2 thoughts on “Audit trails for records in SharePoint Online

  1. Amazing…. Very useful article.
    I have a quick question.
    Scenario 1: Microsoft Edge is signed in with the work account, Licence E5, Microsoft Edge>>page settings>>layout>>informational.
    Whenever a new page is open Edge shows organisational data including the people users have been in contact with recently, the recent documents found on the OneDrive, attachments from their email and other documents. All the documents displayed in the new Edge page are thumbnails of the actual document.
    When organisation run the compliance report, all file which were automatically picked up by the browser whenever the new page was open are showing as user “Previewed” those files and in some cases around 13 files had same time timestamp.

    Couple of user were suspended because compliance report shows they previewed those files but users were claiming they never open/access them on those dates.

    Scenario 2: exactly the same thing happened like in scenario 1 but when portal.office.com open as default edge page each time new browser instance opens.

    In your article you have explained the difference between Accessed/Preview etc. Would you be able to kindly explain how the user prepare their defence.

    Please find one row from the report

    1. Thank you for the interesting response! I hear this issue (file previewed) with clients on a regular basis. Perhaps one way of explaining this (other than the Microsoft link below is to provide a description of ‘all’ the events for the user activity, not just one in isolation. Once you get the audit logs to ‘tell the full story’ you will see that a LOT of events are recorded, including from opening the site, ‘accessing’ the page/s, ‘accessing’ images that may be on the page and so on. Telling a story in this way may help to show that the end user was simply navigating via the browser and not intentionally or deliberately ‘accessing’ a file to read it. If a thumbnail appeared that was sensitive, then perhaps the original document should be subject to more restrictions so it *doesn’t* appear.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s