Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community
SOLVED

Audit logs - "Denied access request" - What does this mean exactly?

Copper Contributor

I'm in Purview and looking at the filterable activities under Audit and I run across "Denied access request." Looking at the description in the docs, it says "An access request to a site, folder, or document was denied." I think this description is a bit vague and I was wondering if someone can explain which of my understanding is the right one.

I think it either logs:

  • A) A user with insufficient permissions tries to access resource and is greeted by a "You don't have enough permissions" screen. (User attempt is logged?)
  • B) A user with insufficient permissions tries to access resource and is greeted by a "You don't have enough permissions" screen. The user then clicks on the button on the screen to request access. The owner/admin of the resource sees the request then intentionally denies it. (Owner denying is logged? Or User being denied is logged?)
2 Replies
best response confirmed by _Mk_Andrada (Copper Contributor)
Solution

Hi @_Mk_Andrada 

 

This activity refers to option B and logs what user performed the rejection of the access request. You can see who requested access to the file but the user of the activity "denied access request" is the owner of the file that received the notification and hit "decline". 

 

I ran through this scenario in my lab to confirm when user A, Aaron, opened a file they did not have access to and was greeted by the "no access, request" screen (there is no log of a user seeing this screen) so Aaron requested access (the request is logged as "created access request"). User B, Mike, is the file owner and received the request and hit reject. The results are below.

 

Created access request:

miller34mike_1-1687256137849.png

 

Denied access request:

miller34mike_0-1687255716756.png

Excellent detective work yet again! Thanks Mike!
1 best response

Accepted Solutions
best response confirmed by _Mk_Andrada (Copper Contributor)
Solution

Hi @_Mk_Andrada 

 

This activity refers to option B and logs what user performed the rejection of the access request. You can see who requested access to the file but the user of the activity "denied access request" is the owner of the file that received the notification and hit "decline". 

 

I ran through this scenario in my lab to confirm when user A, Aaron, opened a file they did not have access to and was greeted by the "no access, request" screen (there is no log of a user seeing this screen) so Aaron requested access (the request is logged as "created access request"). User B, Mike, is the file owner and received the request and hit reject. The results are below.

 

Created access request:

miller34mike_1-1687256137849.png

 

Denied access request:

miller34mike_0-1687255716756.png

View solution in original post