cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Onedrive audit log when admin logs into user account - what's expected behaviour?

DazzaR
Iron Contributor

‎Feb 08 2019 12:32 AM

‎Feb 08 2019 12:32 AM

Onedrive audit log when admin logs into user account - what's expected behaviour?

Hi

 

what should I see in the audit log when an admin grants themselves access to a users onedrive account?

 

If I go to the security and compliance centre and use the investigation tab to look at activity on the user account I can see that app@sharepoint gave themselves site collection access. When I asked on another forum, a different admin on another tenant sees the actual name of the admin who accessed the account. I'm not sure what the majority experience is? If you have access to this yammer group you can see my earlier thread - https://www.yammer.com/officeenterprisenda/threads/1233679128

5,359 Views
0 Likes
8 Replies
Reply
8 Replies
Vasil Michev

‎Feb 08 2019 09:58 AM

‎Feb 08 2019 09:58 AM

Re: Onedrive audit log when admin logs into user account - what's expected behaviour?

app@sharepoint is usually some background process, it should not be displaying it like that if you as the admin explicitly granted yourself permissions. So the question is how did you grant them exactly?

 

For the record, for me it also displays the actual user's UPN.

0 Likes
Reply
DazzaR

‎Feb 09 2019 06:18 AM

‎Feb 09 2019 06:18 AM

Re: Onedrive audit log when admin logs into user account - what's expected behaviour?

Thanks. It's via this method
Preview file
131 KB
0 Likes
Reply
Vasil Michev

‎Feb 09 2019 10:00 AM

‎Feb 09 2019 10:00 AM

Re: Onedrive audit log when admin logs into user account - what's expected behaviour?

Right, makes sense that the O365 Admin center devs will mess things up, as usual :) I'm guessing they are doing some behind the scenes mumbo jumbo that ends up executing the request in the context of the SPO system account.

 

Anyway, best way to report this is via the Feedback page on the O365 Admin center, or via support case. I'll see if I can find anyone on MS side to ping about this in the meantime.

0 Likes
Reply
DazzaR

‎Feb 10 2019 07:47 AM

‎Feb 10 2019 07:47 AM

Re: Onedrive audit log when admin logs into user account - what's expected behaviour?

That's helpful thanks. I'll do that
0 Likes
Reply
DazzaR

‎Feb 11 2019 12:52 AM

‎Feb 11 2019 12:52 AM

Re: Onedrive audit log when admin logs into user account - what's expected behaviour?

Hi, if you are speaking internally. The premium support ticket I raised is 13074261. I'll let you know what comes back.

0 Likes
Reply
DazzaR

‎Feb 11 2019 02:39 PM

‎Feb 11 2019 02:39 PM

Re: Onedrive audit log when admin logs into user account - what's expected behaviour?

So I got a reply. MS tell me this is expected behaviour. App@sharepoint will appear in the logs unless the admin actions a change in a file, then the audit will show the admin's details. So, if like us, your org has around 20 admin, you could go snooping, sort-off. I don't think that's ideal.
1 Like
Reply
Vasil Michev

‎Feb 11 2019 11:33 PM

‎Feb 11 2019 11:33 PM

Re: Onedrive audit log when admin logs into user account - what's expected behaviour?

I agree, it's a given admin that pressed the button/link, so this should be correctly reflected in the audit log.

0 Likes
Reply
best response confirmed by DazzaR (Iron Contributor)
DazzaR

‎Feb 18 2019 07:57 AM

‎Feb 18 2019 07:57 AM

Solution

Re: Onedrive audit log when admin logs into user account - what's expected behaviour?

Just correcting this as in light of new information. After another look at this, I can in fact see the name of the admin granting themselves access. I don't know how I missed this the first time around, nor how my colleague did who also tested it for me. Did we both miss it, or did MS change something? Who knows.

In the audit log under more information there's a clear and obvious box that shows the admin name. Whilst setting alerts on this is clunky because it comes through as app@sharepoint, at least you can manually investigate and get a name.

 

 

Preview file
16 KB
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by DazzaR (Iron Contributor)
DazzaR

‎Feb 18 2019 07:57 AM

‎Feb 18 2019 07:57 AM

Solution

Re: Onedrive audit log when admin logs into user account - what's expected behaviour?

Just correcting this as in light of new information. After another look at this, I can in fact see the name of the admin granting themselves access. I don't know how I missed this the first time around, nor how my colleague did who also tested it for me. Did we both miss it, or did MS change something? Who knows.

In the audit log under more information there's a clear and obvious box that shows the admin name. Whilst setting alerts on this is clunky because it comes through as app@sharepoint, at least you can manually investigate and get a name.

 

 

View solution in original post

Preview file
16 KB
0 Likes
Reply