Day 24 - Audit Log Integration
The audit log integration with SharePoint Embedded serves as a crucial tool for tracking and documenting user activity within the environment. It is particularly useful for compliance, security monitoring, and troubleshooting purposes. The integration captures detailed records of actions such as file access, edits, deletions, and sharing events, providing administrators with comprehensive visibility into user interactions. This functionality is essential for maintaining data integrity and ensuring adherence to organizational policies and regulations.
When to use it
Imagine your company faces a data breach, and you're worried that sensitive info might have been accessed or messed with without permission. With SharePoint Embedded's audit logs, your IT security team can dive into the details of what users did with those files. They'll be able to track who accessed, edited, or shared what and when. This detailed view helps pinpoint which user accounts were involved and spot any odd behavior that could suggest insider threats or outside hacks. This information doesn't just help tackle the current issue but also strengthens future data protection and fine-tunes access controls.
How does it work
The first thing we need to do is get the container information that you want to use in the audit log search. You can get a list of all the containers in your application with this Graph command:
GET
https://graph.microsoft.com/beta/storage/fileStorage/containers?$filter=containerTypeId eq {{ContainerTypeId}}
Response:
"value": [
  {
    "id": "b!OkqqzjCtLk23YdGE1Vho4O_5EYMk3QRNqim1usWvFk5tNHHJRowqSLXzbsw8HYbl",
    "displayName": "Project Documents",
    "containerTypeId": "ee469b9e-3451-0e71-1384-0fbc70aa001a",
    "createdDateTime": "2024-06-13T15:16:15Z",
    "lockState": "unlocked",
    "viewpoint": {
      "effectiveRole": "owner"
    },
    "settings": {
      "isOcrEnabled": false
    }
  },
When you have found the container you want to use, get the “id” value and then run this command:
GET
https://graph.microsoft.com/v1.0/drives/{{ContainerID}}
Response (Abbreviated):
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives/$entity",
  "createdDateTime": "2024-08-18T05:14:52Z",
  "description": "The container is configured with metadata for searching.",
  "id": "b!CORq-a8orUGIrd3_z9t1_vjCBSeqM3JKhDglEU3DIDvEl-Hms0qoQ7QCWYNQfGOF",
  "lastModifiedDateTime": "2025-01-29T12:46:12Z",
  "name": "Project Metadata",
  "webUrl": "https://<Domain>.sharepoint.com/contentstorage/CSP_f96ae408-28af-41ad-88ad-ddffcfdb75fe/Document%20Library",
  "driveType": "other",
  "createdBy": {
    "user": {
      "displayName": "System Account"
    }
  },
Ultimately, what we're after is the webUrl value, specifically the container identifier, which is https://<DOMAIN>.sharepoint.com/contentstorage/CSP_f96ae408-28af-41ad-88ad-ddffcfdb75fe.
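The two lookups above, as an added example that is not part of the original article: it picks the container id out of the listing response and reduces the drive's webUrl to the container site URL used for the audit search, rejecting a webUrl that is not a container URL. The function names, the expected_host check and the contoso host name are assumptions; the sample responses are constructed from the values shown above.

```python
import re
from urllib.parse import urlsplit

# Path shape of the webUrl shown above: /contentstorage/CSP_<guid>/<library>
CSP_PATH = re.compile(
    r"^/contentstorage/(CSP_[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})(?:/|$)")

def find_container_ids(list_response, container_type_id, display_name=None):
    """Step 1: pick container ids out of the containers listing (hypothetical helper)."""
    return [c["id"] for c in list_response.get("value", [])
            if c.get("containerTypeId") == container_type_id
            and display_name in (None, c.get("displayName"))]

def audit_site_url(drive_response, expected_host=None):
    """Step 2: reduce the drive's webUrl to the container site URL (hypothetical helper)."""
    parts = urlsplit(drive_response.get("webUrl", ""))
    match = CSP_PATH.match(parts.path)
    if parts.scheme != "https" or not parts.hostname or match is None:
        raise ValueError("webUrl is not a SharePoint Embedded container URL")
    # Optional guard: make sure the URL belongs to the tenant you mean to search.
    if expected_host and parts.hostname != expected_host.lower():
        raise ValueError(f"webUrl host {parts.hostname!r} is not the expected tenant")
    # Drop the document library segment; the audit search is scoped to the site.
    return f"https://{parts.hostname}/contentstorage/{match.group(1)}"

# Constructed samples, trimmed from the responses shown above.
# "contoso" stands in for the <Domain> placeholder.
SAMPLE_LIST = {"value": [{
    "id": "b!OkqqzjCtLk23YdGE1Vho4O_5EYMk3QRNqim1usWvFk5tNHHJRowqSLXzbsw8HYbl",
    "displayName": "Project Documents",
    "containerTypeId": "ee469b9e-3451-0e71-1384-0fbc70aa001a"}]}
SAMPLE_DRIVE = {
    "name": "Project Metadata",
    "webUrl": "https://contoso.sharepoint.com/contentstorage/"
              "CSP_f96ae408-28af-41ad-88ad-ddffcfdb75fe/Document%20Library"}

if __name__ == "__main__":
    print(find_container_ids(SAMPLE_LIST, "ee469b9e-3451-0e71-1384-0fbc70aa001a"))
    print(audit_site_url(SAMPLE_DRIVE, expected_host="contoso.sharepoint.com"))
```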
Configure Purview
Now that we have the container information, which is simply a site for this purpose, create a new audit search:
Notes:
Once the job has been completed, you can view the results, which include all the activities performed by users:
Microsoft MVP | Global IT Workplace Service Manager | Microsoft 365 Specialist | SharePoint | Technical Blogger
1 week ago: What a great step-by-step process. I think this clarifies a lot how to use Purview and SharePoint Embedded together. It looks (and it is) very simple and easy to do. Thanks for showing it Steve Pucelik