This post will be an ongoing adventure into using Microsoft Purview to audit, track, review, and learn about updates to objects within the Power Platform. My adventure into this tool was prompted by my in-house security teams asking if I could help identify if a specific SharePoint list had been viewed and who viewed it. In SharePoint on-prem, this sort of info could be mined in a site, but with SharePoint Online, the auditing is offloaded to Purview.
To kick things off, I will run a report to see who has accessed my SharePoint Dev site this week. From the audit page, you can set a date range for your search and select activities like deleting a file or adding someone to a group; for the file, folder, or site box, you enter the site you want to target. Last but not least is the user’s box; this one is self-explanatory.
Search results are ready for viewing:
The results show that a user created a list item and then viewed the list a few times.
The audit logs are held for ~90 days; outside variables can impact this. Here is a warning if you try to search for items older than 90 days:
Audit log retention policies might impact search results. Activities that happened over 90 days ago will only show up in results for users who have licensing for long-term audit log retention.
That’s it for now; as you can see, this tool can be extremely valuable, especially when dealing with audits or if data magically goes missing.
Future updates to this article will show how to track changes to SharePoint lists, dataverse objects, Power BI, Power Automate (Flow), and more!
URL to access the compliance center / Purview: https://compliance.microsoft.com/auditlogsearch
Here is a new post showing how to search a single library in SharePoint:
https://www.sharepointed.com/2024/03/sharepoint-audit-using-purview/