Feb 09 2018 02:03 AM
My client wants to receive an Alert when some admin changes the Sharing Policy of a Site Collection. So we went to search the Audit Logs in S&C for "Site administration activities -> Changed a sharing policy", and performed a test search. It returned the audited events but, to my surprise, the UserId is "app@SharePoint", so we are not able to identify the Admin who performed the action. We tried with Powershell Search-UnifiedAuditLog with same results. Also, we tried to find logs in Azure AD activity logs, but no entry for Changed a sharing policy or similar. We also checked Get-MsolUser with the ID thrown by the event, with no success.
It would be great to have this adjusted
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) -Operations SharingPolicyChanged -SessionCommand ReturnLargeSet
Feb 09 2018 10:39 AM
Agreed. And there are other events generating similar entries. For example, the eDiscovery functionalities.
Feb 09 2018 10:44 AM
SolutionFeb 09 2018 11:14 AM
Feb 09 2018 10:44 AM
Solution