M365 Audit Logs - what triggers FileAccessed

Question

M365 Audit Logs - what triggers FileAccessed

Anonymous

I've noticed recently when performing a search of the Audit logs that a number of users have "FileAccessed" against their name, even though they never opened the specified file in SharePoint. We even had a case where one had "FileDownloaded" was reported but the user swore that they never downloaded the file (and didn't have a reason to lie).

Does anyone know the activities in SharePoint that can trigger either of those to appear in the Audit Logs ... other than just opening or downloading the file? For example, does only opening the folder that contains the files then report that the users accessed each file? Does selecting the file (which then opens the preview and file properties) trigger it? etc

Microsoft's documentation on this is very basic. Even my testing has returned some sporadic results.

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

0 comments

8 answers

Answer 1

If anyone is still interested in this topic......
I have just spent a day, methodically doing actions in SharePoint, and then reconciling those actions in the Audit Logs.

It is clear that heaps of different actions will trigger FileAcessed and FilePreviewed in the Audit Logs. It has little to do with a user intentionally opening, or previewing a file.

For example - actions that trigger FileAcessed and FilePreviewed included doing a SP search. All the files displayed in the Search result page will trigger the audit. Also if you hover over a search result to quickly view it. Also if you display files in Thumbnail view this will trigger FileAcessed and FilePreviewed for all the files. Also if you are in normal All Documents view and hover over a document. And many other scenarios will trigger the Audit Log.

My test showed that although I only opened 3 files, I had 94 SharePointFileOperation actions recorded in Audit Log against my name (mostly FileAcessed and FilePreviewed actions). Many, many files were listed in the log, that I did not click on, preview, or look at in any other way.

This is disappointing for any Admins trying to investigate a user inappropriately and deliberately searching and looking at files. There appears no way to distinguish a user accessing and previewing versus the "system" accessing and previewing files.

Answer 2

Anonymous

Hi DWahry,

I've encountered a similar scenario and am curious if your support ticket gave additional details regarding this issue.

I would appreciate if you can share the Microsoft support stance on this.

Thanks

0 comments

Answer 3

Dear DWahry,

Thanks for posing back and we hope the Online Support team can help investigate and resolve the queries in Audit log from backend service with you soon.

At the same time, we will also keep this thread open, so other Community members and Experts can also share their suggestions and inputs.

Best Regards,

Rhoda

Answer 4

Anonymous

Thank you for the response, Rhoda. I have a support request in regarding this but just thought I would check if anyone in the community had any further insight while I wait.

0 comments

Answer 5

Dear DWahry,

Greetings! Thank you for posting to Microsoft Community. We are happy to help you.

As per your description, it seems that you are having issue with M365 audit logs, need confirmation on what triggers FileAccessed, and have concern that one had "FileDownloaded" was reported but the user swore that they never downloaded the file.

If the understanding above is right, we've done a lot of searches on our side, however, we can only find a basic description about the FileAccessed log in below official article. Given this situation, as forum support, we may not have enough permission and resources to give out the conclusion if "other activities in SharePoint that can trigger either of those to appear in the Audit Logs". Sorry for the inconvenience caused.

For your reference: Audit log activities | Microsoft Learn

Considering that you've mentioned that "a number of users have "FileAccessed" against their name, even though they never opened the specified file in SharePoint. We even had a case where one had "FileDownloaded" was reported but the user swore that they never downloaded the file (and didn't have a reason to lie).", we're afraid issue need to be checked from backend service to help you better. As forum support, we may not have enough permission and resource to directly check the backend environment, more resources need to be involved in to help you further.

For you to be assisted properly, we sincerely recommend you contact your Microsoft 365 administrator, follow steps in below official article to create a support ticket with Online Support. The support team over there has higher permission than us, they can remotely help check the situation on your side, involve more resource to collect logs and help you do analyze. They can also involve more resources to investigate and confirm the scenario for the audit logs with you.

For reference: Get support - Microsoft 365 admin | Microsoft Docs, please select online support or phone support to have a live chat with the support engineers.  This is the most efficient way for handling this case as per the situation.

About how to find the admin in your organization, you can refer to How do I find my Office 365 admin 

Your understanding and cooperation are highly appreciated. Thank you for your precious time. Have a nice day!

Sincerely,

Rhoda | Microsoft Community Moderator

Share via

M365 Audit Logs - what triggers FileAccessed

8 answers