Sharing resources is one of the key activities in SharePoint Online. It allows users to share files, folders, and sites with other users. If your organization has enabled external sharing, then admins need to track external file accesses and sharing events. Monitoring external sharing events will help you to prevent unauthorized access.
Never Allow Your Resources Fall into Wrong Hands:
As an admin, it is always good to track the users’ activities in Microsoft 365 environment. But it is not always possible with native office 365 reports due to its limited capability – either you need to depend on Microsoft 365 reporting tool or PowerShell.
As said, Microsoft has not provided any direct reports to monitor external sharing events too.
How to Identify Resources Shared with External Users:
To audit files shared with external users, you can use any one of the below methods.
Sharing auditing: You can use the ‘sharing auditing’ functionality available in the audit log search. It will list all the sharing events, including internal sharing. So, you need to identify external sharing by converting the AuditData column from a JSON object. Then, you can filter the ‘TargetUserOrGroupType’ column to ‘Guest’ to get external sharing events.
PowerShell: You can use the ‘Search-UnifiedAuditLog’ cmdlet to retrieve activities performed in the organization. To retrieve external sharing events, you need to filter out external sharing activities such as AnonymousLinkCreated, SecureLinkCreated, AddedToSecureLink, and SharingInvitationCreated along with some more additional filters.
Above mentioned methods require PowerShell knowledge. If you are new to PowerShell, it will be a little bit tricky.
Audit Office 365 External Sharing with PowerShell:
To make it simple, we have created a PowerShell script to audit Office 365 external sharing activities. The exported report includes both SharePoint Online and OneDrive external sharing activities.
Download Script: ExternalSharingReport.ps1
Script Highlights:
- The script uses modern authentication to connect to Exchange Online.
- The script can be executed with MFA enabled account too.
- Exports report results to CSV file.
- Allows you to generate an external sharing report for a custom period.
- Automatically installs the EXO V2 module (if not installed already) upon your confirmation.
- The script is scheduler-friendly. I.e., Credential can be passed as a parameter instead of saving inside the script.
Audit External Sharing Report – Sample Output:
The exported external sharing report contains the following attributes: Shared Time, Shared By, Shared With, Shared Resource Type, Shared Resource, Site URL, Sharing Type, Workload, and Audit Info.
External Sharing Report – Script Execution Steps:
To run this script, you can choose any one of the below methods.
Method 1: Execute script with MFA and non-MFA account
|
1 |
./ExternalSharingReport.ps1 |
Method 2: Execute script by explicitly mentioning credential (Scheduler friendly).
|
1 |
./ExternalSharingReport.ps1 -AdminName Admin@contoso.com -Password xxxx |
If the admin account has MFA, then you need to disable MFA based on the Conditional Access policy to make it work.
More Use-cases of ‘Office 365 External Sharing report’
With this script, you can export more granular reports by using in-built filtering options. We have listed a few significant reports.
- Audit external sharing in OneDrive
- Audit external sharing in SharePoint Online
- Monitor external sharing activities for custom period
- Schedule external sharing audit report
- Get monthly report on external sharing
OneDrive External Sharing Report:
Like SharePoint Online, OneDrive for Business also allows users to share files and folders with external users. As earlier said, our script tracks both SharePoint Online and OneDrive for Business external sharing activities.
If you want to get OneDrive external sharing activities, please run the script with ‘OneDrive’ switch param.
|
1 |
./ExternalSharingReport.ps1 -OneDrive |
With this report, you can identify OneDrive files and folders shared with external users.
Track SharePoint Online External Sharing:
To audit external sharing activities in SharePoint online, you can run the script with ‘SharePoint’ switch param.
|
1 |
./ExternalSharingReport.ps1 -SharePointOnline |
By referring to this report, you can protect your organization’s resources by changing external sharing settings.
Export External Sharing Activities for a Custom Period:
If you want to get a list of resources shared with external users for a specific time range, you can run the script with ‘StartDate’ and ‘EndDate’ param.
|
1 |
./ExternalSharingReport.ps1 -StartDate 4/13/21 -EndDate 5/14/21 |
The exported report contains list of files and folders that are shared with external users from April 13, 2021 to May 14, 2021.
Schedule ‘External Sharing Report’:
Since the ‘Search-UnifiedAuditLog’ can take external file/folder sharing activities for the last 90 days, you may require old data for analysis. In that case, scheduling will help you to keep the audit log for more than 90 days.
To run a PowerShell script from Task Scheduler, you can use the below format:
|
1 |
./ExternalSharingReport.ps1 -AdminName Admin@contoso.com -Password xxxx |
If the admin account has MFA, then you need to disable MFA based on the Conditional Access policy to make it work.
Get a Monthly External Sharing Report:
To get a monthly report on files and folder sharing, you can run the script as follows,
|
1 |
./ExternalSharingReport.ps1 -StartDate ((Get-Date).AddDays(-30)) -EndDate (Get-Date) |
The exported report has the last 30 days of external file sharing audit data.
Stop Sharing with External Users:
If you find any unusual sharing, you can stop sharing with external users
- by removing their permission from the shared item, or
- by removing them as a guest from the directory.
Get In-depth SPO Sharing Reports with AdminDroid:
AdminDroid offers a powerful SharePoint sharing reports that provide detailed insights into how users are sharing content and accessing information within SharePoint. With AdminDroid, you can easily track sharing invitations, file sharing and accesses, company link creations and accesses, anonymous links creations and accesses, external file sharing and accesses, and more.
In addition to its detailed sharing reports, AdminDroid provides 180+ SharePoint Online reports, including site info, usage summary, permission changes, folder and page activities, external users’ activities on SharePoint, and more. These reports can help you to identify usage trends, monitor security, and ensure compliance with regulations.
Why admins prefer AdminDroid for hassle-free SharePoint Online reporting?
- Triggers alerts for critical activities, like external file sharing, sensitive file access & sharing, etc.
- Provides SharePoint usage reports in a few mouse clicks
- Schedules and sends reports to email
- Exports data in various formats, such as CSV, HTML, PDF, etc.
- Filters data to generate fine-grained reports
- Visualizes report data to charts/AI generated graphs
- Manages multiple tenants
- User friendly UI
- 100+ Azure AD reports & dashboards available in Free Edition itself.
Further to this, AdminDroid’s Office 365 reporting software provides 1800+ pre-built reports and 30+ smart dashboards to help you gain deeper insights into your Microsoft 365 environment. The tool includes reports on multiple Office 365 services, including Azure AD, Exchange Online, Teams, SharePoint Online, OneDrive, OneNote, Yammer, Stream, Power BI, and more. Furthermore, it offers reports on every aspect of your Office 365 environment, including reporting, auditing, analytics, usage statistics, security, and compliance.
I hope this blog will help you to audit SharePoint activities. How do you manage external sharing in your organization? Share your techniques through the comment section.
