Audit actions made by SharePoint App Principal in SharePoint Online

Question

I have completed an app registration in the Azure portal, and obtained an Application (client) ID and a secret key from there. Then, I granted this Application ID "Full" access to my SharePoint Online site collection through the link "https://[your_site_url]/_layouts/15/appinv.aspx". This process allowed the App Principal/App Identity (using app ID and secret ) in my SharePoint environment to perform various task such as copying data from the SharePoint Library to Azure storage, deleting files in the SharePoint site and so on.

Now, we are seeking a way to which we can audit all the actions made by the application principal within the site collection or tenant. Is there a way by which I can track and review a logs for this?

Answer 1

Hello @Jim Milagrosa

Thank you for reaching out. I assume you should be able to audit activities made by service principal on SharePoint workload using Microsoft Purview Unified Audit logs.

• You can refer following documentation for steps on how to review Audit logs on Microsoft Purview Portal: Audit New Search, you can also use Microsoft purview to Export audit log records.
• To validate all the activities that are audited by Microsoft Purview you can review following documentation link: Audit log activities.
• To validate what each property on Audited event means please review following documentation link: Detailed properties in the audit log.

I hope this helps and hence would request you to please "Accept the answer" if the information helped you. This will help us and others in the community as well.