SOLVED

Onedrive audit log when admin logs into user account - what's expected behaviour?


Hi

What should I see in the audit log when an admin grants themselves access to a user's OneDrive account?

If I go to the security and compliance centre and use the investigation tab to look at activity on the user account I can see that app@sharepoint gave themselves site collection access. When I asked on another forum, a different admin on another tenant sees the actual name of the admin who accessed the account. I'm not sure what the majority experience is? If you have access to this Yammer group you can see my earlier thread - https://www.yammer.com/officeenterprisenda/threads/1233679128

8 Replies

app@sharepoint is usually some background process, it should not be displaying it like that if you as the admin explicitly granted yourself permissions. So the question is how did you grant them exactly?

For the record, for me it also displays the actual user's UPN.

Thanks. It's via this method

Right, makes sense that the O365 Admin center devs will mess things up, as usual :) I'm guessing they are doing some behind the scenes mumbo jumbo that ends up executing the request in the context of the SPO system account.

Anyway, best way to report this is via the Feedback page on the O365 Admin center, or via support case. I'll see if I can find anyone on MS side to ping about this in the meantime.

That's helpful thanks. I'll do that

Hi, if you are speaking internally, the premium support ticket I raised is 13074261. I'll let you know what comes back.

So I got a reply. MS tell me this is expected behaviour. App@sharepoint will appear in the logs unless the admin actions a change in a file, then the audit will show the admin's details. So, if like us, your org has around 20 admins, you could go snooping, sort of. I don't think that's ideal.

I agree, it's a given admin that pressed the button/link, so this should be correctly reflected in the audit log.

Best Response confirmed by Darrel Richardson (Frequent Contributor)
Solution

Just correcting this in light of new information. After another look at this, I can in fact see the name of the admin granting themselves access. I don't know how I missed this the first time around, nor how my colleague did who also tested it for me. Did we both miss it, or did MS change something? Who knows.

In the audit log under more information there's a clear and obvious box that shows the admin name. Whilst setting alerts on this is clunky because it comes through as app@sharepoint, at least you can manually investigate and get a name.
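
A triage sketch for the situation this thread ends on, added here as an example and not written by any poster or by Microsoft: it scans exported audit records for site collection admin grants logged under app@sharepoint and pulls the named account out of the record detail so the events can be reviewed or alerted on. The operation name `SiteCollectionAdminAdded` and the fields `TargetUserOrGroupName` and `ModifiedProperties` are assumptions about the export format, and the sample records are constructed; check both against your own tenant's export.

```python
import json

SYSTEM_ACTOR = "app@sharepoint"          # actor string quoted in the thread
GRANT_OP = "SiteCollectionAdminAdded"    # assumed operation name; check your export

# Constructed sample records (not real tenant data); field names are assumptions.
SAMPLE = [
    json.dumps({"CreationTime": "2019-02-01T09:14:02", "Operation": GRANT_OP,
                "UserId": "app@sharepoint",
                "ObjectId": "https://example-my.sharepoint.com/personal/user1",
                "TargetUserOrGroupName": "admin.a@contoso.example"}),
    json.dumps({"CreationTime": "2019-02-01T10:30:45", "Operation": GRANT_OP,
                "UserId": "admin.b@contoso.example",
                "ObjectId": "https://example-my.sharepoint.com/personal/user2",
                "ModifiedProperties": [{"Name": "SiteAdmin", "NewValue": "admin.b@contoso.example"}]}),
    json.dumps({"CreationTime": "2019-02-01T11:02:10", "Operation": GRANT_OP,
                "UserId": "app@sharepoint",
                "ObjectId": "https://example-my.sharepoint.com/personal/user3"}),
    json.dumps({"CreationTime": "2019-02-01T11:05:00", "Operation": "FileAccessed",
                "UserId": "user3@contoso.example", "ObjectId": "doc.docx"}),
]

def granted_to(rec):
    """Return the account that received access, from either assumed field."""
    if rec.get("TargetUserOrGroupName"):
        return rec["TargetUserOrGroupName"]
    for prop in rec.get("ModifiedProperties") or []:
        if prop.get("Name") == "SiteAdmin" and prop.get("NewValue"):
            return prop["NewValue"]
    return None

def resolve_grants(raw_records):
    """List admin-grant events; a masked event with no named target is
    flagged needs_review so it is investigated by hand."""
    findings = []
    for raw in raw_records:
        rec = json.loads(raw)
        if rec.get("Operation") != GRANT_OP:
            continue
        masked = rec.get("UserId", "").lower() == SYSTEM_ACTOR
        target = granted_to(rec)
        findings.append({
            "time": rec.get("CreationTime"),
            "site": rec.get("ObjectId"),
            "logged_actor": rec.get("UserId"),
            "granted_to": target,
            "masked": masked,
            "needs_review": masked and target is None,
        })
    return findings
```

Alerting on `masked` events keyed by `granted_to` avoids depending on the logged actor, which the thread reports as app@sharepoint.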