess you have to pay more to get more, even when it comes to the detail level of the events in the audit log :)

  • TonyRedmond's avatar
    TonyRedmond
    MVP
    Jun 14, 2018

    The "unknown" user logins reported by Azure Active Directory are interesting because they happen quite often (72 records of 5,000 in a quick test I did against my tenant), but they don't tell you anything about what documents are being shared within a tenant, which was the purpose of this exercise...

     

    In saying this, it's still interesting that Azure AD logs quite so many of these records.

Resources