Microsoft 365 Purview Logs not showing Export List Events
We recently conducted an audit on our system - as we are part of a regulated industry - and had to clarify exactly which user events are captured in the Unified Audit Log. We did the usual confirmations and provided evidence of events where users add, update, delete items in SharePoint Lists and Libraries, however, we were asked specifically if events for exporting List Items to CSV or Excel were captured in the Log. We performed the usual test and waited for the events to appear in Purview, but to our suprise, there was nothing in the Log to indicate a user exporting to CSV or Excel. Can anyone confirm whether Export to CSV or Excel from a SharePoint List should be captured and is reportable in the Audit Log? This seems to be a massive oversight if these events are not auditable?
Add items Permission level
Hi, I'd like to know a way to set permissions on a list so that users in the SharePoint site - Members group can't see existing items in the list that don't have unique permissions assigned. They can only add new items in this list. Once an item is created, a workflow would be triggered that would add a unique permission only for that item. The problem is that when creating a Permission Level with only the ability to add items, the user loses access to the custom item creation form.Sharepoint deleting data and sites
Hello, We have noticed an issue that started about a year ago in which data is being deleted in Sharepoint. When looking at this data in the Recycle bin, it will show it was modified/deleted by specific Users but these user deny ever doing such a thing. It is at the point in which we believe the Sharepoint system itself is actually deleting data possibly due to a bug. It would be odd for the employees tagged in the Modified By field to have deleted it. Our data is backed up so recovering any deleted items isn't the issue. The issue is that we are trying to get Microsoft to investigate. We have submitted tickets through the MS 365 portal but they state they only work on break/fix issues. Any recommendations? I can see searching the internet this issue has come up for many others in the past.
Unusual Activity for a User
Hi, I have an issue with a user who raised a query that they are having issues syncing files to SharePoint. Whilst I'm investigating this another query came in advising that this same user has been creating folders and uploading documents...... They have confirmed that there account has not been shared and can confirm from the signing in logs on Entra that no suspicious IP address is being used. Anyone have any idea of what is occurring?? I've advised the user to delete any links they have and stop syncing. Regards Chris
Issue with ribbon permissions in Microsoft Project.
I am working on Microsoft Project (EPM) and want to hide the Status button from the ribbon for the Project Manager role. I have already tried adjusting the permissions in PWA settings, but the button is still visible. Could you please suggest an alternative method?
SharePoint Missing Authentication for _vti_bin
The issue with the vti_bin folder is that it is accessible without authentication. However, the remediation measures outlined below are not technically feasible for SharePoint Online (O365). I found few remediations for this issue which are as follows: Configuration Options: Administrators can configure authentication for _vti_bin through various methods, such as: Enabling anonymous access:This allows anyone to access the site and its resources, including _vti_bin URLs, without logging in. Restricting access in Web.config:The Web.config file can be modified to deny access to anonymous users for specific _vti_bin paths. Using the ViewFormPagesLockDown feature:This feature can help restrict access to certain SharePoint resources, including those within _vti_bin The below links are for reference: https://www.c-sharpcorner.com/uploadfile/Roji.Joy/how-to-secure-external-anonymous-access-to-sharepoint-2010-sites/#:~:text=Even%20when%20lockdown%20mode%20is, https://learn.microsoft.com/en-us/archive/blogs/fabdulwahab/security-protecting-sharepoint-server-applications https://sharepoint.stackexchange.com/questions/167264/restricting-access-to-contents-in-vti-bin-for-both-authenticated-as-well-as-a I would like to verify whether the provided fixes are applicable to O365 SharePoint. If they are not, could you please advise on alternative solutions that can be implemented to mitigate this issue?
problems with sharepoint subscription edition post updates. psconfig fails.
We are facing 2 issues, but i suspect its related. OS is server 2025. Patches are current. We applied the sharepoint upgrade: KB5002784 yesterday. At that time we discovered psconfig failed to complete. Initially it was due to a problem with the sharepoint admin service. Of note it would not start. I found this to be a problem with windows exploit protection. Exempting the exe associated with the admin service fixed this and the service now starts. PSconfig still fails, its failing at the spcopysidebyside step. of note the sidebyside log that the error references is never created. additionally running the spcopysidebyside powershell script, and specifiying a log file location also results in no log being created. i suspect this may be another windows exploit protection exemption that needs to be created. at this time im not sure what one is required, nor how this is not effecting all installs vs just ours.
Microsoft IPs in audit logs
I'm investigating an incident and noticed that in many instances throughout the audit log, there is a Microsoft IP address associated with the action (in this case the action is "FileAccessed"). I'd like to know if this is some backend process that occurs automatically when using Sharepoint, or if this action originated from a user, but appears as a Microsoft IP due to some interaction with the server/onedrive/other process. Thanks in advance, helping me with this example could help in a lot of other areas of this audit log investigation as well.
VAPT issue raised for CKEditor 4.13.0 Cross-Site Scripting
URL to JS file: https://testsite.com/_layouts/15/16.0.18526.20508/next/spclient/43.sp-canvas-sp-ckeditor-flight.js Associating Common Weakness Enumeration (CWE) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE 79) Evidence(s) Steps to derive Evidence(s) 1. Request to CKEditor File 2. Reponse indicating the version Recommendation(s) Upgrade CKEditor to the latest version 4.25.1-lts for extended support on the package. As this JS file is a part of SharePoint itself, cannot upgrade explicitly. Can anyone share the mitigation or plan to get it fixed except until Microsoft releases an update for same.
