March 23, 2021

Audit External User File Access in SharePoint Online Using PowerShell

by Kathy Cooper

4 min read

No Comments

The external sharing feature lets users in your organization share content with people outside the organization (such as partners, vendors, clients, or customers). So, it’s necessary to audit who accessed the file to ensure each user is authorized.

To track external user activities, Microsoft 365 admin center doesn’t have any built-in report. Hence, admins can use any one of the below methods to audit external file access.

Audit log search: Admins need to apply multiple filters in audit log search to get the desired result. However, the report can’t be customized or scheduled.

PowerShell: Search-UnifiedAuditLog cmdlet helps to search the activities performed in the organization. But, if you don’t retrieve the audit data properly, you will end up with data loss.

To ease your work, we have built a user-friendly PowerShell script to track external user file accesses.

Script Highlights:
  • The script uses modern authentication to connect to Exchange Online.
  • The script can be executed with MFA enabled account too.
  • Exports report results to CSV file.
  • Allows you to generate an external file access report for a custom period.
  • Automatically installs the EXO V2 module (if not installed already) upon your confirmation.
  • The script is scheduler friendly. I.e., Credential can be passed as a parameter instead of saving inside the script.

Microsoft 365 External File Access Report – Sample Output:

The exported SharePoint 365 external access report contains following attributes: File Accessed Time, External User Name, Accessed File, Site URL, File Extension, Workload and Detailed Audit Data.

The report looks similar to the screenshot below:

file access report

External File Access PowerShell Script – Execution Methods:

To run the script, you can choose any one of the methods below.

Method 1: Execute the script with MFA and non-MFA accounts

The exported report contains external user file access for the past 90 days.

Method 2: Execute the script by explicitly mentioning the credentials.

Note: Scheduling works only for non-MFA accounts. If the admin account has MFA, then you need to disable MFA based on the Conditional Access policy to make it work.

Unlock Full Potential of External File Access PowerShell Script

  • Export Office 365 external user file access for the past 90 days
  • Audit Office 365 external user file access within a particular interval
  • Get a monthly external file access report
  • Schedule external file access report

Export External User File Access Report for the Past 90 Days:

Since Search-UnifiedAuditLog has past 90 days data, we can get a maximum of the last 90 days of user’s file accesses using our script. To export Office 365 external user file access for the past 90 days, run the script as mentioned below.

Note: If a user is assigned with Office 365 E5 or Microsoft 365 E5 or Microsoft 365 Compliance or E5 Discovery and Audit add-on license, then you can generate an audit log for more than 90 days. In that case, you can use –StartDate and –EndDate params to specify the time range.

Audit External User File Access for a Particular Interval

You can generate an external users’ file access report for a custom period by mentioning –StartDate and –EndDate params.

The exported report helps to audit who accessed the files within a custom period. You can generate an external access audit report for the last 7 days, 30 days, 90 days, or any other required period.

Schedule External User File Access Report:

As Search-UnifiedAuditLog can take audit logs for the past 90 days, you may require old audit data for analysis. In that case, scheduling will help you to automate the script execution. You can schedule the script to run a pre-defined time to keep the audit log for more than 90 days.

To create PowerShell scheduled task, you can use Windows Task Scheduler and follow the format below.

The exported report contains external users’ file access for the past 90 days.

Get a Monthly External File Access Report:

To get a monthly report for external user file access, you can run the script as follows,

The exported report contains external user file access for the past 90 days.

The exported report has the last 30 days of external users’ file access audit data.

I hope this blog is helpful to track when external users accessed the files. If you have any queries or requirements, share them with us through the comment section.

Effortlessly Audit External File Access in SharePoint Online with AdminDroid

With the growing importance of protecting sensitive data from external threats, it is crucial to have a comprehensive approach to audit external file access in SharePoint Online that goes beyond the PowerShell method. Therefore, say goodbye to native auditing and hello to detailed insights presented in visually stunning charts, real time alerts, customizable reports, and dashboards.

  • AdminDroid Microsoft 365 Reporter has got you covered with everything you need to monitor and track external file access activities with extra effortlessness! Plus, it also has separate reports for files accessed by admins and others such as files previewed, downloaded, and deleted by admins.

AdminDroid’s SharePoint reports provide in-depth insights on external user file access activities such as file accessed location, file extension details, accesses file URL, and relative file URL. You can also filter SharePoint file access count by accessed file, accessed user with daily accessed summary in the form of charts and graphs.

If you’re looking for a tool to audit your SharePoint Online environment, look no further than AdminDroid’s SharePoint Auditing tool. Regardless of the size of your business, this tool can help you manage your environment with greater efficiency. SharePoint Online management is made easy with AdminDroid and has comprehensive dashboards for widespread visibility! Moreover, the tool offers advanced features such as delegation, advanced scheduling, and advanced filtering that can help you manage your SharePoint Online environment with ease.

Therefore, if you’re looking to gain a comprehensive understanding of your SharePoint Online environment and ensure compliance with legal requirements, then give AdminDroid a try with our free 15-day premium edition. Don’t settle for limited reports, choose AdminDroid and experience the benefits of complete visibility and control over your SharePoint Online environment.

Join the thousands of satisfied customers who rely on AdminDroid for their Office 365 administration needs!

Share article