Interpreting audit logs

Anonymous
2017-05-03T02:44:17+00:00

So in human terms, what does all this mean?

<roleid>xxxx41827</roleid>

<principalid>xxx84</principalid>

<scope>xxxxxxx-B2EC-4E43-9E09-7B3A545F5DDC</scope>

<operation>ensure added</operation>

And where is it documented in a way a mere mortal can understand?

Microsoft 365 and Office | SharePoint | For business | Windows


Answer accepted by question author

Anonymous
2017-05-04T15:07:34+00:00

Hi Webbrewers3,

There is no out of box feature to map those IDs to the corresponding users/groups/permissions or any documentation describing the relationship between them.  As there’s no official document on how to interpret the result, I’ll suggest you provide your feedback in SharePoint Uservoice.

If you still want to know about the numeric values, please provide your tenant information to proceed further.

Regards,

Neha


5 additional answers

  1. Anonymous
    2017-05-14T17:26:14+00:00

    "There is no out of box feature to map those IDs to the corresponding users/groups/permissions or any documentation describing the relationship between them. "

    So what you're saying is the audit logs are basically useless?

  2. Anonymous
    2017-05-05T15:20:42+00:00

    Hi Webbrewers3,

    If you still need help, please provide your tenant information requested in PM.

    Regards,

    Neha

  3. Anonymous
    2017-05-04T01:00:29+00:00

    Yeah, I can google for the answers you copy/pasted here too.  Doesn't help much though because the values are all numeric and there's no way to translate them. Hard to believe Msft seriously thinks this is a useful approach to an audit log?  Since as usual we have to do everything ourselves, where is the official documentation on how to interpret the results?

  4. Anonymous
    2017-05-03T12:48:27+00:00

    Hi Webbrewers3,

    The following are the meanings of the terms you mentioned:

    Role: The role that the user was given permissions to

    Note that roleId can sometimes also be -1, which seems to be the case if a user’s permissions were removed. I am not 100% sure on this...

    Principal ID: It’s an integer generated by SharePoint internally and it can either represent a user or a group.

    Scope: Is the scope where this change is effective.

    Operation: Whether permissions were granted or removed

    Reference: How to understand the audit log 

    Thanks,

    Neha

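
The four fields described in the last answer above, parsed from event-data fragments and grouped per scope and principal for review. This is an added example, not part of the original thread or any Microsoft tooling; all sample values are constructed, `ensure removed` is an assumed counterpart to the `ensure added` value in the question, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

FIELDS = ("roleid", "principalid", "scope", "operation")

# Constructed sample fragments; every ID and GUID here is made up.
# "ensure removed" is an assumption, only "ensure added" appears in the thread.
SAMPLE_EVENTS = [
    "<roleid>1001</roleid><principalid>12</principalid>"
    "<scope>00000000-AAAA-4000-8000-000000000001</scope>"
    "<operation>ensure added</operation>",
    "<roleid>-1</roleid><principalid>12</principalid>"
    "<scope>00000000-AAAA-4000-8000-000000000001</scope>"
    "<operation>ensure removed</operation>",
    "<roleid>1002</roleid><principalid>15</principalid>"
    "<scope>00000000-AAAA-4000-8000-000000000002</scope>"
    "<operation>ensure added</operation>",
    "<roleid>1001</roleid><principalid>12",  # truncated on purpose
]

def parse_event(fragment):
    """Return the four fields of one fragment as a dict (missing ones are None)."""
    # The fragment has several top-level elements, so it needs a wrapper root.
    # Wrapping also makes any embedded DOCTYPE a parse error instead of input.
    root = ET.fromstring("<event>" + fragment + "</event>")
    record = {}
    for name in FIELDS:
        node = root.find(name)
        record[name] = node.text.strip() if node is not None and node.text else None
    return record

def summarize(fragments):
    """Group (operation, roleid) pairs by (scope, principalid), in log order."""
    changes, malformed = defaultdict(list), []
    for fragment in fragments:
        try:
            rec = parse_event(fragment)
        except ET.ParseError:
            malformed.append(fragment)  # keep for manual review, do not drop silently
            continue
        changes[(rec["scope"], rec["principalid"])].append(
            (rec["operation"], rec["roleid"]))
    return dict(changes), malformed

def possible_removals(changes):
    """Keys with roleid -1, which the answer tentatively ties to removed permissions."""
    return [key for key, ops in changes.items() if any(r == "-1" for _, r in ops)]

if __name__ == "__main__":
    grouped, bad = summarize(SAMPLE_EVENTS)
    for (scope, principal), ops in grouped.items():
        print(scope, principal, ops)
    print("possible removals:", possible_removals(grouped), "malformed:", len(bad))
```

The output still shows raw IDs: resolving a principal ID or role ID to a name has to be done against the site itself, which this sketch does not attempt.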