Audit File Access in SharePoint Online Using PowerShell

SharePoint files are crucial for Microsoft 365 collaboration, encompassing documents, spreadsheets, presentations, and more. Despite facilitating teamwork, challenges like conflicts, versioning issues, and access control difficulties emerge without effective management. Furthermore, the sharing dynamics in SharePoint Online add complexity, accessible to both internal and external users. The risks even rise when critical files face unauthorized deletion or alteration. Thus, auditing file access in SharePoint Online is essential for protecting sensitive data, understanding how people use it, and spotting any suspicious activity.

To audit access to a file in SharePoint Online, you can use two methods: Microsoft 365 audit logs or PowerShell.

1. Microsoft 365 Audit Logs: Unified audit logs allow auditing file access in SharePoint Online through the “Accessed File” filter. However, these audit log searches can’t be customized or scheduled.
2. PowerShell: By employing the “Search-UnifiedAuditLog” cmdlet, you can audit file usage in SharePoint Online. Yet, it comes with limitations like uncertain range records and the need for multiple calls.

To simplify this process, we’ve crafted a PowerShell script that effortlessly audits and reports file access in SharePoint Online and OneDrive for your organization.

Download Script: AuditFileAccess.ps1

1. The script employs modern authentication for retrieving audit logs.
2. The script can be executed with multi-factor authentication (MFA) enabled accounts seamlessly.
3. The script retrieves the file access audit log for the past 180 days by default.
4. Enables the generation of a custom file access audit report for any desired period.
5. Easily locates the recently accessed files in SharePoint Online, such as files opened in the last 30 days.
6. Effortlessly exports the audit report results to a CSV file.
7. Identifies files accessed by external or guest users for enhanced security awareness.
8. Monitors all files accessed by a specific user for comprehensive tracking.
9. The script is designed to track file access within SharePoint Online and OneDrive separately.
10. Upon confirmation, the script automatically installs the EXO module if not already installed.
11. The script is scheduler-friendly, allowing credentials to be passed as parameters.
12. Supports certificate-based authentication (CBA) for an additional layer of security.

The exported SharePoint Online file access report includes the following essential attributes:

• File Accessed Time
• File Accessed By
• Accessed File
• Site URL
• File Extension
• Workload

The report will be similar to the screenshot below.

1. Download the provided PowerShell script and open it in Windows PowerShell.
2. Execute the script using one of the following methods:

Method 1: Run the script with both MFA and non-MFA accounts.

Method 2: Execute the script with explicit credentials for an unattended approach.

You can schedule the PowerShell script using Task Scheduler with the provided code. Note that this method is exclusively for non-MFA accounts. If the admin account uses multi-factor authentication, consider disabling MFA through the Conditional Access policy for the scheduled script to run successfully.

Method 3: For an unattended approach, execute the script using certificate-based authentication (scheduler-friendly). Specify the app ID, certificate thumbprint, and organization.

You have the option to use a Certificate Authority (CA) or a self-signed certificate based on your preference in this process.

NOTE: To implement this authentication method, you should register an app in Azure AD.

This PowerShell script facilitates efficient SharePoint Online management by enabling the following operations.

1. Track file access in SPO for the past 180 days
2. Audit SPO file access for a custom period
3. Find recently accessed files in SharePoint Online
4. SharePoint & OneDrive files accessed by a specific user
5. View external user file access in SharePoint Online
6. Track SharePoint Online file accesses
7. Identify OneDrive file access in Microsoft 365
8. Find SharePoint Online files accessed by a specific user
9. View OneDrive files accessed by a particular user
10. List SPO files accessed by a specific user in a custom period

Administrators commonly use the PowerShell cmdlet Search-UnifiedAuditLog to generate a 90-day report for SharePoint Online file access. With the recent extension of audit logging retention to 180 days, admins now have an extended timeframe. This allows them to retrieve and analyze audit logs, significantly enhancing their ability to identify and respond to potential security threats.

To export SharePoint Online file access history over the 180-day period, admins can use the script below.

In the realm of SharePoint Online, adherence to specific compliance requirements is necessary. Customizing the audit period in SharePoint Online becomes vital to ensuring that the organization aligns with these compliance standards effectively. Using parameters such as -StartDate and -EndDate enables you to generate a SharePoint Online file access report for a custom period.

The provided example exports SharePoint Online file usage data for the period from Sep 25, 2023, to Jan 21, 2024.

Monitoring recently accessed files in SharePoint Online acts as an early warning system for security concerns. Anomalous or unexpected access patterns can be indicative of a security threat, and swift detection is critical for mitigating associated risks.

In this example, the parameter “RecentlyAccessFiles_In_Days” is set to 30, indicating the desired timeframe for the query. Thus, the script fetches details on SharePoint files accessed in the last 30 days.

Tracking user interactions with files in SharePoint and OneDrive is significant. Consider a scenario where a user accidentally accesses a confidential file. Exporting and sorting all files accessed in SharePoint Online & OneDrive to pinpoint a specific file accessed by a user can pose a challenge.

That’s where the “AccessedBy” parameter comes in! Use the script below to easily identify SharePoint and OneDrive files handled by a specific user.

Note: As crucial as monitoring file access, auditing file downloads in SharePoint also holds equal importance. More importantly, it is advisable to implement “Sign-in frequency – Every time” session control in Conditional Access to ask for reauthentication on users accessing crucial SPO sites.

Microsoft 365 users frequently share content with external entities like partners, vendors, clients, or customers. However, it is imperative to guarantee that these external users only access files intended for them and that users share only the necessary files.

Thus, auditing external user file access in SharePoint Online is essential to prevent data leakage and unauthorized access to sensitive content. Execute the following cmdlet to audit files accessed by external users in SharePoint Online and OneDrive.

While OneDrive serves as personal storage and SharePoint as collaborative storage, it’s worth noting that these workloads are often interconnected. To precisely export SharePoint Online file accesses, use the following script with the “SharePointOnlineOnly” parameter. This helps differentiate and specifically target files within SharePoint.

Without configuring proper SharePoint Online permission levels, unauthorized users might gain access to confidential SPO files. Monitoring the SharePoint files accessed by specific users is essential for maintaining proper permissions and ensuring authorized access within SharePoint. To achieve this, you can utilize the following cmdlet to export a list of SharePoint files accessed by a specific user in Microsoft 365.

Monitoring files extends beyond SharePoint; it’s crucial for OneDrive as well. Keeping track of accessed OneDrive files helps identify shared content, manage access, and prevent inadvertent data exposure.

To address these concerns, use the script below to identify OneDrive files accessed in the past six months, along with details on the user who accessed them.

In the context of ransomware attacks, OneDrive becomes a prime target for attackers. Given the prevalence of bring-your-own-device (BYOD) practices, OneDrive files are often accessible and downloadable on numerous unmanaged devices. Therefore, it is imperative to closely monitor OneDrive files accessed by a specific user.

The above example retrieves the OneDrive files accessed by lisa@contoso.com.

If a user’s account is compromised, closely monitoring their accessed files helps understand the impact of the compromise. This proactive approach empowers admins with insights into compromised user activities, modifications, and data exfiltration attempts for swift and targeted threat mitigation.

Use the script below to track access to a file in SharePoint Online by a specific user over a custom period.

The provided example retrieves the files accessed by lisa@contoso.com within the period from Aug 27, 2023, to Jan 21, 2024.

We’ve covered auditing file access in SharePoint Online using PowerShell. But if PowerShell isn’t your thing or you’re just getting started, worry not!

Introducing AdminDroid Microsoft 365 Reporter – the easy, hassle-free solution for auditing file access in SharePoint Online!

AdminDroid enables you to effortlessly conduct file access audits in SharePoint Online. With AdminDroid, you can gain detailed insights into various file access activities, including:

• Accessed files
• Access extended files
• File deletions
• File management activities
• Restored files
• Modified files
• CheckedIn files
• CheckedOut files

And the list doesn’t stop there – AdminDroid provides even more comprehensive coverage! In addition to file access auditing, the AdminDroid SharePoint Online auditing tool makes it simple to audit various aspects of SharePoint such as site collections, permissions, groups, site sharing, DLP actions, folders, and page activities.

Furthermore, the SharePoint Online reporting tool offers granular reports on SharePoint site usage, inactive users, SharePoint lists, document libraries, and much more. These detailed reports guarantee efficient SharePoint Online management.

However, AdminDroid goes beyond SharePoint Online management; it’s your all-in-one solution for Microsoft 365 reporting and auditing! With over 1800 comprehensive reports and 30+ AI-powered dashboards, AdminDroid provides a deep dive into services like Microsoft Entra ID, Exchange Online, MS Teams, OneDrive, Power BI, Stream, and Viva Engage.

Elevate your reporting and monitoring experience with features like quick alerting, scheduling, granular access delegation, and advanced customization filters.

Don’t miss out on the opportunity to explore the sophisticated world of Microsoft 365 administration with a 15-day trial. Click the AdminDroid download button now and revolutionize your Microsoft 365 management experience!

In conclusion, leveraging PowerShell scripts to audit file access in SharePoint Online proves to be a game-changer for organizations seeking enhanced security and compliance. By automating the audit process, administrators can obtain detailed insights into user activities, enhancing the security of sensitive SharePoint Online files. Additionally, you can create SPO alerts for sensitive files or entire document libraries to track site content changes in real time, reducing data loss.

We trust that this blog has empowered you to effectively audit SharePoint file access in Microsoft 365. For queries or further assistance, feel free to contact us through the comments section below. Stay secure and audit with confidence!