Monitor Permission Changes in SPO via Alert Policy (Compliance Center Portal)

Dieter Tontsch (GMail) 937 Reputation points
2022-11-21T17:02:59.393+00:00

My goal is to try to protect a SPO site, resp. a library, as well as possible in terms of access privileges. From what I understand, this isn't quite possible for Global Admins, which per default are also SharePoint Admins and therefore they are site admins, right? But then at least there might be a chance to get alerted if someone, being a SharePoint Admin or a regular user with according privileges, does modify access privileges within SPO. Actually I am more interested in a particular site, but I don't know if this can be achieved per site or even library only. I followed this article https://blog.lsonline.fr/2019/01/24/sharepoint-site-alert-policy/ making use of alert policies (https://compliance.microsoft.com/alertpoliciesv2?). In my case I created a policy to get alerted on Category Security if Activity is "Shared file, folder or site" which says:

User (member or guest) shared a file, folder, or site in SharePoint or OneDrive for Business with a user in your organization's directory. The value in the Detail column for this activity identifies the name of the user the resource was shared with and whether this user is a member or a guest. This activity is often accompanied by a second event that describes how the user was granted access to the resource; for example, adding the user to a group that has access to the resource.

and condition is like File:Site Collection URL is any of https://tenant-name.sharepoint.com/sites/hr/library-name/*

The point is I'd also like to get alerted if someone, even a global admin, does modify permissions from library or site permission settings. Usually normal users do not have such access, but global admins and site owners do have.

The point is that I don't get any alerts if permissions do change on resp. library; it doesn't even work if I do not add this condition at all, while it should then work on any SharePoint or OneDrive location within our tenant, shouldn't it?

Isn't my approach a valid one, is there any other option, without the use of third-party tools, to achieve my goal? Actually I am especially interested in monitoring access modifications performed by Global Administrators, because proper access for regular users can be hardened by assigning them minimal permissions.

Kind regards,
Dieter


Accepted answer
  1. Emily Du-MSFT 44,151 Reputation points Microsoft Vendor
    2022-11-22T08:02:55.967+00:00

    @Anonymous

    1. Global administrator is SharePoint administrator but is not every site collection administrator. For item, list and site collection, you could set unique permissions for each level. After setting unique permissions, even a global administrator cannot access parts without permissions.

    2. For using alert policy, you need to have an E5 license, or an E1 or E3 license with a Microsoft Defender for Office 365 P2, Microsoft 365 E5 Compliance, or Microsoft 365 eDiscovery and Audit add-on subscription. Make sure the alert policy status is on and wait for 24 hours after creating or updating an alert policy before alerts can be triggered by the policy.

    Here are screenshots about my alert policy and test results.

    262981-1.png

    262934-2.png

    262947-3.png

    262948-4.png




2 additional answers

  1. Dieter Tontsch (GMail) 937 Reputation points
    2022-11-22T09:49:39.643+00:00

    Thanks, your input is very helpful.
    A Global Admin is not a Site (Collection) Admin, but it is a SharePoint Admin. Therefore he/she can assign himself as a site admin, right? Probably there is nothing one can do about this regarding Global Admins. But, if this alerting would work on my side, would it also alert on such changes, site admin modifications? In that case of course the URL would need to be https://tenant-name.sharepoint.com/sites/hr/ instead of https://tenant-name.sharepoint.com/sites/hr/library-name/*?

    I did not have the necessary licenses assigned, I only had a Microsoft E3. But now I have assigned myself (I am the one who should get the alert notifications) also a Microsoft Defender for Office 365 (Plan 2). I still do not get alerted.

    262936-screenshot-2022-11-22-103040.jpg

    Licenses assigned to Alert Recipient
    263003-lics.jpg

    Do you see any issues with this?

    1. Alert Recipient has Microsoft E3 (not Office E3) + Microsoft Defender for Office 365 (Plan 2)
    2. If someone does permission modifications within https://tenant-name.sharepoint.com/sites/hr/library-name/* the recipient (which is me) does not get an alert.
    3. You just answered me re. Site collection admin.

    But any idea why this doesn't work for me yet? Is my licensing not enough? I have to admit that the alert policy is in place since yesterday, but my Defender license assignment is just since one hour. Or is it not about me as an alert recipient being licensed accordingly, but the one who does modifications?


  2. Dieter Tontsch (GMail) 937 Reputation points
    2022-12-02T14:57:19.13+00:00

    Hi, for a while it did not work as expected. I couldn't manage to get permission-based Alert Policies to work in terms of notifications.
    I also contacted MS Support. They pointed me to Activity Alerts instead of Alert Policies; I don't know the difference.
    We could make it work (more or less, with huge latency of many hours) to get notified like the following:
    * SiteAdminAdded by certain user(s) --> Notify certain user(s) --> this worked somehow, but it's weak, huge latency and no detailed information about the particular activity. This stuff seems deprecated to me; the notify email even contains links to protection.office.com which then says it's decommissioned.

    266663-image.png

    Secondly, after a long time I also managed to work with an Alert Policy like this:
    266635-image.png

    The latter works much better, but I am now confused why it didn't work before like this:
    266683-image.png

    The only difference is SiteCollectionPermissionAdded vs. SitePermissionModified. Maybe it is because of Site collection vs. Site?

    And several other combinations also do not work. Seems to me like a bit of a beta thing.

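Before tuning the alert policy further, a practical check a defender can make is whether the permission changes on the site are reaching the unified audit log at all, and under which operation names, since an alert policy can only fire on an Activity that is actually recorded. The script below is an added example, not code from the thread or from Microsoft; it uses the ExchangeOnlineManagement module's Search-UnifiedAuditLog cmdlet, which the thread does not mention, and assumes the account running it holds an audit-log reader role. The site URL is the placeholder from the question, the operation names in $permOps are those named in the thread plus common SharePoint sharing and permission operations, and the AuditData field names (ObjectId, SiteUrl, TargetUserOrGroupName) are assumed to be present in the JSON payload.

```powershell
# Added example (not from the thread). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account can read the audit log.
Connect-ExchangeOnline

$SiteUrl   = "https://tenant-name.sharepoint.com/sites/hr"   # placeholder from the question
$StartDate = (Get-Date).AddDays(-7)
$EndDate   = Get-Date

# Pull recent SharePoint audit records. ResultSize caps at 5000 per call;
# use -SessionCommand ReturnLargeSet with -SessionId to page through more.
$records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
    -RecordType SharePoint -ResultSize 5000

# Expand the JSON payload and keep only records for the site (or library) in question.
# Narrowing the prefix to ".../sites/hr/library-name" scopes this to one library,
# while ".../sites/hr" also catches site-level permission and site admin changes.
$siteEvents = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    if ($d.ObjectId -like "$SiteUrl*" -or $d.SiteUrl -like "$SiteUrl*") {
        [pscustomobject]@{
            Time      = $r.CreationDate
            Operation = $r.Operations
            User      = $r.UserIds
            Object    = $d.ObjectId
            Target    = $d.TargetUserOrGroupName   # assumed field: who was granted access
        }
    }
}

# Step 1: which operation names does the tenant actually record for this site?
# Compare these names against the Activity selected in the alert policy.
$siteEvents | Group-Object Operation | Sort-Object Count -Descending |
    Select-Object Name, Count

# Step 2: list the permission- and sharing-related events with who changed what.
# Names from the thread (SiteAdminAdded, SiteCollectionPermissionAdded,
# SitePermissionModified) are included alongside common SharePoint operations.
$permOps = 'SharingSet', 'SharingInheritanceBroken', 'AddedToGroup', 'RemovedFromGroup',
           'PermissionLevelModified', 'SiteCollectionAdminAdded', 'SiteAdminAdded',
           'SiteCollectionPermissionAdded', 'SitePermissionModified'
$siteEvents | Where-Object { $permOps -contains $_.Operation } |
    Sort-Object Time | Format-Table -AutoSize
```

If Step 1 shows the expected operations for the site but the alert policy still does not fire, the problem lies in the policy (activity name, condition URL, licensing, or the 24-hour propagation delay noted in the accepted answer) rather than in auditing; if the operations are absent, no alert policy built on them can work, and the audit log itself is what needs attention.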