User activity audit logs?

[FreeFree13]

Hello Yvan,

We are using EntraCP to authenticate against our Sharepoint on premise infrastrucure and would like to retrieve some logs to address few use cases, per example:

_Detect big amount of data transfer / deletion
_Sharepoint access outside business hours
…

In all these use case, we need to identify users who initiate such actions.

However, since we configured federation with Entra CP for user authentication, we cannot clearly identify users in native SharePoint audit logs or ULS logs.
All we can see is a number or ID rather than username or UPN, this even cannot be translated because it doesn’t correspond to AAD user GUID.

Do you have any idea on how we can identify users in SharePoint logs when using EntraCP solution ?

Thank you so much in advance.

Best regards
Brian

[Yvand]

Hello Brian, EntraCP (or any claims provider for trusted auth) does not decide/control/change what the user identifier is.
The user identifier is set by the token issuer (Entra ID) and consumed by SharePoint.

Regarding the audit of the requests, did you consider to parse the IIS logs and use the field cs-username to get the user identity?