mx129
May 19, 2023

Audit for Sharing

What is the best way to search JUST for people who have shared files, links, etc.? Also, is there a job that can be run to perform this daily? We're small (100 users) so we're not talking a ton of data.

Thank you in advance

1 Reply

  • IsmKay

    Hi mx129,

    There are multiple options to achieve what you asked for. I would recommend that you start by looking at Audit Logs. The Audit log contains events from Exchange Online, SharePoint Online, OneDrive for Business, Azure Active Directory, Microsoft Teams, Power BI, and other Microsoft 365 services.
    https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-solutions-overview?view=o365-worldwide 

    However, under OfficeActivity logs you can find, among other things, the information about what is shared with whom “SharingType” & “UserSharedWith”.
    https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-search?view=o365-worldwide#audited-activities 
    Properties of audit log entries are documented on the Microsoft doc site https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-detailed-properties?view=o365-worldwide

    • If you are looking to automate the extraction of such logs, you can use a PowerShell script with the Search-UnifiedAuditLog cmdlet and extract the data into a CSV file
      https://github.com/microsoft/Microsft-Purview-Advanced-Rich-Reports-MPARR-Collector 

    • Or, for this small number of users, you can automate using Logic Apps (or Azure Functions) to extract the logs via the Office Management API.

     

    • You can also make use of Microsoft Defender for Cloud Apps and create a file policy to monitor files being shared with e.g., external domains.
      https://learn.microsoft.com/en-us/defender-cloud-apps/data-protection-policies

    • If you are looking to control who is able to share content with whom, then Microsoft Purview DLP is the way to go. There you can monitor, and even take actions based on specific conditions you specify.

    Thank you and kind regards
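
One way to run the Search-UnifiedAuditLog export mentioned in the reply above as a daily job (an added example, not code from the thread or from the linked MPARR project). The app id, certificate thumbprint, tenant name and output folder are placeholders, app-only certificate sign-in is an assumption, and the operation list is an assumed selection of SharePoint/OneDrive sharing operations.

```powershell
# Added example: export yesterday's sharing events from the unified audit log to CSV.
# Assumptions: ExchangeOnlineManagement module installed; the identity holds an audit-log role;
# '<app-id>', '<cert-thumbprint>', '<tenant>' and C:\AuditReports are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -AppId '<app-id>' -CertificateThumbprint '<cert-thumbprint>' `
    -Organization '<tenant>.onmicrosoft.com' -ShowBanner:$false

$end   = (Get-Date).ToUniversalTime().Date      # midnight UTC today
$start = $end.AddDays(-1)                       # previous full UTC day
$ops   = 'SharingSet','SharingInvitationCreated','AnonymousLinkCreated',
         'CompanyLinkCreated','SecureLinkCreated','AddedToSecureLink'
$sessionId = "sharing-$($start.ToString('yyyyMMdd'))-$([guid]::NewGuid())"

# Page through the results: the same SessionId returns the next batch on each call.
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

# AuditData is a JSON string; keep only who shared what with whom.
$rows = $records | Sort-Object Identity -Unique | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc    = $d.CreationTime
        SharedBy   = $d.UserId
        Operation  = $d.Operation
        Item       = $d.ObjectId
        SharedWith = $d.TargetUserOrGroupName
        TargetType = $d.TargetUserOrGroupType
    }
}

# A day without sharing events produces no file rather than an error.
if ($rows) {
    $out = Join-Path 'C:\AuditReports' "sharing-$($start.ToString('yyyy-MM-dd')).csv"
    $rows | Sort-Object TimeUtc | Export-Csv -Path $out -NoTypeInformation -Encoding UTF8
}
Disconnect-ExchangeOnline -Confirm:$false
```

Scheduled once a day (for example with Task Scheduler), each run covers the previous UTC day, so consecutive runs neither overlap nor leave gaps.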