Audit SharePoint Online External Sharing Using PowerShell 

Sharing resources is one of the key activities in SharePoint Online. It allows users to share files, folders, and sites with other users. If your organization has enabled external sharing, then admins need to track external file accesses and sharing events. Monitoring external sharing events will help you to prevent unauthorized access. 

 

Never Allow Your Resources to Fall into the Wrong Hands: 

As an admin, it is always good to track users’ activities in the Microsoft 365 environment. But this is not always possible with the native Office 365 reports because of their limited capability; you need to depend on either a Microsoft 365 reporting tool or PowerShell. 

As with other activities, Microsoft has not provided any direct report to monitor external sharing events. 

 

How to Identify Resources Shared with External Users: 

To audit files shared with external users, you can use either of the methods below. 

Sharing auditing: You can use the ‘sharing auditing’ functionality available in the audit log search. It will list all the sharing events, including internal sharing. So, you need to identify external sharing by converting the AuditData column from a JSON object. Then, you can filter the ‘TargetUserOrGroupType’ column to ‘Guest’ to get external sharing events. 

PowerShell: You can use the ‘Search-UnifiedAuditLog’ cmdlet to retrieve activities performed in the organization. To retrieve external sharing events, you need to filter for external sharing activities such as AnonymousLinkCreated, SecureLinkCreated, AddedToSecureLink, and SharingInvitationCreated, along with some additional filters. 

Both methods above require PowerShell knowledge. If you are new to PowerShell, they can be a little tricky. 
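
The filtering described in the two methods above, as an added example (it is not the downloadable script and not code from the original page): it parses the AuditData JSON of each audit record and keeps only the external sharing events. The function name, the sample records, and the rule that an anonymous link always counts as external are assumptions made for this example.

```powershell
# Operations the article names as external sharing activities.
$SharingOperations = 'AnonymousLinkCreated', 'SecureLinkCreated',
                     'AddedToSecureLink', 'SharingInvitationCreated'

function Select-ExternalSharingEvent {   # hypothetical helper name
    # Input: records shaped like Search-UnifiedAuditLog output (AuditData is a JSON string).
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        try { $d = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning 'Skipping record with unparsable AuditData'; return }
        if ($d.Operation -notin $SharingOperations) { return }
        # Assumption: an anonymous link is external by nature; any other
        # operation is kept only when its target is a Guest.
        $isExternal = ($d.Operation -eq 'AnonymousLinkCreated') -or
                      ($d.TargetUserOrGroupType -eq 'Guest')
        if (-not $isExternal) { return }
        $sharedWith = if ($d.TargetUserOrGroupName) { $d.TargetUserOrGroupName } else { 'Anyone with the link' }
        [pscustomobject]@{
            SharedTime   = $d.CreationTime
            SharedBy     = $d.UserId
            SharedWith   = $sharedWith
            ResourceType = $d.ItemType
            Resource     = $d.ObjectId
            SiteUrl      = $d.SiteUrl
            SharingType  = $d.Operation
            Workload     = $d.Workload
        }
    }
}

# Constructed sample records (not real audit data): guest invite, internal share, anonymous link, bad JSON.
$sample = @(
    '{"CreationTime":"2021-04-20T09:15:00","Operation":"SharingInvitationCreated","UserId":"alice@contoso.example","TargetUserOrGroupType":"Guest","TargetUserOrGroupName":"partner@fabrikam.example","ItemType":"File","ObjectId":"https://contoso.example/sites/hr/plan.docx","SiteUrl":"https://contoso.example/sites/hr/","Workload":"SharePoint"}'
    '{"CreationTime":"2021-04-21T11:02:00","Operation":"AddedToSecureLink","UserId":"bob@contoso.example","TargetUserOrGroupType":"Member","TargetUserOrGroupName":"carol@contoso.example","ItemType":"File","ObjectId":"https://contoso.example/sites/it/notes.docx","SiteUrl":"https://contoso.example/sites/it/","Workload":"SharePoint"}'
    '{"CreationTime":"2021-04-22T16:40:00","Operation":"AnonymousLinkCreated","UserId":"bob@contoso.example","ItemType":"Folder","ObjectId":"https://contoso.example/personal/bob/Documents/Photos","SiteUrl":"https://contoso.example/personal/bob/","Workload":"OneDrive"}'
    'not-json'
) | ForEach-Object { [pscustomobject]@{ AuditData = $_ } }

$sample | Select-ExternalSharingEvent | Format-Table SharedTime, SharedBy, SharedWith, SharingType, Workload

# Live data (needs an Exchange Online session with permission to search the audit log):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#     -Operations $SharingOperations -ResultSize 5000 | Select-ExternalSharingEvent
```

On the sample input, the guest invitation and the anonymous link are kept, the internal share is dropped, and the unparsable record produces a warning instead of stopping the run.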

 

Audit Office 365 External Sharing with PowerShell: 

To make it simple, we have created a PowerShell script to audit Office 365 external sharing activities. The exported report includes both SharePoint Online and OneDrive external sharing activities. 

 

Download Script: ExternalSharingReport.ps1 

 

Script Highlights: 

  • The script uses modern authentication to connect to Exchange Online.
  • The script can be executed with an MFA-enabled account too.
  • Exports report results to a CSV file.
  • Allows you to generate an external sharing report for a custom period.
  • Automatically installs the EXO V2 module (if not installed already) upon your confirmation.
  • The script is scheduler-friendly, i.e., the credential can be passed as a parameter instead of being saved inside the script. 

 

Audit External Sharing Report – Sample Output: 

The exported external sharing report contains the following attributes: Shared Time, Shared By, Shared With, Shared Resource Type, Shared Resource, Site URL, Sharing Type, Workload, and Audit Info. 

[Image: Audit Microsoft 365 external sharing report]

 

External Sharing Report – Script Execution Steps: 

To run this script, you can choose either of the methods below. 

Method 1: Execute script with MFA and non-MFA account      

 

Method 2: Execute script by explicitly mentioning credential (Scheduler friendly).  

If the admin account has MFA enabled, you need to disable MFA for it through the Conditional Access policy to make this method work. 

 

More Use-cases of ‘Office 365 External Sharing report’ 

With this script, you can export more granular reports by using the built-in filtering options. We have listed a few significant reports.

 

OneDrive External Sharing Report: 

Like SharePoint Online, OneDrive for Business also allows users to share files and folders with external users. As mentioned earlier, our script tracks both SharePoint Online and OneDrive for Business external sharing activities. 

If you want to get OneDrive external sharing activities, run the script with the ‘OneDrive’ switch parameter. 

With this report, you can identify OneDrive files and folders shared with external users. 

 

Track SharePoint Online External Sharing: 

To audit external sharing activities in SharePoint Online, you can run the script with the ‘SharePoint’ switch parameter. 

By referring to this report, you can protect your organization’s resources by changing external sharing settings. 

 

Export External Sharing Activities for a Custom Period: 

If you want to get a list of resources shared with external users for a specific time range, you can run the script with the ‘StartDate’ and ‘EndDate’ parameters. 

The exported report contains a list of files and folders that are shared with external users from April 13, 2021 to May 14, 2021. 

 

Schedule ‘External Sharing Report’: 

Since ‘Search-UnifiedAuditLog’ can retrieve external file/folder sharing activities only for the last 90 days, you may need older data for analysis. In that case, scheduling the script will help you keep the audit data for more than 90 days. 

To run a PowerShell script from Task Scheduler, you can use the below format: 

If the admin account has MFA enabled, you need to disable MFA for it through the Conditional Access policy to make this method work. 

 

Get a Monthly External Sharing Report: 

To get a monthly report on file and folder sharing, you can run the script as follows: 

The exported report has the last 30 days of external file sharing audit data. 

 

Stop Sharing with External Users: 

If you find any unusual sharing, you can stop sharing with external users  

  • by removing their permission from the shared item, or  
  • by removing them as a guest from the directory. 

 

I hope this blog will help you to audit external sharing activities. How do you manage external sharing in your organization? Share your techniques through the comment section.