SOLVED

Audit Log Search inaccurate info on SharingPolicyChanged - UserIDs app@sharepoint

My client wants to receive an Alert when some admin changes the Sharing Policy of a Site Collection. So we went to search the Audit Logs in S&C for "Site administration activities -> Changed a sharing policy", and performed a test search. It returned the audited events but, to my surprise, the UserId is "app@SharePoint", so we are not able to identify the Admin who performed the action. We tried with PowerShell Search-UnifiedAuditLog with the same results. Also, we tried to find logs in Azure AD activity logs, but there was no entry for Changed a sharing policy or similar. We also checked Get-MsolUser with the ID thrown by the event, with no success.

It would be great to have this adjusted.

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) -Operations SharingPolicyChanged -SessionCommand ReturnLargeSet

3 Replies

Agreed. And there are other events generating similar entries. For example, the eDiscovery functionalities.

best response confirmed by Pablo R. Ortiz (Regular Contributor)
Solution
Mmm...have you tried to query the SPO Change Log to see if you get more useful information?
Will try that, but at this point my client is a little disappointed with S&C Alerts.
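
An added example, not part of the original thread: one way to expand the AuditData JSON returned by the Search-UnifiedAuditLog query in the question and separate the records attributed only to app@sharepoint, so the other recorded fields can be reviewed. The function name, the sample rows and the AuditData field names used here (ObjectId, ClientIP, UserAgent, CorrelationId) are assumptions; check them against the records your tenant returns.

```powershell
# Constructed sample rows shaped like Search-UnifiedAuditLog output (not real tenant data).
# The AuditData field names below are assumptions; a missing field simply yields $null.
$sample = @(
    [pscustomobject]@{
        CreationDate = [datetime]'2018-02-01T10:15:00Z'
        AuditData    = '{"Operation":"SharingPolicyChanged","UserId":"app@sharepoint","ObjectId":"https://contoso.sharepoint.com/sites/example","ClientIP":"203.0.113.10","CorrelationId":"00000000-0000-0000-0000-000000000001"}'
    },
    [pscustomobject]@{
        CreationDate = [datetime]'2018-02-01T11:40:00Z'
        AuditData    = '{"Operation":"SharingPolicyChanged","UserId":"admin@contoso.example","ObjectId":"https://contoso.sharepoint.com/sites/other","ClientIP":"203.0.113.20","UserAgent":"ExampleAgent/1.0","CorrelationId":"00000000-0000-0000-0000-000000000002"}'
    }
)

# Hypothetical helper: flattens one audit row into the fields useful for triage.
function Expand-SharingPolicyAudit {
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $d = $Record.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time           = $Record.CreationDate
            UserId         = $d.UserId
            # -eq is case-insensitive, so "app@SharePoint" and "app@sharepoint" both match
            IsAppPrincipal = ($d.UserId -eq 'app@sharepoint')
            Site           = $d.ObjectId
            ClientIP       = $d.ClientIP
            UserAgent      = $d.UserAgent
            CorrelationId  = $d.CorrelationId
        }
    }
}

$expanded = $sample | Expand-SharingPolicyAudit

# Records with no named user: these are the ones an alert cannot attribute.
$expanded | Where-Object IsAppPrincipal |
    Format-Table Time, Site, ClientIP, UserAgent, CorrelationId -AutoSize

# Count of attributed vs. app-principal records per site.
$expanded | Group-Object Site, IsAppPrincipal | Select-Object Name, Count

# Against a live tenant, replace $sample with the query from the question:
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) `
#     -Operations SharingPolicyChanged -SessionCommand ReturnLargeSet |
#     Expand-SharingPolicyAudit
```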