Audit SharePoint Online External Sharing Using PowerShell

Sharing resources is one of the key activities in SharePoint Online. It allows users to share files, folders, and sites with other users. If your organization has enabled external sharing, then admins need to track external file accesses and sharing events. Monitoring external sharing events will help you to prevent unauthorized access.

As an admin, it is always good to track the users’ activities in Microsoft 365 environment. However, native Microsoft 365 reports often fall short due to their limited capabilities. To address this, you may need to use a user-friendly Microsoft 365 reporting tool or PowerShell for more comprehensive insights.

Moreover, Microsoft does not provide direct reports for monitoring external sharing events, adding another layer of complexity to tracking external sharing activities.

To audit files shared with external users, you can use any one of the below methods.

Audit Log Search: You can use the ‘audit log search’ available in the Purview portal. It will list all the sharing events, including internal sharing. And, there is no filtering option to track external sharing alone.

PowerShell: You can use the ‘Search-UnifiedAuditLog’ cmdlet to retrieve activities performed in the organization. To retrieve external sharing events, you need to filter out external sharing activities such as AnonymousLinkCreated, SecureLinkCreated, AddedToSecureLink, and SharingInvitationCreated along with some more additional filters.

To make it simple, we have created a PowerShell script to audit external sharing activities. The exported report includes both SharePoint Online and OneDrive external sharing activities.

Download Script: ExternalSharingReport.ps1

Script Highlights:

• The script generates audit report for the last 180 days, by default.
• Allows you to generate an external sharing report for a custom period.
• Tracks external sharing in SharePoint Online separately.
• Tracks external sharing in OneDrive separately.
• Exports report results to CSV file.
• Automatically installs the EXO PowerShell module (if not installed already) upon your confirmation.
• The script can be executed with MFA enabled account too.
• Supports Certificate-based Authentication (CBA) too.
• The script is scheduler-friendly.

The exported external sharing report contains the following attributes: Shared Time, Shared By, Shared With, Shared Resource Type, Shared Resource, Site URL, Sharing Type, Workload, and Audit Info.

To run this script, you can choose any one of the below methods.

Method 1: Execute script with MFA and non-MFA account

This method will export all the external file/folder sharing activities to a CSV file.

Method 2: Execute script by explicitly mentioning credential (scheduler friendly).

If the admin account has MFA, then you need to disable MFA using CA policy to make it work.

Method 3: Execute the script using Certificate-based Authentication (scheduler-friendly)

Note: To use CBA, you must Register the app in Entra. Depending on your requirements, you can either create a self-signed certificate or use a CA certificate.

With this script, you can export more granular reports by using in-built filtering options. We have listed a few significant reports.

• Audit external sharing in OneDrive
• Audit external sharing in SharePoint Online
• Monitor external sharing activities for custom period
• Schedule external sharing audit report
• Get monthly report on external sharing

Like SharePoint Online, Microsoft also allows users to share OneDrive files/folders with external users. As earlier said, our script tracks both SharePoint Online and OneDrive for Business external sharing activities.

If you want to get OneDrive external sharing activities, please run the script with ‘OneDrive’ switch param.

With this report, you can identify OneDrive files and folders shared with external users.

To audit external sharing activities in SharePoint online, you can run the script with ‘SharePoint’ switch param.

By referring to this report, you can protect your organization’s resources by changing external sharing settings. In addition, you can monitor anonymous link creations and identify expired anyone links to keep your data secure.

If you want to get a list of resources shared with external users for a specific time range, you can run the script with ‘StartDate’ and ‘EndDate’ param.

The exported report contains list of files and folders that are shared with external users from April 13, 2024 to May 14, 2024.

Since the ‘Search-UnifiedAuditLog’ can retrieve external file/folder sharing activities for the last 180 days, you may require old data for analysis. In that case, scheduling will help you to keep the audit log for more than 180 days.

You can use both Method 2 and 3 to schedule the script in Azure Automation or Task Scheduler.

To get a monthly report on files and folder sharing, you can run the script as follows,

The exported report has the last 30 days of external file sharing audit data.

If you find any unusual sharing or unwanted file access, you can stop sharing

• by removing their permission from the shared item, or
• by removing them as a guest from the directory.

If you feel that completely disabling external sharing in Microsoft 365 may affect productivity, you can consider blocking settings for external users and continue sharing. It’s also recommended to track files and folders created by external users to enhance security.

AdminDroid offers a powerful SharePoint sharing reports that provide detailed insights into how users are sharing content and accessing information within SharePoint. With AdminDroid, you can easily track sharing invitations, file sharing and accesses, company link creations and accesses, anonymous links creations and accesses, external file sharing and accesses, and more.

In addition to its detailed sharing reports, AdminDroid provides 180+ SharePoint Online reports, including site info, usage summary, permission changes, folder and page activities, external users’ activities on SharePoint, and more. These reports can help you to identify usage trends, monitor security, and ensure compliance with regulations.

Further to this, AdminDroid’s Office 365 reporting software provides 1800+ pre-built reports and 30+ smart dashboards to help you gain deeper insights into your Microsoft 365 environment. The tool includes reports on multiple Office 365 services, including Azure AD, Exchange Online, Teams, SharePoint Online, OneDrive, OneNote, Yammer, Stream, Power BI, and more. Furthermore, it offers reports on every aspect of your Office 365 environment, including reporting, auditing, analytics, usage statistics, security, and compliance.

I hope this blog will help you to audit SharePoint activities. How do you manage external sharing in your organization? Share your techniques through the comment section.