Audit External User File Access in SharePoint Online Using PowerShell 

The external sharing feature lets users in your organization share content with people outside the organization (such as partners, vendors, clients, or customers). So, it’s necessary to audit who accessed the file to ensure each user is authorized.  

To track external user activities, Microsoft 365 admin center doesn’t have any built-in report. Hence, admins can use any one of the below methods to audit external file access.  

Audit log search: Admins need to apply multiple filters in audit log search to get the desired result. However, the report can’t be customized or scheduled.  

PowerShell: Search-UnifiedAuditLog cmdlet helps to search the activities performed in the organization. But, if you don’t retrieve the audit data properly, you will end up with data loss.  

To ease your work, we have built a user-friendly PowerShell script to track external user file accesses. 

 

Download Script: ExternalUserFileAccessReport.ps1 

 

Script Highlights: 
  • The script uses modern authentication to connect to Exchange Online.   
  • The script can be executed with MFA enabled account too.   
  • Exports report results to CSV file.   
  • Allows you to generate an external file access report for a custom period.   
  • Automatically installs the EXO V2 module (if not installed already) upon your confirmation.  
  • The script is scheduler friendly. I.e., Credential can be passed as a parameter instead of saving inside the script. 

 

Microsoft 365 External File Access Report – Sample Output: 

The exported external access report contains following attributes: File Accessed Time, External User Name, Accessed File, Site URL, File Extension, Workload and Detailed Audit Data. 

The report looks similar to the screenshot below: 

file access report

 

External File Access PowerShell Script – Execution Methods: 

To run the script, you can choose any one of the methods below.   

Method 1: Execute the script with MFA and non-MFA accounts 

The exported report contains external user file access for the past 90 days. 

 

Method 2: Execute the script by explicitly mentioning the credentials. 

Note: Scheduling works only for non-MFA accounts. If the admin account has MFA, then you need to disable MFA based on the Conditional Access policy to make it work. 

 

Unlock Full Potential of External File Access PowerShell Script 

  • Export Office 365 external user file access for the past 90 days  
  • Audit Office 365 external user file access within a particular interval  
  • Get a monthly external file access report  
  • Schedule external file access report 

Export External User File Access Report for the Past 90 Days: 

Since Search-UnifiedAuditLog has past 90 days data, we can get a maximum of the last 90 days of user’s file accesses using our script. To export Office 365 external user file access for the past 90 days, run the script as mentioned below.  

Note: If a user is assigned with Office 365 E5 or Microsoft 365 E5 or Microsoft 365 Compliance or E5 Discovery and Audit add-on license, then you can generate an audit log for more than 90 days. In that case, you can use –StartDate and –EndDate params to specify the time range. 

 

Audit External User File Access for a Particular Interval 

You can generate an external users’ file access report for a custom period by mentioning –StartDate and –EndDate params.  

The exported report helps to audit who accessed the files within a custom period. You can generate an external access audit report for the last 7 days, 30 days, 90 days, or any other required period. 

 

Schedule External User File Access Report: 

As Search-UnifiedAuditLog can take audit logs for the past 90 days, you may require old audit data for analysis. In that case, scheduling will help you to automate the script execution. You can schedule the script to run pre-defined time to keep the audit log for more than 90 days. 

To create PowerShell scheduled task, you can use Windows Task Scheduler and follow the format below. 

The exported report contains external users’ file access for the past 90 days. 

 

Get a Monthly External File Access Report: 

To get a monthly report for external user file access, you can run the script as follows, 

The exported report contains external user file access for the past 90 days. 

The exported report has the last 30 days of external users’ file access audit data. 

 

I hope this blog is helpful to track when external users accessed the files. If you have any queries or requirements, share them with us through the comment section.