Audit External User File Access in SharePoint Online Using PowerShell
The external sharing feature lets users in your organization share content with people outside the organization (such as partners, vendors, clients, or customers). It is therefore necessary to audit who accessed each shared file to confirm that every external user is authorized.
The Microsoft 365 admin center has no built-in report for tracking external user activities, so admins can use either of the methods below to audit external file access.
Audit log search: Admins need to apply multiple filters in audit log search to get the desired result. However, the report can’t be customized or scheduled.
PowerShell: The Search-UnifiedAuditLog cmdlet searches the activities performed in the organization. However, if you don’t retrieve the audit data properly, you will end up with data loss.
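What retrieving the audit data properly involves, as an added example that is not the code of the downloadable script: each time slice is paged with the same -SessionId and -SessionCommand ReturnLargeSet until an empty page comes back. The function name, the 24-hour slice size, the client-side #EXT# filter on guest UPNs and the output path are assumptions, and an active Connect-ExchangeOnline session is required.

```powershell
# Added example. Requires an active Connect-ExchangeOnline session.
function Get-ExternalFileAccess {
    param(
        [datetime]$StartDate = (Get-Date).AddDays(-7),
        [datetime]$EndDate = (Get-Date),
        [int]$WindowHours = 24      # assumed slice size; shrink on busy tenants
    )
    $seenIds = [System.Collections.Generic.HashSet[string]]::new()
    $sliceStart = $StartDate
    while ($sliceStart -lt $EndDate) {
        $sliceEnd = $sliceStart.AddHours($WindowHours)
        if ($sliceEnd -gt $EndDate) { $sliceEnd = $EndDate }
        $sessionId = [guid]::NewGuid().ToString()   # one paging session per slice
        $checked = $false
        do {
            # Same SessionId + ReturnLargeSet returns the next page on each call.
            $page = @(Search-UnifiedAuditLog -StartDate $sliceStart -EndDate $sliceEnd `
                    -Operations FileAccessed -SessionId $sessionId `
                    -SessionCommand ReturnLargeSet -ResultSize 5000)
            if ($page.Count -gt 0 -and -not $checked) {
                $checked = $true
                # A session serves at most 50,000 records; beyond that, data is lost.
                if ($page[0].ResultCount -gt 50000) {
                    Write-Warning "$sliceStart to ${sliceEnd}: $($page[0].ResultCount) records; use a smaller -WindowHours."
                }
            }
            foreach ($rec in $page) {
                # Assumption: guest (B2B) accounts are identified by #EXT# in the UPN.
                if ($rec.UserIds -notlike '*#EXT#*') { continue }
                # Slices share a boundary instant, so skip records already emitted.
                if (-not $seenIds.Add($rec.Identity)) { continue }
                $data = $rec.AuditData | ConvertFrom-Json
                [pscustomobject]@{
                    AccessedTime  = $rec.CreationDate
                    ExternalUser  = $rec.UserIds
                    AccessedFile  = $data.SourceFileName
                    SiteUrl       = $data.SiteUrl
                    FileExtension = $data.SourceFileExtension
                    Workload      = $data.Workload
                }
            }
        } while ($page.Count -gt 0)
        $sliceStart = $sliceEnd
    }
}

# Output path is a placeholder.
Get-ExternalFileAccess -StartDate (Get-Date).AddDays(-30) |
    Export-Csv -Path .\ExternalFileAccess.csv -NoTypeInformation
```

Access through anonymous sharing links is not recorded under a guest UPN, so the #EXT# filter does not cover it.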
To ease your work, we have built a user-friendly PowerShell script to track external user file accesses.
Download Script: ExternalUserFileAccessReport.ps1
Script Highlights:
- The script uses modern authentication to connect to Exchange Online.
- The script can also be executed with an MFA-enabled account.
- Exports report results to CSV file.
- Allows you to generate an external file access report for a custom period.
- Automatically installs the EXO V2 module (if not installed already) upon your confirmation.
- The script is scheduler-friendly, i.e., credentials can be passed as parameters instead of being saved inside the script.
Microsoft 365 External File Access Report – Sample Output:
The exported SharePoint 365 external access report contains the following attributes: File Accessed Time, External User Name, Accessed File, Site URL, File Extension, Workload and Detailed Audit Data.
The report looks similar to the screenshot below:
External File Access PowerShell Script – Execution Methods:
To run the script, you can choose any one of the methods below.
Method 1: Execute the script with MFA and non-MFA accounts
./ExternalFileAccessReport.ps1
The exported report contains external user file access for the past 90 days.
Method 2: Execute the script by explicitly mentioning the credentials.
./ExternalFileAccessReport.ps1 -AdminName admin@contoso.com -Password XXX
Note: Scheduling works only for non-MFA accounts. If the admin account has MFA enabled, you need to disable MFA for it through the Conditional Access policy to make scheduling work.
Unlock Full Potential of External File Access PowerShell Script
- Export Office 365 external user file access for the past 90 days
- Audit Office 365 external user file access within a particular interval
- Get a monthly external file access report
- Schedule external file access report
Export External User File Access Report for the Past 90 Days:
Since Search-UnifiedAuditLog holds the past 90 days of data, the script can return at most the last 90 days of users’ file accesses. To export Office 365 external user file access for the past 90 days, run the script as shown below.
./ExternalFileAccessReport.ps1
Note: If a user is assigned an Office 365 E5, Microsoft 365 E5, Microsoft 365 Compliance, or E5 Discovery and Audit add-on license, you can generate an audit log for more than 90 days. In that case, use the -StartDate and -EndDate parameters to specify the time range.
Audit External User File Access for a Particular Interval
You can generate an external users’ file access report for a custom period by specifying the -StartDate and -EndDate parameters.
./ExternalFileAccessReport.ps1 -StartDate 03/16/2021 -EndDate 03/23/2021
The exported report helps to audit who accessed the files within a custom period. You can generate an external access audit report for the last 7 days, 30 days, 90 days, or any other required period.
Schedule External User File Access Report:
Because Search-UnifiedAuditLog returns audit logs only for the past 90 days, you may need older audit data for analysis. In that case, scheduling helps you automate the script execution. You can schedule the script to run at a pre-defined time to keep the audit log for more than 90 days.
To create a PowerShell scheduled task, you can use Windows Task Scheduler and follow the format below.
./ExternalFileAccessReport.ps1 -AdminName admin@contoso.com -Password XXX
The exported report contains external users’ file access for the past 90 days.
Get a Monthly External File Access Report:
To get a monthly report for external user file access, you can run the script as follows:
./ExternalFileAccessReport.ps1 -StartDate ((Get-Date).AddDays(-30)) -EndDate (Get-Date)
The exported report has the last 30 days of external users’ file access audit data.
I hope this blog is helpful to track when external users accessed the files. If you have any queries or requirements, share them with us through the comment section.