Tag Archives: Microsoft forms

Some ideas on how to troubleshoot Microsoft forms

Who is Microsoft forms form owner

It is a very common situation in Microsoft 365 when someone creates a form and the form works perfectly, but then the form stopped working and nobody knows who was (or who is) this Microsoft form owner. Below is how to detect the form owner based only on existing form link. You can find out is it a group or a user.

How to find Microsoft forms form owner

the steps are:

  1. Use form link

You can use collaborator form link that looks like:
https://forms.office.com/Pages/DesignPage.aspx?FormId=<formId>
or responder form link that looks like: https://forms.office.com/Pages/ResponsePage.aspx?id=<formId>
(or short one: https://forms.office.com/r/kDKaHDauj7)

so just follow the link (use it in your browser)

2. Open browser developers tool – just hit F12 in browser or select “open developer tool” from menu. Inspect the network traces.
You need to find a request Url that starts with
https://forms.office.com/formapi/api/…
(you can use filter as below for “formapi”).
You’d refresh your page, or complete and submit the form until this url appears under network traces like this:

Then copy request Url to notepad as text. Bingo!
In the url example below:
https://forms.office.com/formapi/api/tc05faac-c82a-5b9d-b0c5-1f64b6755421/groups/f28f8c19-52cb-435c-948c-4c5619c943b7/forms…

The “tc05faac-c82a-5b9d-b0c5-1f64b6755421” id is the form owner’s tenant id
“/groups/” indicates that this specific form is owned by group, and
the “f28f8c19-52cb-435c-948c-4c5619c943b7” is the owner group id in EntraId

In case the form is owned by user, the Url would look like
https://forms.office.com/formapi/api/tc05faac-c82a-5b9d-b0c5-1f64b6755421/users/f6351c57-e247-528e-90ab-5i3d50c235b6
where
“/users/” indicates that the form belongs to a user and
“f6351c57-e247-528e-90ab-5i3d50c235b6” is the id of the user who owns the form

This hack works also for users who already left the company (account is disabled).

Note:
If you have an SSO in your org and cannot find this call under network – try different browser or incognito mode or logging out before the call – as what you need appears at early stages – even before authentication or when you submit the form

Some other tricks:

Having a collaborator or long responder link – I can say the form is owned by a person if the form id is 80 characters length, and the form is owned by group – if the form id is 88 characters length

References

Microsoft Forms Troubleshooting

So far some findings I came up with after several Microsoft forms troubleshooting sessions… I’ll keep all the gotchas here as “how to” guide for myself. I’d be glad if this also helps you troubleshoot your Microsoft forms.

Microsoft forms links

You know, a user can create a Microsoft form. Then user can share it. There are two kind of links –

  • to respond
  • to edit/view/export results

Link to respond is kind of :
https://forms.office.com/Pages/ResponsePage.aspx?id=FHPcfQGf1UWwEnFmW7HFRMgvShgV5J1Phpi7J1M_UoVUOUI1TzNQUEdWOTAzVVdRUVYzVVg4MlhZNC4u
or short one: https://forms.office.com/r/kDKaHWauj7

Link “to collaborate” -e.g. with the link a person can edit and view results – is created under … “Create or duplicate”, and could be for anyone, for all people in org, and for specific people in org

if the link looks like
"https://forms.office.com/Pages/DesignPageV2.aspx?subpage=design&FormId=<FormId>"
then it’s for specific people in org

if the link looks the same but also contains
"&Token=e3cd16ccf8034a3e868c68747e1f9584"
then it’s for anyone with work or school account or for anyone in the organization

The one with the “edit” link can edit the form (including questions, answers options, and form visibility , view responses, delete responses, create a “summary link”, create a duplicate link, and export responses to excel (“Open in Excel” button). But cannot change collaboration options.

When user complete the form (after submit button), there is an option “Save my response” – if so – user will see this for with only one (his/her) response under forms app.

Collaborator is not seeing the form he/she has access to until follow the link.

Move the form to a group

Form owner can move the form to a group (and this is strictly recommended for all production forms). If so:

  1. people who are group members (not only owners) will see this form under forms app – under specific group
  2. form id will be changed, so the long “respond” link will be different. Though the short link will be the same. All links should continue to work: Old and New long and short respond links. Group-owned form id seemed to me be little longer – 88 characters vs 80 chars for individual-owned forms.

The trick Tomasz Szypula @toszypul shared here (I’m also citing the trick below) on how to find form owner having just a link works like a charm! Even for deleted owner`s IDs.

But let me share some more here. If the form is owned by group – the link will be similar, but with “/group/<groupId>” instead of “/user/<UserId>” .
E.g. here:
https://forms.office.com/formapi/api/7ddc7314-9f01-45d5-b012-71665bb1c544/groups/65714e55-87f4-49c3-b790-fc75d7349c8a/light/...

you can see “65714e55-87f4-49c3-b790-fc75d7349c8a” which is group Id. So you can use the same trick to figure out what group owns a form.

Deleting user who owns forms

What if the original owner of a form is no longer with a company? How can I transfer ownership of the form?

If the employee account was deleted or disabled, the global administrator or office application administrator of the organization who have a valid Forms license can transfer for ownership within 30 days of when an account was disabled/deleted. See details. Note that all forms user owned will be transferred to an admin, then an admin can transfer forms to a group so new owners can have access to answers etc.

Deleting a group that owns forms

When a form is owned by group and the group is getting deleted… tbp…

Audit log events

You can get some ideas on the form from an audit log, including

  • is the form owned by group or by user
  • to whom the form was shared with collaborator link

Below are kinds of events related to Microsoft 365 forms:

  • ListForms – Listed forms – viewed forms home page with list of forms
  • ViewForm – Viewed Form –
  • ViewRuntimeForm – Viewed response page
  • ViewResponses- Viewed responses
  • CreateResponse – Created response
  • ExportForm – Exported form – “export to excel” – file saved to the local machine (form owner=user)
  • ConnectToExcelWorkbook – Connected To Excel Workbook – “export to excel” – file saved to the teams SharePoint site under Documents (form owner = group)
  • EnableSameOrgCollaboration –

How to find Microsoft forms form owner

(credit goes to Tomasz Szypula @toszypul )


toszypul   replied to  Jason_B1025
‎Jan 03 2022 03:17 AM - edited ‎Jan 03 2022 03:18 AM 

@Jason_B1025 I was able to get the ID of the user with a bit of a hack. Here are sample steps:

-Access the form using this designer direct URL https://forms.office.com/Pages/DesignPage.aspx?origin=shell#FormId=<YourFormID>

-Inspect the network traces. You will find a request similar to this 

https://forms.office.com/formapi/api/72f988bf-86f1-41af-91ab-2d7cd011db47/users/e5351c57-d147-418e-89ab-3a3d50c235b6/light/forms('v4j5cvGGr0GRqy180BHbR1ccNeVH0Y5Bias6PVDCNbZUOUg4TkZJUEswSVQ1ODhNNkpHVVlMMldPTi4u')?$select=id,... 

-The ID in bold is the AAD ID of the user
-Use Graph Explorer - Microsoft Graph to run this request to retrieve the username and email address of the owner https://graph.microsoft.com/v1.0/users/<UserID>

My 3×5 cents to this clever trick:

  • Not only “collaborator” link helps, but also “respond to”
  • If the form is owned by the group – the link would be similar but with “…/group/group_id/…” instead of “…/user/user_id/…”
  • If you have a SSO in your org and cannot find this call under network – try different browser or incognito mode or logging out before the call – as what you need appears at early stages – even before authentication

How do I know – is it a person-owned or group-owned form

Let say you got a claim that “we were able to work with the form, and now it is gone”, and the only you have is the “collaborators” link to the form – so you can edit form, view responses etc. but nobody knows who created that form… So how to determine who owns the form – person or group and what person/group.

The form is owned by a person if

  • form id is 80 characters length
  • on “Export to Excel” button – it saves/downloads excel file to the file system
  • audit log contains ExportForm (Exported form) event – as clicking “Export to Excel” button generates ExportForm (Exported form) event
  • network trace contains “https://forms.office.com/formapi/api/<tenantId>/users/<UserId>/…”

The form is owned by a group if

  • form id is 88 characters length
  • on “Export to Excel” button – it saves excel file to the team SharePoint site and opens it in browser
  • clicking “Export to Excel” button generates ConnectToExcelWorkbook – “Connected To Excel Workbook” event in the audit log
  • network trace contains “https://forms.office.com/formapi/api/<tenantId>/groups/<GroupId>/…”

References

See also:
Form blocked due to potential phishing

Microsoft Form Blocked due to Potential Phishing

You are seeing messages “This form can’t be distributed as it is asking for personal or sensitive information. Contact your admin for assistance. Terms of use”

This form can’t be distributed as it is asking for personal or sensitive information. Contact your admin for assistance. Terms of use

or

Form can no longer be accessed. This form has been flagged for potential phishing.

“Form can no longer be accessed. This form has been flagged for potential phishing. Technical details”

Cause

The reason is: Microsoft enabled automated machine reviews to proactively detect the malicious collection of sensitive data in forms and temporary block those forms from collecting responses. More about it.

Solution

Ask your tenant global or security admin to go to the Microsoft Security Administration (Defender) Alerts:

Microsoft Defender Alert Phishing Form
Microsoft Security Administration (Defender) Alerts

If your list of alerts is too big – use filter by Policy: “Form blocked due to potential phishing attempt”.

Microsoft Purview - Compliance-Alerts-Filter-By-Policy

To unblock the form or confirm it is phishing – admin should open the alert:

Microsoft Defender Alert Phishing Review this Form

And then click “Review this form“.
“Review the form” opens the page “https://forms.office.com/Pages/AdminPhishingReviewPage.aspx?id=”
where is the form Id.

Then global/security admin can review the form and unblock it or confirm it is phishing:

m365 global/security admin can review the form and unblock it or confirm it is phishing

References