Users are given access to files in the organization for various purposes, such as project collaboration, documents sharing, and accessing necessary resources for their roles. Based on the permissions granted, users can perform actions on files and folders such as deletion, download, modifying, and more. While it is essential to provide file access to users, monitoring their activities on the organization’s resources is crucial. Also, admins should track external users’ access to files and their activities to identify unusual behaviors and excessive privilege grants, thereby safeguarding data.
Audit File Activities in SharePoint Online and OneDrive
Monitoring users’ activities on files and folders in SharePoint Online and OneDrive can be done using Microsoft Purview audit log search and the ‘Search-UnifiedAuditLog’ PowerShell cmdlet. These native methods retrieve all file activities, including creation, modification, deletion, file access, permission changes, and more in SharePoint Online and OneDrive.
However, tweaking the results to meet your specific needs can be challenging, as you must navigate to each event to get more detailed information about the activity. To overcome these difficulties, we have crafted a PowerShell script that efficiently addresses all your specific requirements, saving you time and effort.
Script Highlights:
- The script automatically verifies and installs the Exchange Online PowerShell module (if not installed already) upon your confirmation.
- Exports the file & folder usage report for the past 180 days into a CSV file.
- Allows to track file usage for a specific date range.
- Retrieves file activity by a specific user in the organization.
- Retrieves file activities by external or guest users.
- Allows to get file activities in SharePoint Online and OneDrive separately.
- Allows you to get weekly or monthly usage reports effortlessly.
- The script can be executed with an MFA-enabled account too.
- The script supports Certificate-based authentication (CBA).
- The script is scheduler friendly.
Download Script: AuditFileActivities.ps1
Sample Output
The script exports the SPO file usage report with the following attributes:
- Activity Time
- Activity
- File Name
- Performed By
- File Extension
- File URL
- Site URL
- Workload
- More Info
Export File Activities in SharePoint Online – Script Execution Methods
- Download the script.
- Start the Windows PowerShell.
- Select any of the methods provided to execute the script.
Method 1: You can run the script with MFA and non-MFA accounts.
1 |
./AuditFileActivities.ps1 |
The above example lets you export the file activities report in SharePoint Online and OneDrive for the past 180 days into a CSV file.
Method 2: You can explicitly pass credentials (username and password) and execute the script.
1 |
./AuditFileActivities.ps1 -UserName <UPN> -Password <password> |
The above method will work only for non-MFA admin accounts. You can disable MFA for a user via CA policy.
Method 3: You can use certificate-based authentication to run the script.
To do this, you must register the app in Azure AD and the app allows you to connect to EXO with certificate.
1 |
./AuditFileActivities.ps1 -Organization <Domain> -AppId <ClientId> -CertificateThumbPrint <CertThumbPrint> |
You can use either a certificate issued by a recognized certificate authority (CA) or create a self-signed SSL certificate.
Monitor File Activities in SharePoint Online and OneDrive
Utilize the PowerShell script to audit all the file & folder activities by users in SharePoint Online and OneDrive. Therefore, you can identify who access SPO files, unwanted actions performed on sensitive files, excessive privilege grants, unusual activities, and more., to secure the data efficiently. Explore the use cases you can attain using the script below.
- Audit file activities in SharePoint Online and OneDrive
- Retrieve users’ file activities for a specific date range in Microsoft 365
- Track file activities by a specific Microsoft 365 user
- Track file activities in SharePoint Online using PowerShell
- Retrieve file and folder activities in OneDrive
- Audit file usage activity in SPO for past 30 days
- Get a weekly and monthly report on file activities in SPO
1. Audit File Activities in SharePoint Online and OneDrive
Reviewing the file activities done by users in SharePoint Online and OneDrive is crucial to avoid data misuse and secure them. Run the script below to get a list of users’ file activities in Microsoft 365.
1 |
./AuditFileActivities.ps1 |
By referring to the exported report, admins can audit file downloads, modifications, uploads, deletions, etc., in both SharePoint and OneDrive.
Note: Additionally, admins must govern external sharing in OneDrive, monitor anonymous sharing and access, and audit external sharing in SharePoint Online to identify suspicious actions in every nook and corner and safeguard data.
2. Retrieve Users’ File Activities for a Specific Date Range in Microsoft 365
If admins want to monitor recent file activities of users in their organization, i.e., for a custom period, run the script using the ‘-StartDate’ and ‘-EndDate’ parameters as shown below.
1 |
./AuditFileActivities.ps1 -StartDate 07/20/2024 -EndDate 07/30/2024 |
Remember that the date format should be mm/dd/yyyy. The above cmdlet returns the users’ file activities that happened from 20th July 2024 to 30th July 2024.
3. Track File Activities by a Specific Microsoft 365 User
If a user account is found to be compromised or any risky actions detected, monitoring their file activities is essential to safeguard your sensitive data. To identify specific users’ file activities in SPO and OneDrive, run the script with the ‘-PerformedBy’ parameter.
1 |
./AuditFileActivities.ps1 -PerformedBy annie@contoso.com |
The above cmdlet retrieves all the file activities performed by Annie for the past 180 days. Similarly, for retrieving file activity for an external or guest user, replace the username with the respective external/guest username. Thus, you can get activities like files created by external users, file deletions, modifications, downloads, etc.
4. Track File Activities in SharePoint Online Using PowerShell
OneDrive files are users’ personal files in the organization. So, if admins want to focus only on SharePoint Online file activities, they can run the script with the ‘-SharePointOnline’ parameter.
1 |
./AuditFileActivities.ps1 -SharePointOnline |
It displays a list of all the file activities performed in SharePoint Online alone. So, admins can easily audit file deletions, file moves, file downloads, etc., in SharePoint Online.
5. Retrieve File and Folder Activities in OneDrive
If any users are offboarded, admins can grant users’ OneDrive access to other users for backing up the crucial files related to any ongoing projects. Else, you can utilize Microsoft 365 backup for OneDrive accounts to retain the files. Users also share their files with others for review processes and various purposes. Admins might want to monitor file and folder activities performed on OneDrive to identify any suspicious actions. In such cases, they can run the script with the ‘-OneDrive’ parameter, as shown below.
1 |
./AuditFileActivities.ps1 -OneDrive |
The above cmdlet lists all the file and folder activities performed in OneDrive. Admins can also identify if any user downloads or deletes any sensitive files before leaving the organization.
6. Audit File Usage Activity in SPO for Past 30 Days
If admins want to retrieve users’ file activities performed in SharePoint Online for the past 30 days, they can run the script with ‘-SharePointOnline’, ‘-StartDate’, and ‘-EndDate’ parameters as below.
1 |
./AuditFileActivities.ps1 -SharePointOnline –StartDate (Get-date).date.adddays(-30) -EndDate (Get-date).date |
After running the above cmdlet, you will get a list of detailed file usage activities by SharePoint users (i.e., past 30 days).
7. Schedule a Weekly and Monthly Report on File Activities in Microsoft 365
Admins might want to verify the users’ file activities in SharePoint Online and OneDrive on a weekly or monthly basis. In such cases, run the script with ‘-StartDate’ and ‘-EndDate’ parameters.
1 |
./AuditFileActivities.ps1 –Organization <domain> -AppId <ClientId> -CertificateThumbPrint <CertThumbPrint> -StartDate (Get-date).date.adddays(-30) -EndDate (Get-date).date |
The above format retrieves file and folder activities for a month. You can schedule this script to run on the 1st of every month so that the script will retrieve file and folder activities for every month efficiently. You can automate the script using Task Scheduler or using Azure automation and every exported report will be saved in your system.
Similarly, the weekly report can be generated by modifying the StartDate as ‘(Get-date).date.adddays(-7).
Monitor File Activities in SharePoint Online and OneDrive Effectively with AdminDroid
AdminDroid Microsoft 365 auditing tool offers intensive reports on users’ file and folder activities in SharePoint Online and OneDrive. The tool contains the below categories of reports to facilitate admins with in-depth details and appealing charts.
All File & Folder Activities
- File Access & Modification Events
- File Uploads & Downloads
- File Rename & Restore Actions
- Files & Folder deletion from SharePoint
- Files & Folder deletion from First Stage & Second Stage Recycle Bin
- All File Activities by Admins
- Folder Creation & Modification Events
- Folder Rename & Restore Actions
Sharing & Access Events
- All File/Folder Sharing Activities
- Anonymous Link Creation & Access Events
- Anonymous User Activities
- Files Shared by External Users
- File/Folder Accesses by External Users
Similarly, you will get the file activities reports for OneDrive too. These well-structured, in-depth reports let you stay informed about crucial file activities and help you act accordingly. You can also get alerts or schedule the required reports based on your requirements.
Moreover, AdminDroid provides 1900+ reports, 30+ stunning dashboards, and additional interesting features that make your Microsoft 365 management effortless. Download AdminDroid today and start managing your Microsoft 365 environment like never before!
I hope this blog helps you to effectively audit users’ file activities and improve SharePoint Online security. Drop your queries in the comments section. Happy auditing!