TargetUser Value for Add-MailboxPermission is Object/User ID instead of User name
Hi, when pulling audit events using the 365 REST API, the Target user value (in bold in the log below) shown in the log is the ObjectID instead of the actual username.
{
  "AppAccessContext": {
    "IssuedAtTime": "2024-07-17T05:44:57",
    "UniqueTokenId": "oZs6oblynUiWSutUGtwEAA"
  },
  "CreationTime": "2024-07-17T05:52:00",
  "Id": "5f7d4442-9e22-4f60-a9f0-08dca6249357",
  "Operation": "Add-MailboxPermission",
  "OrganizationId": "",
  "RecordType": 1,
  "ResultStatus": "True",
  "UserKey": "user@example.com",
  "UserType": 2,
  "Version": 1,
  "Workload": "Exchange",
  "ClientIP": "",
  "ObjectId": "Requisitions",
  "UserId": "user@example.com",
  "AppId": "----",
  "AppPoolName": "MSExchangeAdminApiNetCore",
  "ClientAppId": "",
  "CorrelationID": "",
  "ExternalAccess": false,
  "OrganizationName": "example.onmicrosoft.com",
  "OriginatingServer": "",
  "Parameters": [
    {
      "Name": "Identity",
      "Value": "e9ecdrb9-6f6d-474f-ba48-6453156255a7"
    },
    {
      "Name": "User",
      "Value": "bd146749-0cf7-4fa1-8309-93458cbf3889"
    },
    {
      "Name": "AccessRights",
      "Value": "FullAccess"
    },
    {
      "Name": "InheritanceType",
      "Value": "All"
    }
  ],
  "RequestId": "",
  "SessionId": ""
}
This makes it hard for us to investigate actions and alerts. Is this expected behavior? And is it possible to apply any changes that would show the value as the actual username? Thanks
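Added example, not part of the original post: one way to make such a record readable on the consumer side is to resolve the ID-valued parameters against a lookup table before the event reaches an analyst. The `DIRECTORY` table, its `delegate@example.com` entry and the `enrich` / `is_guid` helpers are assumptions made for illustration; the record is a trimmed copy of the one above.

```python
import json
import uuid

# Constructed lookup table (ID as seen in the log -> user name). Assumption:
# you maintain such a table from your own directory export.
DIRECTORY = {"bd146749-0cf7-4fa1-8309-93458cbf3889": "delegate@example.com"}

# Trimmed copy of the audit record shown in the post.
RECORD = json.loads("""
{"Operation": "Add-MailboxPermission", "UserId": "user@example.com",
 "ObjectId": "Requisitions",
 "Parameters": [
  {"Name": "Identity", "Value": "e9ecdrb9-6f6d-474f-ba48-6453156255a7"},
  {"Name": "User", "Value": "bd146749-0cf7-4fa1-8309-93458cbf3889"},
  {"Name": "AccessRights", "Value": "FullAccess"},
  {"Name": "InheritanceType", "Value": "All"}]}
""")

ID_PARAMS = ("Identity", "User")  # parameters that may carry an ID


def is_guid(value):
    """True only for a well-formed, hyphenated GUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def enrich(record, directory):
    """Flatten Parameters and attach a resolved name to each ID parameter."""
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    out = {"Operation": record.get("Operation"),
           "Actor": record.get("UserId"),
           "AccessRights": params.get("AccessRights")}
    for name in ID_PARAMS:
        raw = params.get(name)
        if raw is None:
            continue
        if not is_guid(raw):
            # Already a name, or not a valid GUID: pass through untouched.
            status, resolved = "not-a-guid", raw
        elif raw.lower() in directory:
            status, resolved = "resolved", directory[raw.lower()]
        else:
            # Keep the raw ID so the event can be re-resolved later.
            status, resolved = "unresolved", raw
        out[name] = {"raw": raw, "resolved": resolved, "status": status}
    return out


if __name__ == "__main__":
    print(json.dumps(enrich(RECORD, DIRECTORY), indent=2))
```

The `Identity` value as posted contains a non-hexadecimal character, so the strict check reports it as `not-a-guid` and leaves it unchanged.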