Forum Discussion
Solved
Why UserId and sender ID of the email are different when operation is sensitivitylabelapplied
We are investigating an incident response by reviewing O365 audit logs and have noticed that, for some emails, the User-ID and Sender ID are different when the operation "Sensitivity Label Applied" is recorded.However, there is another specific channel for your mentioned concern where you will get some possible information for certain specific resources and platform from our related community members.
Hi Shiv_B!
The difference between the User-ID and Sender ID when the "Sensitivity Label Applied" operation is recorded could happen if the sensitivity label is applied by an automated process or by a service account rather than the person sending the email. The User-ID reflects the account that triggered the label application, while the Sender ID represents the actual sender of the email. This is expected behavior in some scenarios, especially when labeling is applied by system processes or admin actions rather than by the user directly.
Here is the official site to learn more about the sensitivity labels:
https://learn.microsoft.com/en-us/purview/sensitivity-labelsRegards!
Hi Shiv_B!
The difference between the User-ID and Sender ID when the "Sensitivity Label Applied" operation is recorded could happen if the sensitivity label is applied by an automated process or by a service account rather than the person sending the email. The User-ID reflects the account that triggered the label application, while the Sender ID represents the actual sender of the email. This is expected behavior in some scenarios, especially when labeling is applied by system processes or admin actions rather than by the user directly.
Here is the official site to learn more about the sensitivity labels:
https://learn.microsoft.com/en-us/purview/sensitivity-labelsRegards!
Hi Luchete,
Thanks for you response. However, in our scenerio that userID does not exist in the organization's enviornment (Aactive Directory).
Thanks for the clarification. If the User-ID doesn't exist in the Active Directory, it could indicate that the sensitivity label was applied by a service account or an automated process running under a different context, possibly from an external system or a service that interacts with your environment. It might be worth checking if there are any automated workflows or admin accounts that are applying labels on behalf of users. You can also look into audit logs for any related system activity that could explain this.
