Monitor Folder Activities in SharePoint Online Using PowerShell

SharePoint and OneDrive folders are essential for keeping organizational data structured and accessible. They facilitate smooth project collaboration and serve as key repositories for various tasks in the organization. With the appropriate permissions, users can create, edit, or delete folders to align with their needs. For admins, it’s crucial to monitor folder activities of both internal and external users in SharePoint to protect sensitive organizational data. In this blog, we will explore how to efficiently track folder activities in both OneDrive and SharePoint.

To track SPO folder activity, you can either use an audit log search or PowerShell.

You can audit folder activities in Microsoft Purview portal by following the steps mentioned below.

1. Sign in to the Microsoft Purview portal.
2. Click on the Audit section.
3. Customize the Start and End date based on requirements.
4. In the ‘Workload’ section, select SharePoint/OneDrive and under ‘Activities’ choose all the Folder activities.
5. Click on Search to audit SharePoint folder activities.

Alternatively, you can execute the Search-UnifiedAuditLog PowerShell cmdlet to audit all the folder activities in the organization.

Drawbacks:

• When using the Microsoft Purview portal, you can audit basic information like username, operation performed, and time of activity. To see advanced details, such as workload, folder URL, site URL, etc., you need to click on each activity.

• The logs retrieved using the ‘Search-UnifiedAuditLog’ cmdlet are returned in JSON format, which is not user-friendly and requires additional parsing, consuming more effort.

These issues make both methods less efficient for tracking folder activities in SharePoint, particularly for large-scale or frequent monitoring. To overcome these difficulties, we have crafted a PowerShell script that efficiently addresses all your specific requirements, saving you time and effort.

Download Script: AuditSPOFolderActivities.ps1

• Tracks the folder activities in SharePoint and OneDrive for the past 180 days.
• Allows to track folder activities for a custom date range.
• Filters folder activities of SharePoint and OneDrive separately.
• Audit folder activities for a single site in SharePoint Online.
• Monitors folder activities for list of sites in SharePoint Online.
• Helps to audit folder activities by a specific user.
• Excludes system activities by default, with an option to include them if required.
• Exports report result into CSV file.
• The script automatically verifies and installs the Exchange Online PowerShell module (if not installed already) upon your confirmation.
• The script can be executed with an MFA-enabled account too.
• The script supports Certificate-based authentication (CBA).
• The script is scheduler friendly.

The script analyzes and exports all folder activities of SharePoint and OneDrive with the following attributes:

• Activity Time
• Activity
• Folder Name
• Performed By
• Folder URL
• Site URL
• Workload
• More Info

The exported ‘SharePoint and OneDrive Folder Activities’ report looks like the screenshot below.

1. Download the script.
2. Start the Windows PowerShell.
3. Select any of the methods provided to execute the script.

Method 1: Execute the script with MFA or non-MFA account.

Running the script will export folder activities of SharePoint and OneDrive in the last 180 days.

Note: It’s also recommended for admins to monitor file activities in SharePoint Online to ensure proper oversight and SharePoint security.

Method 2: Execute the script by explicitly mentioning credentials.

The above method supports only non-MFA accounts. If the admin account has MFA, you need to disable MFA using CA policy to make this work.

Method 3: Execute the script using certificate-based authentication.

To use certificate-based authentication, you must register app in Entra ID which help you connect Exchange Online using certificate. This method is schedular friendly.

Note: Depending on requirements, you can create a self-signed certificate.

The script provides flexible filtering options, allowing you to analyze various scenarios effectively, such as:

• Audit SharePoint and OneDrive folder activities for custom period
• Monitor SharePoint and OneDrive folder activities by a specific user
• Analyze folder activities of a single site in SharePoint Online
• Access SharePoint Online folder activity for multiple sites
• Export SharePoint Online folder activities using PowerShell
• Track folder activities in Microsoft OneDrive
• Get SPO folder activity audit report including system generated events

Monitoring folder activities in SharePoint and OneDrive over the past 180 days offers a broad overview, but sometimes it’s crucial to focus on events within a specific timeframe. Using parameters such as -StartDate and -EndDate enables you to generate a SharePoint Online folder activity report for a custom period.

The above example provides a report on the SharePoint and OneDrive folder activities during the period from Nov 20, 2024, to Nov 30, 2024. Utilizing these parameters, you can generate folder activity report for the last 7 days, 30 days, 90 days, 180 days, or any other required duration.

To monitor folder activities performed by a specific user, use the -PerformedBy parameter. This allows you to focus on the actions of a specific user across SharePoint and OneDrive.

Running this action helps to track folder activities of Rachel in both SharePoint and OneDrive.

Note: You can also monitor files and folders created by external users, helping you identify who is accessing SharePoint Online resources and prevent unauthorized actions.

By default, the script generates a report for folder activities across all SharePoint Online sites. To audit folder activities on a specific site, use the –SiteUrl parameter to narrow the focus to that site.

The above script generates a list of folder activities within a specific site named ‘Test’.

To monitor folder activities across several SharePoint sites, you can use a CSV file with the URLs of the sites you want to track. This allows you to focus on specific sites while generating a consolidated report.

Use the -ImportSitesCsv parameter to load the CSV file and obtain reports for folder activities on each site listed. For example:

The file must follow the format below:

The resulting report will provide detailed folder activity data for each site included in the CSV file, making it easy to audit activities across multiple SharePoint sites.

If admins want to focus only on SharePoint Online folder activities, they can run the script with the -SharePointOnline parameter.

This command generates a report of all folder-related operations performed in SharePoint Online, such as FolderCreated, FolderModified, FolderRenamed, FolderCopied, FolderMoved, FolderDeleted, FolderRecycled, FolderDeletedFirstStageRecycleBin, FolderDeletedSecondStageRecycleBin, and FolderRestored.

Tip: You can also set up SharePoint Online alerts to notify you when new folders are added, existing folders are modified, or folders are deleted from sites.

Monitoring folders extends beyond SharePoint; it’s crucial for OneDrive as well. Tracking OneDrive folder activities helps detect suspicious actions, such as bulk deletions, folder moves, or modifications, which can seriously affect data integrity.

To specifically monitor folder activities in OneDrive, the –OneDrive parameter in the script can be used:

This command generates a comprehensive log of all folder-related actions, such as folder creation, deletion, or modification.

By default, the script exports folder activities in SharePoint and OneDrive while excluding system-generated events. To include these events in the report, use the -IncludeSystemEvent parameter as shown below:

This generates a detailed report that includes both user and system-performed folder activities in SharePoint and OneDrive.

I hope this blog helps you to effectively audit users’ folder activities and improve SharePoint Online security. Drop your queries in the comments section.