Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
4,217 questions
What level of M365/EntraID/Azure auditing is needed to unequivocally determine user activity
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 96%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Shawn Goodwin
156
Reputation points
My company has an Entra ID P1 license. We have a couple hundred M365 Business Premium users and a handful of E5 users. We've learned some of the auditing is vague at best. Recently, while investigating user activity through the Unified Audit Portal in MS Defender, we found a lot of SharePoint FileAccessed and FilePreviewed actions for a user who should not have access to those artifacts. Digging much deeper we learned the user never actually accessed any of those files and that those events were triggered by browser prefetching and page loading. The Microsoft Audit Log Activities documentation, https://video2.skills-academy.com/en-us/purview/audit-log-activities#frequently-asked-questions-about-fileaccessed-and-filepreviewed-events, says:
Are there scenarios where a user previewing a document generates FileAccessed events? Both the FilePreviewed and FileAccessed events indicate that a user's call led to a read of the file (or a read of a thumbnail rendering of the file). While these events are intended to align with preview vs. access intention, the event distinction isn't a guarantee of the user's intent.
Essentially, the FilePreviewed and FileAccessed events are not positive indicators of definitive user activity. Are there other audit options in the Microsoft ecosystem that can be used to positively determine definitive user activity??
Thank you for your time.
edit: grammar
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 36,151 Reputation points Microsoft Employee2024-04-01T23:09:16.31+00:00 Hi @Shawn Goodwin , when you say positively determine user activity, could you clarify if you are only asking about the FilePreviewed and FileAccessed events, or all audits in general?
-
Shawn Goodwin 156 Reputation points
2024-04-02T14:04:23.1766667+00:00 Thank you for your reply. That's a good question. I am more interested in the ability to positively determine user activity, with or without the FilePreviewed and/or FileAccessed events. If the audit log says a user "accessed" a file, that should mean that the user intentionally opened the file. Currently, that assertion cannot be made using FileAccessed and FilePreviewed events.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 17%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
K-Mohammed 75 Reputation points Microsoft Employee2024-07-03T13:25:38.3033333+00:00 Hi Shawn,
I'm unsure if you're still experiencing this issue, however if you are, based on this documentation the event might have been logged as a result of browser prefetch. While these events are intended to align with preview or access intention, the event distinction isn't a guarantee of the user's intent. Additionally, you can try to use the filter 'PagePrefetched' to remove the prefetched audit logs.
For more details, check out this doc: https://video2.skills-academy.com/en-us/purview/audit-log-activitiesLet us know if you have any further follow up question.
Sign in to comment