![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 77%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Microsoft 365 and Office | SharePoint | Development
The process of building custom applications and tools that interact with Microsoft SharePoint, including SharePoint Online in Microsoft 365.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 9%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMN%3C/text%3E%3C/svg%3E)
Hi @Alex monteiro
Based on the information you described, I understand that you are trying to build a report to determine whether your users are accessing their files primarily through the Microsoft Teams client or directly via the underlying SharePoint sites. While you have successfully generated a Microsoft Purview Audit log for file activities, the results include a significant amount of data generated by automated backend services (like Copilot, Loop, and Search), and you are looking for a way to isolate genuine user interactions and find alternative reporting methods.
This behavior can sometimes occur under certain conditions related to how the Microsoft 365 architecture logs file interactions. In the Purview Audit log, an "Accessed File" operation is not strictly limited to a manual, human user action. The service also securely records automated system tasks such as search index crawlers scanning documents, Copilot reading content to generate indexing, Loop components syncing data, or the system generating visual file previews. Because these automated services interact with the files, their activities are logged under the SharePointFileOperation record type exactly like a human user's access, which results in the dense log entries you are seeing.
To filter this data down strictly to actual user interactions and distinguish between Teams and SharePoint access, the most effective approach is to process the logs after exporting them. Let's walk through the steps to categorize this data:
Export the Audit Log to CSV: Generate the audit log with your current Purview parameters but export the complete results into a CSV file. This allows you to utilize Excel, Power Query, or Power BI for advanced data filtering. Within your exported CSV, locate the AuditData column (you may need to parse the JSON format to extract specific properties) and look for the UserAgent string. You can categorize the access method by filtering this field:
- If the
UserAgentcontainsTeams/, the access was initiated from the Microsoft Teams client. - If the
UserAgentcontains standard browser strings (such as Mozilla, Chrome, Safari, or Edge), the access was likely performed via the SharePoint web interface.
You can also filter the ObjectId or SiteUrl columns to understand the exact entry point. Files accessed directly through the Teams channel file tab typically follow the path structure: /sites/<TeamName>/Shared Documents/<ChannelName>/. Conversely, access through specific SharePoint web interface elements or administrative views might show paths containing /layouts/15/....
In addition, you can also try looking into the alternative methods below to see how they work:
Note: This information is provided as a convenience to you. These sites are not controlled by Microsoft, and Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please ensure that you fully understand the risks before using any suggestions from the above link.
I hope these insights help you successfully filter your exported CSV data to isolate those specific user interactions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.