Feb 08 2019 12:32 AM
Feb 08 2019 12:32 AM
what should I see in the audit log when an admin grants themselves access to a users onedrive account?
If I go to the security and compliance centre and use the investigation tab to look at activity on the user account I can see that app@sharepoint gave themselves site collection access. When I asked on another forum, a different admin on another tenant sees the actual name of the admin who accessed the account. I'm not sure what the majority experience is? If you have access to this yammer group you can see my earlier thread - https://www.yammer.com/officeenterprisenda/threads/1233679128
Feb 08 2019 09:58 AM
app@sharepoint is usually some background process, it should not be displaying it like that if you as the admin explicitly granted yourself permissions. So the question is how did you grant them exactly?
For the record, for me it also displays the actual user's UPN.
Feb 09 2019 10:00 AM
Right, makes sense that the O365 Admin center devs will mess things up, as usual :) I'm guessing they are doing some behind the scenes mumbo jumbo that ends up executing the request in the context of the SPO system account.
Anyway, best way to report this is via the Feedback page on the O365 Admin center, or via support case. I'll see if I can find anyone on MS side to ping about this in the meantime.
Feb 11 2019 12:52 AM
Hi, if you are speaking internally. The premium support ticket I raised is 13074261. I'll let you know what comes back.
Feb 11 2019 02:39 PM
Feb 11 2019 11:33 PM
I agree, it's a given admin that pressed the button/link, so this should be correctly reflected in the audit log.
Feb 18 2019 07:57 AMSolution
Just correcting this as in light of new information. After another look at this, I can in fact see the name of the admin granting themselves access. I don't know how I missed this the first time around, nor how my colleague did who also tested it for me. Did we both miss it, or did MS change something? Who knows.
In the audit log under more information there's a clear and obvious box that shows the admin name. Whilst setting alerts on this is clunky because it comes through as app@sharepoint, at least you can manually investigate and get a name.