Report and Audit File Downloads in SharePoint Online Using PowerShell

SharePoint Online is a powerful collaboration service in Microsoft 365 that facilitates seamless file sharing and management across organizations. While it provides extensive capabilities, tracking file downloads is crucial for maintaining data security and compliance. This blog highlights the methods to audit file downloads in SharePoint Online.

The methods below offer a comprehensive view of files downloaded in SharePoint Online and OneDrive.

Microsoft Purview Audit Logs: The unified audit logs in Microsoft 365 can be used to track file access. By using the “Downloaded file” filter in the audit logs search, you can find all the file downloads performed within the SharePoint or OneDrive pages. Though the resultant Microsoft 365 audit logs can be exported, they can’t be scheduled or customized based on your preferences.

PowerShell: You can use the “Search-UnifiedAuditLog” cmdlet after getting connected to the Exchange Online PowerShell to audit file downloads in SharePoint Online. Although this cmdlet offers logs for file downloads, it provides results in JSON format, which require further processing and are also time-consuming.

To overcome the UI and PowerShell complexities, we have created an All-in-one PowerShell script. It helps in easy tracking of crucial details, including the user who downloaded a file, the file type, and the timestamp of the download. Let’s get started!

Download Script: AuditFileDownloads.ps1

1. The script exports 10+ file download audit reports.
2. The script can be executed with MFA-enabled accounts too.
3. It exports audit results to CSV file format in the working directory.
4. The script retrieves file downloaded audit log for 180 days, by default.
5. Allows you to obtain audit file download reports for a custom period.
6. Helps you to find recently downloaded SPO files, such as files downloaded in the last 30 days.
7. Helps to identify files downloaded by external/guest users.
8. For comprehensive tracing, the script enables you to monitor all files downloaded by a specific user.
9. The script is designed to track SharePoint & OneDrive file downloads separately.
10. It automatically installs the EXO module (if not installed already) upon your confirmation.
11. The script is scheduler-friendly i.e., Credentials can be passed as a parameter instead of saved inside the script.
12. The script supports Certificate-based Authentication (CBA) too.

The following list provides details on file download events, showcasing attributes present in the report (CSV format).

• Downloaded Time
• Downloaded By
• Downloaded File
• Site URL
• File Extension
• Workload
• More Info

First, download the provided PowerShell script. Next, open Windows PowerShell and navigate to the directory where the script is located. After that, execute the script using one of the following methods:

Method 1: You can execute the script in the manner below for MFA and non-MFA accounts.

The above script execution exports file download audit logs for the last 180 days.

Method 2: For an unattended approach, execute the script with the explicit credentials (Scheduler-friendly).

You can schedule the PowerShell script using the task scheduler with the given code for non-MFA admin accounts. If the admin account utilizes multi-factor authentication, you can disable MFA through the Conditional Access policy for the successful execution of the scheduled script.

Method 3: For certificate-based authentication, execute the script using the following essential parameters.

To run this PowerShell script with the certificate-based credentials, register an app in Azure AD. You can use either a certificate issued by Certificate Authority (CA) or create a self-signed SSL certificate, which is preferred by many admins in internal scenarios.

This PowerShell script helps to audit file downloads in SharePoint Online and OneDrive by enabling the following operations.

1. Audit downloaded files for the past 180 days
2. Track document downloads between a custom period
3. Find recent file downloads
4. Track file downloads by a specific user
5. Find files downloaded by external users
6. Track file downloads from OneDrive alone
7. Audit file downloads in SharePoint online alone

To export SharePoint Online file download history over the past 180 days, admins can execute the PowerShell script as stated here.

Previously, admins could export the log for only up to 90 days. With the recent extension of audit logging retention to 180 days, admins now have an extended timeframe.

Exporting the audit log for downloaded files in SharePoint Online during a specified period enables admins to make informed decisions, ensuring the security and confidentiality of the data. The usage of parameters such as “StartDate” and “EndDate” enables you to generate file download reports for a custom period.

The provided example exports file download information for the period from Sep 28, 2023, to Feb 26, 2024.

Reviewing recent file downloads from SharePoint Online enables admins to take action and implement crucial security measures for timely insights. By utilizing the “RecentlyDownloadedFiles_In_Days” parameter, admins can easily identify the file downloads within the last ‘n’ number of days.

The above format will fetch details on files downloaded in SharePoint Online and OneDrive within the last 30 days.

By gaining insights into user-specific file interactions, admins can conduct thorough investigations in case of security incidents. Execute the script with the “DownloadedBy” parameter to check the file downloads by the specific user. This helps to obtain the SharePoint download history of a user.

The above-mentioned execution will export details about files downloaded by Leena from all SharePoint Online sites and OneDrive pages.

Note: As crucial as monitoring file downloads, auditing file access in SharePoint also holds equal importance.

Users often share files with external or guest users. In such cases, ensuring only the intended guests can download the files is crucial. Utilizing the “FileDownloadedByExternalUsersOnly” parameter enables administrators to easily identify the files downloaded by guests or external users.

The above format will export an audit report on files downloaded by external users in the last 180 days.

Additionally, you can audit files accessed by external users to detect and respond to suspicious activity. Furthermore, monitoring external file sharing in SPO helps prevent and block unauthorized access.

As an admin, you can specifically extract details of the file downloads performed in OneDrive. To do so, you can add the “OneDriveOnly” parameter with each execution.

The provided example will fetch only the details on OneDrive files downloaded within the past 180 days.

Similarly, you can combine the “OneDriveOnly” param with other parameters to generate more granular reports. For example,

• To identify recently downloaded OneDrive files in the last ‘n’ number of days, execute as shown below.

The above example will fetch details on OneDrive files downloaded in the last 30 days.

• To monitor the OneDrive file downloaded by a specific user, run as shown below by a specific user.

The above example retrieves OneDrive files downloaded by Leena in the last 180 days.

Similar to the above executions, you can retrieve the report to track file downloads from SharePoint only. To see who downloaded the file from SharePoint, use the “SharePointOnlineOnly” parameter.

The provided example will fetch only the details on the SharePoint files downloaded within the past 180 days.

Similarly, you can combine the “SharePointOnlineOnly” param with other parameters to generate more granular reports. For example,

• To track recently downloaded SharePoint Online files in the last ‘n’ number of days, execute as shown below.

The above example will fetch details on SharePoint Online files downloaded in the last 30 days.

• To monitor SharePoint Online files downloaded by a specific user, run as shown below.

The above example retrieves only the SharePoint files downloaded by Leena in the last 180 days.

While the above reports assist in auditing downloads from various perspectives, you can implement a block download policy for SharePoint Online and OneDrive to restrict downloads and enhance security. If you find any anonymous downloads, you can review the SharePoint Online permission levels to ensure correct usage.

Many admins find themselves yearning for additional features in SharePoint Online reporting. These might encompass enhanced user-friendly interfaces, advanced analytics, or specific customization options.

If you’re on the lookout for a comprehensive solution, worry not—AdminDroid is here to fulfill those needs. AdminDroid not only enables you to monitor file downloads in SharePoint but also provides insights into SharePoint activities and SPO file access.

Gain detailed insights into various SPO file auditing activities, such as:

• Files uploaded or downloaded from SharePoint sites
• Files shared with external users
• Files accessed by external users
• File activities performed by guests
• File activities performed by admins
• SharePoint files copied, or moved across SharePoint sites
• File deletions & restorations
• Malware-detected files
• Files shared with anonymous access

Get a new level of security insights with SharePoint Online auditing tool. Dive deep into comprehensive details, ensuring the protection of sensitive data through continuous monitoring of user permissions, file sharing, file access, and DLP actions.

But wait, there’s more! The SharePoint Online management doesn’t end here! Elevate your experience with real-time stats through SharePoint Online reports. Gain valuable insights into site usage, identify inactive users, and effortlessly track SharePoint lists and document libraries.

Why do most admins prefer AdminDroid over a vast collection of tools?

Most admins prefer the AdminDroid Microsoft 365 reporting tool for the following reasons:

• AdminDroid provides lifetime free access to 120+ Azure AD reports.
• The tool gives a 15-day trial with all premium capabilities, including reporting, scheduling, exporting, alerting, and compliance.
• AdminDroid presents customizable charts and vivid graphs for a crystal-clear understanding of report data.
• In total, the tool offers 1800+ all-inclusive reports and 30+ dashboards on M365 services like MS Teams, Entra ID, SharePoint Online, Exchange Online, OneDrive, and more.

Ready to elevate your M365 admin experience? Download AdminDroid now and streamline comprehensive reporting and management.

In conclusion, I hope that this blog helps you audit downloads in SharePoint Online with comprehensive reports. If you have any questions, feel free to contact us through the comments section. Stay tuned for more updates!