FAQs
Does Insync use the “app@Sharepoint” user in M365/SharePoint online?
Yes.
Explanation :
In audit records for some file activities (and other SharePoint-related activities), you may notice the user who performed the activity (identified in the User and UserId fields) is app@sharepoint. This indicates that the "user" who performed the activity was an application. In this case, the application was granted permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. This process of giving permissions to an application is called SharePoint App-Only access. This indicates that the authentication presented to SharePoint to perform an action was made by an application, instead of a user. Therefore, the app@sharepoint user is identified in certain audit records. For more information, see :https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#the-appsharepoint-user-in-audit-records
When you are integrating Druva insync with the M365 , during the initial set up , M365 Global admin is granting certain permission which also includes SharePoint permissions. See the screenshot below:
This is the reason, whatever the action performed by Druva insync will show as app@sharepoint on M365 audit logs.
Important Note:
--------------------------------
app@sharepoint is not specific to Druva insync. It is applicable to any application which has permission on SharePoint to do certain tasks.
Please find the below use cases:
—----------------------------------------------
Performed a Insync back up on a certain SharePoint site. M 365 audit log captured that user: app@sharepoint has performed file access. See the screenshots:
Performed a Insync restore on a certain SharePoint site. M 365 audit log captured that user: app@sharepoint has performed file upload. See the screenshots:
Performed a Insync file deletion on a certain user’s OneDrive using the federated search feature. M 365 audit log captured that user: app@sharepoint has performed file recycling. See the screenshots: