Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community

Audit logs - "Denied access request" - What does this mean exactly?

Copper Contributor

I'm in Purview and looking at the filterable activities under Audit and I run across "Denied access request." Looking at the description in the docs, it says "An access request to a site, folder, or document was denied." I think this description is a bit vague and I was wondering if someone can explain which of my understanding is the right one.

I think it either logs:

  • A) A user with insufficient permissions tries to access resource and is greeted by a "You don't have enough permissions" screen. (User attempt is logged?)
  • B) A user with insufficient permissions tries to access resource and is greeted by a "You don't have enough permissions" screen. The user then clicks on the button on the screen to request access. The owner/admin of the resource sees the request then intentionally denies it. (Owner denying is logged? Or User being denied is logged?)
2 Replies
best response confirmed by _Mk_Andrada (Copper Contributor)

Hi @_Mk_Andrada 


This activity refers to option B and logs what user performed the rejection of the access request. You can see who requested access to the file but the user of the activity "denied access request" is the owner of the file that received the notification and hit "decline". 


I ran through this scenario in my lab to confirm when user A, Aaron, opened a file they did not have access to and was greeted by the "no access, request" screen (there is no log of a user seeing this screen) so Aaron requested access (the request is logged as "created access request"). User B, Mike, is the file owner and received the request and hit reject. The results are below.


Created access request:



Denied access request:


Excellent detective work yet again! Thanks Mike!