Forum Discussion
Solved
Shared files of former employees
It seems that files that have been shared from OneDrive by former employees (whose accounts have been disabled, not deleted) are still shared and accessible by those with whom the files were shared. ...
- The problem with Chris's method is that you are restricted to the timeframe of the audit log. Which depending on license will only be up to a year in most cases. You'll want to leverage DLP content searches in this case: https://docs.microsoft.com/en-us/office365/securitycompliance/keyword-queries-and-search-conditions?redirectSourcePath=%252fen-us%252farticle%252fkeyword-queries-and-search-conditions-for-content-search-c4639c2e-7223-4302-8e0d-b6e10f1c3be3
SharedWithUsersOWSUser (internal) or the ViewableByExternalUsers (external) keywords is what you want to look into. Then you can scan that onedrive URL for these and you should get the content that is shared.
The problem with Chris's method is that you are restricted to the timeframe of the audit log. Which depending on license will only be up to a year in most cases. You'll want to leverage DLP content searches in this case: https://docs.microsoft.com/en-us/office365/securitycompliance/keyword-queries-and-search-conditions?redirectSourcePath=%252fen-us%252farticle%252fkeyword-queries-and-search-conditions-for-content-search-c4639c2e-7223-4302-8e0d-b6e10f1c3be3
SharedWithUsersOWSUser (internal) or the ViewableByExternalUsers (external) keywords is what you want to look into. Then you can scan that onedrive URL for these and you should get the content that is shared.
SharedWithUsersOWSUser (internal) or the ViewableByExternalUsers (external) keywords is what you want to look into. Then you can scan that onedrive URL for these and you should get the content that is shared.