Microsoft Purview Reports

Understanding how to read and interpret Microsoft Purview audit reports

For IT, compliance, and legal teams trying to understand what Microsoft Purview reports do and don't show — especially when dealing with "Accessed file" entries.

What is Microsoft Purview?

Microsoft Purview is Microsoft's unified data governance service that helps organisations understand, manage, and govern their data across the entire data estate. One of its key features is audit logging: it records all activities involving your organisation's files and data.

When you run a search or view audit reports in Purview, you'll see entries like "Accessed file" that can be confusing if you don't understand what they actually mean.

Purview Report Interpretation

System Activity

Automated processes and background scans

🔄 "Accessed file" entries

User Activity

Actual human interactions with files

👤 "Downloaded file" entries

Key Takeaway

"Accessed file" in Purview reports does not mean someone opened or downloaded the file. It often indicates system-level activities like background scans, indexing, or automated processes. Understanding the difference between system access and user actions is crucial for accurate interpretation.

✅ What "Accessed file" Actually Means

When you see "Accessed file" entries in Microsoft Purview reports, it's important to understand what this activity represents:

  • System searches and indexing
    (Background processes that scan files for search functionality, malware detection, or content analysis.)
  • Preview generation
    (Automatic creation of file previews for SharePoint, Teams, or OneDrive interfaces.)
  • Compliance scanning
    (Automated checks for data classification, retention policies, or regulatory compliance.)
  • Backup and synchronisation
    (System processes that ensure data is properly backed up and synchronised across services.)
  • Security monitoring
    (Automated security scans and threat detection processes.)

Important: These are typically automated system activities, not user-initiated actions like opening or downloading files.

🔍 How to Identify System vs User Activity

Use these practical indicators to distinguish between automated system processes and actual user actions:

  • Microsoft Service IPs
    (IP addresses in ranges like 4.x.x.x, 52.x.x.x, 158.x.x.x indicate Microsoft datacenters and automated processes.)
  • Multiple datacenter access
    (Same file accessed from Toronto, Queretaro, and other locations simultaneously = system activity.)
  • System user accounts
    (User accounts like "system@" or service accounts indicate automated processes.)
  • SharePointFileOperation
    (This operation type typically indicates background indexing, scanning, or compliance processes.)
  • Same file, multiple entries
    (Multiple "Accessed file" entries for the same document on the same day = system processing.)

Key Rule: If you see the same file "accessed" from multiple Microsoft datacenters on the same day, this is automated system activity, not human users.

Real Purview Report Analysis

Let's analyse actual Purview report data to understand what "Accessed file" entries really mean.

Sample Purview Report Data:

| Date | IP Address | Email | Audit Operation | Activity | File Name | File Path |
|---|---|---|---|---|---|---|
| May 10, 2025 | 52.108.224.17 | me@work.org.uk | SharePointFileOperation | Accessed file | FIleOne.docx | Accessed from "Shared Documents/AFolderName/ANamedYear/SomeDate" |
| May 10, 2025 | 20.68.123.31 | me@work.org.uk | SharePointFileOperation | Accessed file | FIleOne.docx | Accessed from "Shared Documents/AFolderName/ANamedYear/SomeDate" |
| May 10, 2025 | 52.108.189.10 | me@work.org.uk | SharePointFileOperation | Accessed file | FIleTwo.docx | Accessed from "Shared Documents/AFolderName/ANamedYear/AnotherDate" |
| May 10, 2025 | 127.0.0.1 | me@work.org.uk | SharePointFileOperation | Accessed file | FIleThree.docx | Accessed from "Shared Documents/AFolderName/ANamedYear/MonthDate" |
| May 10, 2025 | 20.90.191.9 | me@work.org.uk | SharePointFileOperation | Accessed file | FIleFour.docx | Accessed from "Shared Documents/AFolderName/NewFolder/DifferentDate" |
| May 10, 2025 | 127.0.0.1 | me@work.org.uk | SharePointFileOperation | Accessed file | FileFive.docx | Accessed from "Shared Documents/AFolderName/NamedYear/DifferentDate" |
| May 10, 2025 | 4.205.197.38 | me@work.org.uk | SharePointFileOperation | Accessed file | FileSix.docx | Accessed from "Shared Documents/AFolderName/NamedYear/SomeNewDate" |
| May 10, 2025 | 52.108.42.38 | me@work.org.uk | SharePointFileOperation | Accessed file | FileSix.docx | Accessed from "Shared Documents/AFolderName/NamedYear/SomeNewDate" |
| May 10, 2025 | 158.23.86.109 | me@work.org.uk | SharePointFileOperation | Accessed file | FileSix.docx | Accessed from "Shared Documents/AFolderName/NamedYear/SomeNewDate" |
| May 10, 2025 | 52.108.147.27 | me@work.org.uk | SharePointFileOperation | Accessed file | FileSeven.docx | Accessed from "AFolderName/Annonymous P drive" |

What This Table Tells Us:

1. IP Addresses

All IPs (4.205.197.38, 52.108.42.38, 158.23.86.109, 52.108.147.27) are Microsoft service IPs from different datacenters

🏢 Microsoft services

2. SharePointFileOperation

This operation type indicates automated SharePoint processes like indexing, scanning, or compliance checks

🔄 System process

3. "Accessed file" Action

This doesn't mean someone opened the file - it means the system processed it for background operations

📊 System access

4. Same Date & Time

All entries are from May 10, 2025 - this is a Teams search report showing when the search was performed

Search timestamp

5. Multiple Files Processed

Multiple files (FileOne through FileSeven) were processed simultaneously, indicating a broad system scan or search operation

📁 Batch processing

6. Consistent User Account

All entries show the same user (me@work.org.uk) but from different IPs - this indicates the user initiated a search that triggered system processing

👤 Search initiator

Key Insight: This table shows a Teams search that was performed on May 10, 2025. The multiple "Accessed file" entries represent Microsoft's system processing the search results across different datacenters - not users actually opening the meeting minutes file.

More Real Examples from the Report

Pattern Analysis: Looking at the full report reveals clear patterns that distinguish system activity from user activity.

Key Observation: The same file appears multiple times with different Microsoft datacenter IPs, all on the same date. This is impossible for human users but normal for automated processes.

Common Patterns in Real Purview Data

1. Multiple Datacenter Access

Same file accessed from Toronto, Queretaro, and other Microsoft datacenters simultaneously

🌐 System distribution

2. Microsoft IP Ranges

All IPs are in Microsoft's ranges (4.x.x.x, 52.x.x.x, 158.x.x.x) indicating automated services

🏢 Microsoft services

3. Same User, Multiple IPs

One user account associated with multiple datacenter IPs on the same day

👤 System account

Bottom Line: When you see the same file "accessed" from multiple Microsoft datacenters on the same day, this is automated system activity, not human users opening the file.
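The indicators described above (Microsoft-range IPs, the same file seen from several IPs on one day, "Accessed file" versus a download) can be applied mechanically to an exported report. The following Python is an added example, not part of the original page or of any Microsoft tooling; the CSV column names, the ISO date format, the 20.x prefix and the final sample row are assumptions.

```python
import csv, io, ipaddress
from collections import defaultdict

# Coarse first-octet heuristic taken from the page (4.x, 52.x, 158.x); 20.x is
# added as an assumption because it appears in the page's sample rows. For real
# triage, match against Microsoft's published IP range lists instead.
MS_FIRST_OCTETS = {4, 20, 52, 158}

# First five rows are from the page's sample table (dates normalised to ISO,
# path column dropped); the last row is constructed to show a user-side event.
SAMPLE = """date,ip,user,operation,activity,file
2025-05-10,4.205.197.38,me@work.org.uk,SharePointFileOperation,Accessed file,FileSix.docx
2025-05-10,52.108.42.38,me@work.org.uk,SharePointFileOperation,Accessed file,FileSix.docx
2025-05-10,158.23.86.109,me@work.org.uk,SharePointFileOperation,Accessed file,FileSix.docx
2025-05-10,127.0.0.1,me@work.org.uk,SharePointFileOperation,Accessed file,FIleThree.docx
2025-05-10,52.108.147.27,me@work.org.uk,SharePointFileOperation,Accessed file,FileSeven.docx
2025-05-10,203.0.113.25,me@work.org.uk,SharePointFileOperation,Downloaded file,FileSeven.docx
"""

def ip_kind(ip):
    """Classify a ClientIP as loopback, Microsoft-range (heuristic) or other."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"      # 127.0.0.1 cannot be a remote client's address
    if addr.version == 4 and addr.packed[0] in MS_FIRST_OCTETS:
        return "microsoft"
    return "other"             # office/home networks and anything unrecognised

def triage(csv_text):
    """Return {(date, file): verdict} using the page's system-vs-user indicators."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[(row["date"], row["file"])].append(row)
    verdicts = {}
    for key, rows in groups.items():
        kinds = {ip_kind(r["ip"]) for r in rows}
        ips = {r["ip"] for r in rows}
        activities = {r["activity"] for r in rows}
        # Any non-Microsoft IP or any activity beyond "Accessed file" needs a human look.
        if "other" in kinds or activities != {"Accessed file"}:
            verdicts[key] = "review as possible user activity"
        elif len(ips) > 1:
            verdicts[key] = "likely system (multiple datacenter IPs)"
        else:
            verdicts[key] = "likely system (single IP)"
    return verdicts
```

The verdicts are triage labels, not proof: a group marked for review still needs the user-agent, timing and surrounding events checked before concluding that a person opened the file.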

Frequently Asked Questions

Common questions about interpreting Microsoft Purview reports and "Accessed file" entries.

  • Q: What does "Accessed file" actually mean?
    A: It usually means Microsoft's system processed the file for indexing, scanning, or compliance - not that someone opened it.
  • Q: How do I know if someone actually opened a file?
    A: Look for activities like "FileDownloaded," "FileModified," or user IP addresses from office/home networks, not Microsoft datacenters.
  • Q: Why do I see the same file accessed multiple times?
    A: This is normal - different Microsoft services may process the same file for search indexing, security scanning, or compliance checks.
  • Q: Can I trust these reports for compliance purposes?
    A: Yes, but you need to understand the difference between system and user activity. System access is normal and expected.

Understanding Patterns

  • Q: What if I see the same file accessed from different countries?
    A: This is normal! Microsoft's global datacenter network may process files from multiple locations for redundancy and performance. This doesn't mean users from different countries accessed the file.
  • Q: How do I know if this is normal system activity?
    A: Look for Microsoft service IPs, system accounts, and multiple datacenter access. These patterns indicate normal automated processes, not user activity.
  • Q: What if I need to prove someone accessed a file?
    A: Look for user-specific actions, user IP addresses, and realistic timing patterns. Multiple datacenter access usually indicates system activity.
  • Q: How can I tell if it's system vs user access?
    A: Look for "system@" users, Microsoft IP addresses, and automated client applications.

Key Points to Remember

System vs User: Always distinguish between automated system processes and actual user actions when interpreting audit logs.

Context Matters: Consider the IP address, user account, and client application to understand the nature of the activity.

Normal Operation: System access is a normal part of Microsoft 365 functionality and doesn't indicate unauthorised access.

GDPR and Compliance Implications

Data Processing: When Microsoft services access files, this data processing is covered by Microsoft's GDPR compliance measures and your organisation's data processing agreements.

Data Routing: Files may be processed by Microsoft servers outside the EU as part of normal service operation.

Understanding GDPR Compliance

Note: This information is for general guidance.

1. Legitimate Business Purpose

System access serves legitimate purposes like security, compliance, and service functionality

GDPR Article 6(1)(f)

2. Data Processing Agreements

Microsoft's DPA covers automated system access as part of the service

📋 Contractual basis

3. Technical Necessity

System access is technically necessary for Microsoft 365 to function properly

🔧 Service requirement

Bottom Line: Automated system access is generally covered by existing data processing agreements and serves legitimate business purposes.

Best Practices for Interpreting Purview Reports

Follow these guidelines to accurately interpret Microsoft Purview audit reports.

Glossary of Purview Terms

Definitions of key terms used in Microsoft Purview reports

Activity

The specific action that was performed, such as "FileAccessed," "FileDownloaded," or "FileModified." The type of activity helps determine if it was user-initiated or system-generated.

Audit Operation

The technical operation performed by the system, such as "SharePointFileOperation" or "ExchangeItemOperation." Audit Operations provide more detail about the specific system process.

ClientIP

The IP address from which the activity originated. Microsoft service IPs indicate automated processes, while user IPs show actual user activity.

FileAccessed

An audit entry indicating that a file was accessed by the system or a user. This does not necessarily mean the file was opened or downloaded by a person.

System Account

An automated account (often starting with "system@") that performs background processes like indexing, scanning, or compliance checks. These are not human users.