What's MSWAC user Agent in Office 365 Audit logs?

Hi RahulKapoor,

The MSWAC user Agent refers to Office Online. The possible scenario is that users use Office Online services to access their files.

Regards,
Allan

Hi RahulKapoor,

Have you referred to the information above? Do you need further assistance?

Regards,
Allan

As I said I did not initiate access to the docs that are in my audit logs - Delve may be but it should not be using my account.

Hi RahulKapoor,

 

For “I did not initiate access to the docs that are in my audit logs”, do you mean you did not open these files whether from the document library or from the Office Online apps from the app launcher?

 

In addition, could you also provide us with some more detailed information about “Delve may be but it should not be using my account”?

 

Regards,

Allan

Yes obviously I didn't open any of the documents through Office Online or app launcher or any other means but they are still in the Audit logs hence the concern. I noticed on my Delve profile that some of the docs in the audit logs are shown as "Popular Documents" which others in the company are working on but I did not click on them or access them. If Delve is accessing them on my behalf it should use a system account and they shouldn't show up as accessed by my account in the Audit logs. Having so much spurious content in the audit logs defeats the purpose of auditing.

BTW I also tried to change my password and within a few seconds the Audit log was full of entries about my account accessing documents that I'm not even aware of exist. So its definitely some Microsoft process doing something unexpected in the back.

Is there an update to this question?  I have noticed the same issue.  Why is user agent MSWAC accessing files with my username that i have not opened?  

Hi 365 User,

 

The user agent in the audit log is provided by the client or browser. When a file in the SharePoint Online site or your OneDrive for Business is opened in the browser with your account, you may see the user agent: MSWAC.

 

You may edit or open a file in the browser with your Office 365 work or school account, and then get the audit logs to see the details. You may refer to the following article view the logs:

Detailed properties in the Office 365 audit log

 

Thanks,
Felix

That is helpful, but the concern is the log showing several occurrences of Accessed File (with a Microsoft IP address) and FilePreview (with my own IP address) by my userID, all with the same date and time.  I did not perform these actions.  Is there some background process or something i may have clicked that creates these events?

"Felix Tao MSFT" if you review the thread you will see that it has been clarified multiple times that I (user whose account shows in the log) did not access or open the files reported in the logs in any way. It is most likely a Delve bug where it basically determines files I may be interested in and shows them on the Delve page and they end up in the logs WITHOUT my opening them. This issue should be escalated to the Delve team, the fix to use a system account for such file list creation or trimming of Delve identified (but not accessed) files from the logs should be trivial. Delve is supposedly Satya Nadella's favorite feature which I find totally useless and it is actually hampering our use of SharePoint Security by cluttering the log with all these bogus entries - so maybe drop him a line as well ...

Hi All,

 

Thanks for your update.

 

We need your tenant information, so we can involve the related team to look into this. As this information involves PII, I will move this conversation to Private message to obtain such details.

 

Thanks,

Sky