SharePoint Management Shell/Central Administration Auditing
Currently, when an administrator performs an action in the Management Shell/Central Administration, most of the data regarding who and what action took place is not recorded. This makes auditing impossible when there are multiple administrators managing the farm. I would propose putting auditing controls in for the SharePoint Management Shell and Central Administration, to record who and what changes were made.
Thanks for your feedback! Your idea sounds interesting, but we need more information to understand. Can you tell us more about how you would like to use this feature?
Is your primary intent to use these logs for reporting and for troubleshooting? Will collection and centralization of these logs in a DB, such as the usage DB, provide the functionality that you seek (if these logs contain data of who performed the action, what the action is, what the target of the action is, and what the timestamp of the action is)? How important is having a UX, in addition to the centralized log location, on a scale from 1-5 (1 being least important, 2 being somewhat important, 3 being neutral, 4 being important, 5 being not important)?
Examples expected in the audit log:
- SPO tenant setting changes
- site creation, deletion, rename
- enable/disable sharing on sites (it takes more than 4 days with a prio A case to find out when it happened)
- change, add primary, secondary site admin
- enable, disable scripting
- manage hub site tasks
- quota changes
Some information is in the compliance center audit log where a SPO admin has no access in some companies.
Trevor Seward commented
Anonymous... :) I've had extensive conversations with the PG directly on this topic; don't worry, they do fully understand the request. It's a complicated solution and goes above and beyond 'just implement some logging'.
Guys, the request is not that hard to understand... Obviously it would be for auditing purposes, and just make it easy to use and find! 9_9
Fuck off hackers
This is rolling out. Please update: https://blogs.office.com/2016/11/08/feature-pack-1-for-sharepoint-server-2016-now-available/
Star D. commented
Extending this to other areas of O365 Admin would be great too.
Star D. commented
Just want to add that I too agree with Trevor, as well the points brought up by Tony, Daniel, Dean, Rajkumar and Thuan.
Tony Rockwell commented
Compliance for many organizations is getting huge, and with that comes auditing. Why allow auditing of user actions and NOT provide easy auditing of Administrator actions? This just makes sense from a business perspective. Trevor points out exactly what everyone needs: "I want is to be able to tell which administrator took such an action against an object in order to place responsibility with that administrator."
I agree with Trevor. With the power that Central Administration wields, it would be great to be able to surface an audit of who made what change and when. I for one, would also love having it surfaced in the UI, so consider my vote to be VERY important (which you don't have but maybe is a 5?)
Trevor Seward commented
The idea would be to audit actions taken place on SharePoint objects, similar to the AuditLog/EventCache we have today, but more detailed. If I ran '$wa = Get-SPWebApplication https://webAppUrl;$wa.AlertsEnabled = $true;$wa.Update()', I would want that string recorded to a log with a date/timestamp and username attached to it and if the command encountered an error or not. This would go to a queryable database (through the OM or T-SQL); such a structure could be simply a datetime: occurred on, nvarchar(255): username, nvarchar(MAX): action/cmdlet/script run, bit: success/error during cmdlet execution, uniqueidentifier: CorrelationId, if applicable. UX would be the least important (1), I'd be happy with a CSV export from a Get-SPAdminActionLog. Centralized Log location would be a must (5). If there is an option to clear the log, then much like the Windows Event Log, I would want that to be the first action recorded with the administrator's name attached to it. Ultimately, what I want is to be able to tell which administrator took such an action against an object in order to place responsibility with that administrator. Right now, I simply cannot do that with ease, or at all depending on the scenario. SharePoint Insights will not always be appropriate for this -- this needs to be available on farms that do not have any sort of Internet access or for companies who do not have O365 Subscriptions.
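The record structure proposed in the comment above, as an added example that is not part of the original comment and not SharePoint functionality. The function names (Write-AdminActionRecord, Invoke-AuditedAdminAction, Clear-AdminActionLog) and $AuditLogPath are hypothetical, and a CSV file stands in for the queryable database.

```powershell
# Added example: hypothetical wrapper functions, not SharePoint cmdlets.
# $AuditLogPath is an assumed central location; a CSV stands in for the database.
$AuditLogPath = Join-Path $env:TEMP 'SPAdminActionLog.csv'

function Write-AdminActionRecord {
    param(
        [Parameter(Mandatory)][string]$Action,
        [Parameter(Mandatory)][bool]$Success,
        [guid]$CorrelationId = [guid]::NewGuid()
    )
    # Columns mirror the proposed structure: datetime, username, action, bit, uniqueidentifier.
    [pscustomobject]@{
        OccurredOn    = (Get-Date).ToUniversalTime().ToString('o')
        UserName      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Action        = $Action
        Success       = $Success
        CorrelationId = $CorrelationId
    } | Export-Csv -Path $AuditLogPath -Append -NoTypeInformation -Encoding UTF8
}

function Invoke-AuditedAdminAction {
    param([Parameter(Mandatory)][scriptblock]$ScriptBlock)
    $ErrorActionPreference = 'Stop'   # treat non-terminating errors as failures too
    $id = [guid]::NewGuid()
    $ok = $true
    try {
        & $ScriptBlock
    } catch {
        $ok = $false
        throw                          # the caller still sees the original error
    } finally {
        # Record the exact script text whether it succeeded or failed.
        Write-AdminActionRecord -Action $ScriptBlock.ToString().Trim() -Success $ok -CorrelationId $id
    }
}

function Clear-AdminActionLog {
    # The clear itself becomes the first record, as with the Windows Event Log.
    Remove-Item -Path $AuditLogPath -ErrorAction SilentlyContinue
    Write-AdminActionRecord -Action 'Clear-AdminActionLog' -Success $true
}

# Constructed usage: stand-in script blocks so the example runs without a farm.
Clear-AdminActionLog
Invoke-AuditedAdminAction { Get-Date | Out-Null }
try { Invoke-AuditedAdminAction { throw 'constructed failure' } } catch { }
Import-Csv -Path $AuditLogPath | Format-Table -AutoSize
```

A wrapper like this only records actions that are run through it, so an administrator who calls cmdlets directly leaves no record; the log file also needs write-only access for administrators to be useful as evidence.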
Dean Gross commented
This is needed in SPO also
Rajkumar Yeldurthi commented
I do support this idea, nice to have it OOB.
Agree with Trevor.. :)
Daniel C. Kline commented
Absolutely. SharePoint is big enough that I frequently am overdrawn at the memory bank. A little augmented memory would be awesome.
Sai Vamsy Palakollu commented
Thuan Ng commented
Totally agreed with Trevor. In enterprises, especially those who outsource IT resources, there are many people touching one farm even if we have a governance plan. It's much better to have an auditing feature that captures changes made in the SharePoint admin content database and configuration.
Roger Cormier commented
I have several customers who are jumping through hoops to artificially add this functionality to SharePoint 2013. It's a very common ask.