Microsoft 365 Purview Logs not showing Export List Events
We recently conducted an audit on our system - as we are part of a regulated industry - and had to clarify exactly which user events are captured in the Unified Audit Log. We did the usual confirmations and provided evidence of events where users add, update, delete items in SharePoint Lists and Libraries, however, we were asked specifically if events for exporting List Items to CSV or Excel were captured in the Log. We performed the usual test and waited for the events to appear in Purview, but to our suprise, there was nothing in the Log to indicate a user exporting to CSV or Excel. Can anyone confirm whether Export to CSV or Excel from a SharePoint List should be captured and is reportable in the Audit Log? This seems to be a massive oversight if these events are not auditable?
Unusual Activity for a User
Hi, I have an issue with a user who raised a query that they are having issues syncing files to SharePoint. Whilst I'm investigating this another query came in advising that this same user has been creating folders and uploading documents...... They have confirmed that there account has not been shared and can confirm from the signing in logs on Entra that no suspicious IP address is being used. Anyone have any idea of what is occurring?? I've advised the user to delete any links they have and stop syncing. Regards Chris
Issue with ribbon permissions in Microsoft Project.
I am working on Microsoft Project (EPM) and want to hide the Status button from the ribbon for the Project Manager role. I have already tried adjusting the permissions in PWA settings, but the button is still visible. Could you please suggest an alternative method?
SharePoint Missing Authentication for _vti_bin
The issue with the vti_bin folder is that it is accessible without authentication. However, the remediation measures outlined below are not technically feasible for SharePoint Online (O365). I found few remediations for this issue which are as follows: Configuration Options: Administrators can configure authentication for _vti_bin through various methods, such as: Enabling anonymous access:This allows anyone to access the site and its resources, including _vti_bin URLs, without logging in. Restricting access in Web.config:The Web.config file can be modified to deny access to anonymous users for specific _vti_bin paths. Using the ViewFormPagesLockDown feature:This feature can help restrict access to certain SharePoint resources, including those within _vti_bin The below links are for reference: https://www.c-sharpcorner.com/uploadfile/Roji.Joy/how-to-secure-external-anonymous-access-to-sharepoint-2010-sites/#:~:text=Even%20when%20lockdown%20mode%20is, https://learn.microsoft.com/en-us/archive/blogs/fabdulwahab/security-protecting-sharepoint-server-applications https://sharepoint.stackexchange.com/questions/167264/restricting-access-to-contents-in-vti-bin-for-both-authenticated-as-well-as-a I would like to verify whether the provided fixes are applicable to O365 SharePoint. If they are not, could you please advise on alternative solutions that can be implemented to mitigate this issue?
problems with sharepoint subscription edition post updates. psconfig fails.
We are facing 2 issues, but i suspect its related. OS is server 2025. Patches are current. We applied the sharepoint upgrade: KB5002784 yesterday. At that time we discovered psconfig failed to complete. Initially it was due to a problem with the sharepoint admin service. Of note it would not start. I found this to be a problem with windows exploit protection. Exempting the exe associated with the admin service fixed this and the service now starts. PSconfig still fails, its failing at the spcopysidebyside step. of note the sidebyside log that the error references is never created. additionally running the spcopysidebyside powershell script, and specifiying a log file location also results in no log being created. i suspect this may be another windows exploit protection exemption that needs to be created. at this time im not sure what one is required, nor how this is not effecting all installs vs just ours.
Microsoft IPs in audit logs
I'm investigating an incident and noticed that in many instances throughout the audit log, there is a Microsoft IP address associated with the action (in this case the action is "FileAccessed"). I'd like to know if this is some backend process that occurs automatically when using Sharepoint, or if this action originated from a user, but appears as a Microsoft IP due to some interaction with the server/onedrive/other process. Thanks in advance, helping me with this example could help in a lot of other areas of this audit log investigation as well.
VAPT issue raised for CKEditor 4.13.0 Cross-Site Scripting
URL to JS file: https://testsite.com/_layouts/15/16.0.18526.20508/next/spclient/43.sp-canvas-sp-ckeditor-flight.js Associating Common Weakness Enumeration (CWE) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE 79) Evidence(s) Steps to derive Evidence(s) 1. Request to CKEditor File 2. Reponse indicating the version Recommendation(s) Upgrade CKEditor to the latest version 4.25.1-lts for extended support on the package. As this JS file is a part of SharePoint itself, cannot upgrade explicitly. Can anyone share the mitigation or plan to get it fixed except until Microsoft releases an update for same.Automating Permissions
Question Title: Automating Permissions for New Document Libraries in a SharePoint Hub Site Based on a Templated CSV Description: I have a SharePoint hub site for all our projects. For each new project, I need to create a new document library within this hub site. The challenge I'm facing is that each document library needs a specific, templatized folder and permission structure for different departments. My goal is to find an automated solution that, whenever a new project library through template is created, it automatically applies the correct folder structure and permission levels as defined in my template. Are there any other out-of-the-box SharePoint features or Power Automate that can accomplish this?Help! SharePoint is mixing up my document metadata and it's driving me crazy 😅
Hey everyone! I'm hoping someone here has seen this weird issue before because it's starting to really mess with our approval workflows. What's happening (the really frustrating part) So I built this document management system using SharePoint + Power Automate for our approval process. It was working great for months, but now SharePoint has started doing this really weird thing where it's mixing up metadata between different documents. Like, User A uploads a document, but SharePoint says it was uploaded by User B. Or a document from our other office suddenly shows up as being from another country. It's like SharePoint is getting confused and grabbing random metadata from other files! Here's what I'm seeing with the metadata fields: Wrong uploader names - The metadata shows the wrong person uploaded it (but version history is correct) Department mix-ups - Documents are getting tagged with the wrong office/department Date weirdness - Upload dates keep changing on existing documents My setup (in case it matters) SharePoint Online with custom document library Power Automate flows that kick off approval workflows when docs are uploaded Multiple users uploading files throughout the day Custom metadata fields for uploader, department, dates, etc. Since we use these documents for approvals, having wrong metadata is really bad news. Approvals are going to the wrong people, our audit trail is messed up, and people are starting to not trust the system. Has anyone else run into this metadata inheritance/mixing problem? A few specific things I'm curious about: Could this be a content type issue? Like, are multiple content types somehow sharing metadata? Is Power Automate maybe processing things too fast and causing conflicts? Could it be some kind of caching problem in SharePoint? Is this related to users uploading documents at the same time? What I've already tried Checked version history (it's correct there) Looked at my Power Automate flows Had users clear their browser cache Double-checked permissions Really just looking for anyone who's been through something similar! Specifically: What caused it for you? How did you fix it? Any tips to prevent it from happening again? Should I maybe restructure how my document library is set up? This worked perfectly for months and now it's like SharePoint has developed multiple personality disorder with my metadata 🤦♂️ Any ideas or war stories would be super helpful! Thanks in advance! Thanks in advance !
