Updated 1 month ago

Audit Anonymous Access in SharePoint Online using PowerShell

by Kathy Cooper

Office 365 allows sharing resources (files, folders, etc.) with people both inside and outside the organization. Based on the business needs and the sensitivity of the data, you can configure external sharing settings in SharePoint Online and OneDrive.

If the organization allows external sharing, admins need to monitor external sharing activities to limit an intentional or accidental exposure of files. Therefore, it is necessary to have robust security settings in place and secure guest sharing in Microsoft 365. Unlike other external sharing methods, unauthenticated sharing (Anonymous links) is the easiest way to share the content. But it poses a high risk of exposure.

What is an Anonymous Link?

Anonymous links are anyone-links that allow users to access resources anonymously without any form of authentication. That is, users can open the link without signing in, and they can forward the link to others. Only people with the link can access the resource.

Generally, not all content in the organization is appropriate for unauthenticated sharing. So, admins need to consider blocking some essential settings for external users before sharing it.

How to Track Anonymous Sharing and Access in Office 365?

To monitor anonymous link activities such as sharing links created, modified, removed, and accessed, you can use either an audit log search or a PowerShell cmdlet.

Search the audit log in the compliance center: By applying the required filters, you can view and download the anonymous access data. But with the downloaded report, you can’t view the needed data like shared resource, workload, user IP, etc., at a glance. Those attributes are formatted as a JSON object, which needs to be parsed for further information.

PowerShell: ‘Search-UnifiedAuditLog’ retrieves Office 365 anonymous link activities such as AnonymousLinkCreated, AnonymousLinkUpdated, AnonymousLinkRemoved, and AnonymousLinkUsed. However, it is not easy to retrieve audit logs using PowerShell: if you don’t fetch the audit log properly, you will end up with data loss, which defeats the purpose.
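To make both points concrete, here is a minimal sketch of paged retrieval with ‘Search-UnifiedAuditLog’ and of parsing the AuditData JSON into report columns. It is an added example, not the script described in this post; the function names are hypothetical, the JSON field names are those of the SharePoint audit record schema, and the sample record is constructed.

```powershell
# Added example: not the script from this post. Get-AnonymousLinkAudit needs an
# existing Connect-ExchangeOnline session; the parser runs on its own.
$AnonOps = 'AnonymousLinkCreated','AnonymousLinkUpdated',
           'AnonymousLinkRemoved','AnonymousLinkUsed'

function ConvertFrom-AnonAuditData {
    # Flatten the AuditData JSON of one audit record into report columns.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$AuditData)
    process {
        $d = $AuditData | ConvertFrom-Json
        [pscustomobject]@{
            ActivityTimeUtc = [datetime]$d.CreationTime
            Activity        = $d.Operation
            User            = $d.UserId
            UserIP          = $d.ClientIP
            ResourceType    = $d.ItemType
            Resource        = $d.ObjectId
            SiteUrl         = $d.SiteUrl
            Workload        = $d.Workload
        }
    }
}

function Get-AnonymousLinkAudit {
    param([datetime]$StartDate = (Get-Date).AddDays(-90),
          [datetime]$EndDate   = (Get-Date))
    $session = [guid]::NewGuid().ToString()   # one session id ties the pages together
    $count = 0
    do {
        # Each call with the same SessionId returns the next page of up to 5000 records.
        $page = @(Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                    -Operations $AnonOps -SessionId $session `
                    -SessionCommand ReturnLargeSet -ResultSize 5000)
        $count += $page.Count
        $page | ForEach-Object { $_.AuditData | ConvertFrom-AnonAuditData }
    } while ($page.Count -gt 0)
    if ($count -ge 50000) {
        # A paged session stops at 50,000 records; anything beyond that is silently missing.
        Write-Warning 'Session limit reached: split the date range and run again.'
    }
}

# Constructed sample AuditData (not real tenant data) to try the parser offline.
$sample = '{"CreationTime":"2021-06-03T09:14:22","Operation":"AnonymousLinkUsed",' +
          '"Workload":"SharePoint","UserId":"anonymous","ClientIP":"203.0.113.24",' +
          '"ItemType":"File","SiteUrl":"https://contoso.sharepoint.com/sites/hr/",' +
          '"ObjectId":"https://contoso.sharepoint.com/sites/hr/Shared Documents/plan.docx"}'
$sample | ConvertFrom-AnonAuditData
```

Against a live tenant, `Get-AnonymousLinkAudit | Export-Csv .\AnonymousLinkAudit.csv -NoTypeInformation` writes the flattened records to a CSV file.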

Considering the above-mentioned challenges, we have created an all-in-one PowerShell script that helps to track anonymous activities in your Microsoft 365 environment.

Script Highlights:
  • Generates 8 different anonymous link reports.
  • The script uses modern authentication to retrieve audit logs.
  • The script can be executed with MFA enabled account too.
  • Exports report results to CSV file.
  • Automatically installs the EXO V2 module (if not installed already) upon your confirmation.
  • The script is scheduler friendly, i.e., credentials can be passed as parameters instead of being saved inside the script.

Sample Output:

The exported anonymous activity report contains Activity Time, Activity Name, Accessed By/ Shared By User, User IP, Resource Type, Shared/Accessed Resource, Edit Allowed, Site URL, Workload and More audit info.

To run the script, you can choose any one of the methods below.

Method 1: Execute the script with MFA and non-MFA accounts

The exported report contains anonymous link creation, modification, deletion, and access activities for the past 90 days.

Method 2: Execute the script by explicitly mentioning the credentials.

Note: The above format works only for non-MFA accounts. If the admin account has MFA, then you need to disable MFA based on the Conditional Access policy to make it work.

Unlock Full Potential of this PowerShell Script:

As mentioned earlier, the script can generate eight different anonymous activity reports based on the requirement. You can use the built-in advanced filtering options to generate the desired report. We have listed a few use cases here.

Track Anonymous Link Activity in Office 365:

By default, the script audits all the anonymous link activities such as anonymous links created, modified, removed, and accessed in SharePoint Online and OneDrive for Business for the last 90 days.

To generate the report, use the following format:

The exported report provides answers to all your sharing-related questions like

  • who created an anonymous link,
  • when the link was created,
  • who has changed an anonymous link,
  • who viewed files using the anonymous link, etc.

Audit Anonymous Sharing in SharePoint Online:

With unauthenticated link sharing, anyone with the link can access the resource. To keep resources from falling into the wrong hands, the admin needs to keep an eye on anonymous link creation. To track anonymous sharing in SharePoint Online, use both the -SharePointOnline and -AnonymousSharing switch params.

Track Anonymous Sharing in OneDrive:

Like SharePoint Online, OneDrive also allows anonymous sharing. To audit anonymous sharing, you can run the script with both the –OneDrive and –AnonymousSharing switch params.

The exported report lists all the anonymous links created in the last 90 days, along with the permission level. I.e., whether the link allows users to edit the resource or only view the document.

SharePoint Online Anonymous Access Report:

Anyone-links grant anonymous access to files and folders. So, it’s not possible to know the users’ identity, but we can track their IP addresses. To identify anonymous access, run the script with both -SharePointOnline and -AnonymousAccess params.

Note: To find an external user who accessed the file, you can share the resource with guests using the ‘Specific people link’.

Monitor Anonymous Access in OneDrive:

To view which IP addresses have accessed a file through a OneDrive anonymous link, you can execute the script as follows:

By referring to this report, the admin can turn off anyone-links to block unauthenticated access.

Audit Anonymous Access Link in SharePoint Online:

To track users who have created, updated, removed, and used anonymous links in SharePoint Online, execute the script as shown below.

Track Anonymous Links in OneDrive:

Auditing OneDrive’s anonymous links helps you to identify who shared the anonymous link, what resource was shared, when the resource was accessed, etc.

By using –OneDrive switch param, you can get the anonymous link audit report for OneDrive for Business.

Get Audit Report for Custom Period:

Instead of generating a report for the last 90 days, you can use –StartDate and –EndDate params to generate the report for the custom period. It will reduce the script execution time.

The above report contains all the anonymous link-related activities performed from June 1, 2021, to June 15, 2021.

A few more examples:

  • To retrieve SharePoint Online anonymous access for a custom period:

  • To audit anonymous sharing in OneDrive for a custom period,

Get Monthly Report on Anonymous Activity:

To get a monthly report for anonymous link activity, you can run the script as follows,

The exported report has the last 30 days of anonymous link activity audit data.

Schedule Anonymous Link Activity Report:

Since ‘Search-UnifiedAuditLog’ can retrieve audit activities only for the last 90 days, you may require older data for analysis. In that case, scheduling the script will help you keep the audit log for more than 90 days.

To run a PowerShell script from Task Scheduler, you can use the below format:

If the admin account has MFA, then you need to disable MFA based on the Conditional Access policy.

I hope this blog is helpful to track anonymous link activity. If you have any queries or requirements, share them with us through the comment section.

SharePoint Online audit logs and PowerShell scripts can provide high-level information about anonymous link activities, but they may not offer detailed information on specific actions taken by individual users. Also, audit logs may not capture all anonymous link activities in SharePoint Online, leaving gaps in the audit trail. Similarly, extracting and analyzing anonymous link activities using PowerShell scripts can be a time-consuming manual process, especially if you need to perform regular audits or track activities across multiple sites.

To overcome all the above downsides, AdminDroid offers a solution to manage anonymous links effectively. With the help of AdminDroid’s SharePoint Online anonymous links report, administrators can monitor the creation, deletion, and modification of anonymous links. In the report, you’ll find comprehensive information on each link, including target item URL, file type, and permission details, among other useful data points.

On the other hand, native reporting provides only basic information, such as the number of links created within the last 30 days and the primary admin who created the link. But this tool enables admins to gain deeper insights and maintain better control over anonymous links in SharePoint Online.

Apart from these, the AdminDroid SharePoint Online auditing tool provides detailed insights on SPO activities such as group membership auditing, external site sharing, site collection memberships, and other access-related activities. These insights help users periodically monitor suspicious activities and take necessary actions. AdminDroid’s SharePoint Online management tool also offers 180+ reports on site collections, inactive SPO sites, lists, libraries, and SPO site usage in the organization, which help admins manage the SPO environment more effectively.

Looking for an all-in-one tool to manage your Office 365 environment? Look no further than AdminDroid! With over 1800 reports and 30+ insightful dashboards, this easy-to-use interface provides reports on Exchange Online, SharePoint Online, Microsoft Teams, and OneDrive for Business etc. With a 15-day free trial, there’s no reason not to give AdminDroid a try and see the difference for yourself!

Download AdminDroid and start optimizing your Office 365 experience!
