Audit Anonymous Access in SharePoint Online using PowerShell 

Office 365 allows sharing the resources (files, folders, etc.) with both inside and outside the organization. Based on the business needs and the sensitivity of the data, you can configure external sharing settings in SharePoint Online and OneDrive.

If the organization allows external sharing, admins need to monitor external sharing activities to limit intentional or accidental exposure of files shared with guests. Among external sharing methods, unauthenticated sharing (anonymous links) is the easiest way to share content, but it poses a high risk of exposure.

What is an Anonymous Link?  

Anonymous links are anyone-links that allow users to access resources anonymously without any form of authentication, i.e., users can open the link without signing in, and they can forward the link to others. Only people with the link can access the resource.

Generally, not all content in the organization is appropriate for unauthenticated sharing. So, admins need to pay special attention to anyone-links to safeguard the organization’s data.

 

How to Track Anonymous Sharing and Access in Office 365? 

To monitor anonymous link activities such as sharing links created, modified, removed, and accessed, you can use either an audit log search or a PowerShell cmdlet.

Search the audit log in the compliance center: By applying the required filters, you can view and download the anonymous access data. But with the downloaded report, you can’t view the needed data like shared resource, workload, user IP, etc., at a glance. Those attributes are formatted as a JSON object, which needs to be parsed for further information.  

PowerShell: The ‘Search-UnifiedAuditLog’ cmdlet retrieves Office 365 anonymous link activities such as AnonymousLinkCreated, AnonymousLinkUpdated, AnonymousLinkRemoved, and AnonymousLinkUsed. However, retrieving audit logs with PowerShell is not easy: if you don’t fetch the audit log properly, you end up with data loss, which defeats the purpose.
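The JSON parsing step described above, as an added example (not part of AnonymousLinkActivityReport.PS1): it flattens the AuditData string of each record into report columns and counts distinct source IPs per anonymously opened resource. The sample records, users, IPs and URLs are constructed, and the code assumes the AuditData property names CreationTime, Operation, UserId, ClientIP, ItemType, ObjectId, SiteUrl and Workload.

```powershell
# Constructed sample records shaped like Search-UnifiedAuditLog output: the details
# of each event sit in a JSON string in the AuditData property. All values are made up.
$records = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2021-06-02T09:14:05","Operation":"AnonymousLinkCreated","Workload":"SharePoint","UserId":"alice@contoso.example","ClientIP":"198.51.100.10","ItemType":"File","ObjectId":"https://contoso.example/sites/hr/Shared Documents/plan.docx","SiteUrl":"https://contoso.example/sites/hr/"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2021-06-02T11:40:12","Operation":"AnonymousLinkUsed","Workload":"SharePoint","UserId":"anonymous","ClientIP":"203.0.113.7","ItemType":"File","ObjectId":"https://contoso.example/sites/hr/Shared Documents/plan.docx","SiteUrl":"https://contoso.example/sites/hr/"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2021-06-03T08:02:44","Operation":"AnonymousLinkUsed","Workload":"SharePoint","UserId":"anonymous","ClientIP":"192.0.2.55","ItemType":"File","ObjectId":"https://contoso.example/sites/hr/Shared Documents/plan.docx","SiteUrl":"https://contoso.example/sites/hr/"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2021-06-03T10:15:00","Operation":"AnonymousLinkUsed","Workload":"OneDrive","UserId":"anonymous","ClientIP":"203.0.113.7","ItemType":"File","ObjectId":"https://contoso-my.example/personal/bob/Documents/notes.xlsx","SiteUrl":"https://contoso-my.example/personal/bob/"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2021-06-03T10:16' }   # truncated on purpose
)

function ConvertFrom-AnonymousLinkRecord {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        # A record whose AuditData does not parse is reported and skipped,
        # so one bad row does not abort the whole export.
        try   { $d = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning 'Skipping record with unparsable AuditData'; return }
        [pscustomobject]@{
            ActivityTime = [datetime]$d.CreationTime
            Activity     = $d.Operation
            User         = $d.UserId
            UserIP       = $d.ClientIP
            ResourceType = $d.ItemType
            Resource     = $d.ObjectId
            SiteUrl      = $d.SiteUrl
            Workload     = $d.Workload
        }
    }
}

$rows = $records | ConvertFrom-AnonymousLinkRecord

# Anonymous opens per resource with the distinct source IPs seen. Several IPs on
# one resource may mean the anyone-link was forwarded beyond its first recipient.
$access = $rows | Where-Object Activity -eq 'AnonymousLinkUsed' |
    Group-Object Resource | ForEach-Object {
        $ips = @($_.Group.UserIP | Sort-Object -Unique)
        [pscustomobject]@{
            Resource    = $_.Name
            Opens       = $_.Count
            DistinctIPs = $ips.Count
            IPs         = $ips -join ', '
        }
    }

$rows   | Format-Table ActivityTime, Activity, User, UserIP, Workload, Resource -AutoSize
$access | Sort-Object DistinctIPs -Descending | Format-Table -AutoSize
```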

Considering the above-mentioned challenges, we have created an all-in-one PowerShell script that helps track anonymous activities in your Microsoft 365 environment.

 

Download Script: AnonymousLinkActivityReport.PS1 

 

Script Highlights: 
  • Generates different anonymous link reports.
  • The script uses modern authentication to retrieve audit logs.
  • The script can be executed with an MFA-enabled account too.
  • Exports report results to a CSV file.
  • Automatically installs the EXO V2 module (if not installed already) upon your confirmation.
  • The script is scheduler-friendly, i.e., credentials can be passed as parameters instead of being saved inside the script.

 

Sample Output: 

The exported anonymous activity report contains Activity Time, Activity Name, Accessed By/ Shared By User, User IP, Resource Type, Shared/Accessed Resource, Edit Allowed, Site URL, Workload and More audit info.


 

Audit Anonymous Link Activity Report - Script Execution:

To run the script, you can choose any one of the methods below.    

Method 1: Execute the script with MFA and non-MFA accounts  

The exported report contains anonymous link creation, modification, deletion, and access activities for the past 90 days.  

  

Method 2: Execute the script by explicitly mentioning the credentials.  

Note: The above format works only for non-MFA accounts. If the admin account has MFA, then you need to disable MFA based on the Conditional Access policy to make it work. 

 

Unlock Full Potential of this PowerShell Script: 

As mentioned earlier, the script can generate eight different anonymous activity reports based on the requirement. You can use the built-in advanced filtering options to generate the desired report. We have listed a few use cases here.

 

Track Anonymous Link Activity in Office 365: 

By default, the script audits all the anonymous link activities such as anonymous links created, modified, removed, and accessed in SharePoint Online and OneDrive for Business for the last 90 days. 

To generate the report, use the following format: 

The exported report provides answers to all your sharing-related questions like  

  • who created an anonymous link, 
  • when the link was created,
  • who has changed an anonymous link,  
  • who viewed files using the anonymous link, etc. 

 

Audit Anonymous Sharing in SharePoint Online: 

With unauthenticated link sharing, anyone with the link can access the resource. To keep resources from falling into the wrong hands, the admin needs to keep an eye on anonymous link creation. To track anonymous sharing in SharePoint Online, use both the –SharePointOnline and –AnonymousSharing switch params.

 

Track Anonymous Sharing in OneDrive: 

Like SharePoint Online, OneDrive also allows anonymous sharing. To audit anonymous sharing, you can run the script with both the –OneDrive and –AnonymousSharing switch params. 

The exported report lists all the anonymous links created in the last 90 days, along with the permission level, i.e., whether the link allows users to edit the resource or only view the document.

 

SharePoint Online Anonymous Access Report: 

Anyone-links grant anonymous access to files and folders. So, it’s not possible to know the users’ identity, but we can track their IP addresses. To identify anonymous access, run the script with both -SharePointOnline and -AnonymousAccess params. 

Note: To find an external user who accessed the file, you can share the resource with guests using the ‘Specific people link’. 

 

Monitor Anonymous Access in OneDrive: 

To view which IP addresses have accessed a file through a OneDrive anonymous link, you can execute the script as follows:  

By referring to this report, the admin can turn off anyone-links to block unauthenticated access.

 

To track users who have created, updated, removed, and used anonymous links in SharePoint Online, execute the script as shown below. 

 

Auditing OneDrive’s anonymous links helps you identify who shared the anonymous link, what resource was shared, when the resource was accessed, etc.

By using the –OneDrive switch param, you can get the anonymous link audit report for OneDrive for Business.

 

Get Audit Report for Custom Period: 

Instead of generating a report for the last 90 days, you can use the –StartDate and –EndDate params to generate the report for a custom period. It will reduce the script execution time.

The above report contains all the anonymous link-related activities performed from June 1, 2021, to June 15, 2021. 

A few more examples:

  • To retrieve SharePoint Online anonymous access for a custom period: 

  • To audit anonymous sharing in OneDrive for a custom period, 

 

Get Monthly Report on Anonymous Activity: 

To get a monthly report for anonymous link activity, you can run the script as follows, 

The exported report has the last 30 days of anonymous link activity audit data. 

 

Schedule Anonymous Link Activity Report: 

Since ‘Search-UnifiedAuditLog’ can retrieve audit activities for the last 90 days, you may require older data for analysis. In that case, scheduling will help you keep the audit log for more than 90 days.

To run a PowerShell script from Task Scheduler, you can use the format below:

If the admin account has MFA, then you need to disable MFA based on the Conditional Access policy. 

 

I hope this blog is helpful to track anonymous link activity. If you have any queries or requirements, share them with us through the comment section.