SharePoint Online

How to Audit Who Granted OneDrive Access to Others in Microsoft 365

Did you know users can share their entire OneDrive without any access restrictions? Permissions granted to unauthorized users can lead to sensitive information being exposed. That’s why it’s essential to monitor OneDrive access and track who granted it. In this guide, we’ll show you how to identify who granted OneDrive access to another user in Microsoft 365.

Using Microsoft Purview Portal

Microsoft 365 Permission Required

View-only Audit Logs Role Least Privilege

Global Admin Most Privilege

Log in to the Microsoft 365 Purview portal and navigate to the Audit section.
Customize the start and end date as per your requirement.
Now, select Added site collection admin from the Activities - friendly names dropdown and choose OneDrive from the Workloads section.
Click on Search. Once the search is completed, you can view all the added site collection admins.
Use the Export option in the results to download the added site collection admin report as a CSV file.

Using Windows PowerShell

Microsoft 365 Permission Required

View-only Audit Logs Role Least Privilege

Global Admin Most Privilege

Connect to the Exchange Online management shell using the below cmdlet.
Windows PowerShell
```
 Connect-ExchangeOnline
```
Run the below cmdlet to find who granted OneDrive access with other users in Microsoft365.

Windows PowerShell

 Search-UnifiedAuditLog -StartDate "mm/dd/yyyy" -EndDate "mm/dd/yyyy" -Operations "SiteCollectionAdminAdded" | Where-Object {($_.AuditData | ConvertFrom-Json).Workload -eq 'OneDrive'} |
ForEach-Object {$data = $_.AuditData | ConvertFrom-Json
[PSCustomObject]@{ 
'Creation Time' =     $data.CreationTime 
'Added User'=    $data.TargetUserOrGroupName 
'URL'   = $data.ObjectId 
'Added By'  = $data.UserId 
}} | Format-Table -AutoSize

Executing the above cmdlet retrieves OneDrive access granted in Microsoft 365, showing who granted access, who received it, and the associated URL.

Using AdminDroid
Simple & Quick

AdminDroid Permission Required Delegated

Any user with report access delegated by the Super Admin.

Log in to the AdminDroid Office 365 portal.
Navigate to the OneDrive Site Collection Admin Added report under Audit»OneDrive» Administrative Changes»Admin Added.

AdminDroid Microsoft 365 OneDrive Reporting

Ensure secure collaboration with OneDrive access tracking and advanced activity reports!

AdminDroid’s OneDrive reporting tool simplifies tracking OneDrive access management. The reports provide insights into who granted access to files, folders, or an entire OneDrive, the permissions assigned, and how resources are shared. This ensures optimal control over your data.

Track All Your OneDrive Folder Activity with AdminDroid

Use the all activities related to OneDrive folder report to audit folder access with detailed insights and detect unauthorized changes promptly.

Verify OneDrive Access Removal with AdminDroid’s Report

Utilize OneDrive site collection admin removed report from AdminDroid to confirm that the access granted has been revoked promptly after collaboration ends.

Monitor All OneDrive and Site Permission Level Added

With the help of AdminDroid's permission levels added report, you can keep track of permissions on your OneDrive site and avoid unnecessary access that could lead to file deletions or modifications.

Automate Report Generation for Granted OneDrive Access

Use AdminDroid's scheduling feature to automate reports on OneDrive access granted to others. This enables you to receive timely updates and perform regular monitoring without manual intervention.

Get a Summary of All OneDrive File Changes Activity

Monitor all activities related to OneDrive files to ensure accountability, improve collaboration, and reduce risks of data loss or unauthorized changes.

Stay Informed About New Group Members

The members added to OneDrive group report allow you to easily track when new members joined your OneDrive access granted group. This helps you quickly revoke permissions if you spot any unauthorized access.

In conclusion, AdminDroid’s OneDrive management tool offers a comprehensive solution to track OneDrive sharing activities. It provides detailed reports on access permissions, file creation, and sharing activities, to ensure complete visibility. Additionally, it keeps you informed by generating proactive alerts, to stay ahead of potential issues and maintain control with ease.

Explore a full range of reporting options

Download Live Demo

Important Tips

Before granting OneDrive access to another user, enforce a retention policy to ensure that any unauthorized file deletions are preserved in the preservation hold library of OneDrive.

When granting temporary access to others in OneDrive, ensure you revoke their access promptly after the task is completed to maintain data security.

Instead of granting full access to your OneDrive, share only the specific file or folder needed to avoid oversharing and enhance security.

Common Errors and Resolution Steps

The following are the potential errors and troubleshooting hints while auditing who granted OneDrive access in Microsoft 365.

Error Cannot bind argument to parameter ‘site’ because it is null.

This error occurs when the value for target OneDrive site is left empty.

Fix Ensure that the entered ‘Target User’s UPN’ (User Principal Name) is correct and check if the $targetSite variable is being populated correctly.

Error Connect-SPOService : Could not connect to SharePoint Online.

This error occurs when invalid credentials are provided or if your account lacks the necessary admin permissions to connect to SharePoint Online.

Fix Ensure you are using the correct credentials with the necessary permissions, such as SharePoint Administrator or another high-privileged role.

Error The term 'Search-UnifiedAuditLog' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This error occurs while executing the Search-UnifiedAuditLog cmdlet without connecting to the Exchange Online PowerShell module.

Fix Before running the ‘Search-UnifiedAuditLog' cmdlet, first connect to the Exchange Online PowerShell module.

Connect-ExchangeOnline

Error Cannot Process argument transformation on parameter EndDate Microsoft.Exchange.ExchangeSystem.ExDateTime. “String 10/12/2024” was not recognized as a valid Datetime. Cannot convert value to type.

This error occurs when the date is entered in an incorrect format while using 'Search-unifiedauditlog' cmdlet, preventing PowerShell from converting the string '10/12/2024' into a valid DateTime object.

Fix Always use a consistent and recognized date format, such as "MM/DD/YYYY", to ensure correct interpretation by PowerShell.

Error Search duration is too long. Please select a date range of less than 6 months.

This error will occur in the audit log search of the Purview portal if the selected date and time range exceed the limit.

Fix In Microsoft Purview Audit (Standard), logs can be retained for a maximum of 180 days. So, you need to give a time range within this period.

Error Remove-SPOUser : Attempted to perform an unauthorized operation.

This error occurs when your account lacks the necessary admin permissions to connect to SharePoint Online.

Fix Ensure you are using the correct credentials with the necessary permissions, such as SharePoint Administrator or another high-privileged role.

OneDrive

Frequently Asked Questions

Manage OneDrive Access in Microsoft 365 Efficiently for Secure Collaboration

How a user can grant access to OneDrive without involving an admin?

Sharing OneDrive access is helpful during the absence of the primary user, such as during vacations or emergencies. It ensures teamwork and workflows continue smoothly without admin help, as users can easily share their entire OneDrive.

Other users will get access to your OneDrive when a user is given site collection administrator rights. To do so, follow the steps below.

Log in to the OneDrive with your Microsoft 365 account credentials.
Click the Settings (⚙️) icon in the top-right corner and select OneDrive settings.
In the left pane, select the More Settings tab and click on Site Collection Administrators under the Manage Access section. Here, you can see the existing site collection administrators present in your OneDrive.
Enter the User Principal Name (UPN) of the user(s) you want to add in the Site Collection Administrators box, then click OK.
Share the link to your OneDrive with the user(s) you have granted access to.

Similarly, users can revoke other's access by excluding them from the site collection administrators.

Note: Users can remove any site collection administrator from their OneDrive, regardless of whether they were added by another user or an admin.

How can admins access another user's OneDrive in Microsoft 365?

An admin can access a user’s OneDrive without consent during situations like employee deprovisioning or emergencies to ensure important files remain accessible. Once accessed, the admin can download the files or move them to their own OneDrive. This ensures critical data is always available when needed.

Steps to access a user's OneDrive using the Microsoft 365 Admin Center

Log in to the Microsoft 365 admin center and navigate to the Users»Active Users.
Click on the user whose OneDrive you want to access and go to the OneDrive tab in the flyout pane.
Under the Get access to files section, click Create link to files and use the generated link to access the user's OneDrive.

Note: The link created will work only for the global admin who generated it. This method should be used only in rare cases and is generally not encouraged.

How admins can grant OneDrive access to bulk users in Microsoft 365?

When multiple users need access to OneDrive for cross-team collaborations or shared projects, administrators can use group-based access. They can grant access to multiple users in bulk to streamline management.

Grant OneDrive access to multiple users using the SharePoint Admin Center

Log in to the SharePoint admin center, go to the More features tab, and click Open under the User profiles category.
Under the People tab, select Manage User Profiles.
In the Find profiles text box, enter the name or User Principal Name (UPN) of the user whose OneDrive needs to be accessed by others, and click Find.
On the search results, click the appropriate user and select Manage site collection owners from the dropdown.
Add the users or group you want to grant access to in the Site Collection Administrators field and click OK.
Then, choose the Manage Personal Site option for the corresponding user, which will redirect to their OneDrive page. From there, copy the site's URL and share it with the users assigned as the site collection administrators.

Note: Add site admins only to the Site Collection Administrators field. Avoid making any changes to the Primary Site Collection Administrator field, as it may result in the respective user losing access.

bulk-onedrive-access-grant-user-addition

Grant OneDrive access to another user using PowerShell

To grant OneDrive access, first connect to the SharePoint Online Management Shell using the below cmdlet.

Connect-SPOService -Url "<AdminCenterURL>"

Next, run the script below, replacing “<Target User's UPN>” with the UPN of the user whose OneDrive needs to be shared, and "<email@example.com>" with the site collection administrators to whom you want to grant access.

$targetSite = Get-SPOsite -IncludePersonalSite $true -Filter "Owner -eq <Target User's UPN>" | Where-Object { $_.Url -like "*/personal/*"}
$userEmails = @("<email1@example.com>", "<email1@example.com>")
foreach ($userEmail in $userEmails) {Set-SPOUser -Site $targetSite.Url -LoginName $userEmail -IsSiteCollectionAdmin $true}

Similarly, to revoke admin access to a user's OneDrive, execute the code snippet below.

$targetSite = Get-SPOsite -IncludePersonalSite $true -Filter "Owner -eq <Target User's UPN>" | Where-Object { $_.Url -like "*/personal/*"}
$userEmails = @("<email1@example.com>", "<email2@example.com>")
foreach ($userEmail in $userEmails) {Remove-SPOUser -Site $targetSite.Url -LoginName $userEmail}

How to set up an alert for notifications when OneDrive access is granted to another user?

OneDrive for Business is a secure platform for storing and sharing files, used for tasks like file management, projects, and data recovery. However, granting full access can expose sensitive data, as recipients can modify, delete, or share files without oversight.

That’s why setting up alerts when OneDrive access is granted helps maintain accountability and protect data by identifying unauthorized activities.

Configure an Alert Policy for Site Collection Admin Addition

Log in to the Microsoft Defender portal and navigate to Email & Collaboration»Policies & Rules»Alert Policy.
Click New alert policy and name the policy.
From the Severity dropdown, Choose the severity level based on your requirements.
From the Category dropdown, select Threat management from the Activities field.
In the Activity is box, Select an activity Added site collection admin.
Under the How do you want the alert to be triggered?, choose Every time an activity matches the rule and Click Next.
In the Email recipients box, select the users want to get notified when the alert triggered. From Daily notification limit dropdown, set the desired notification limit. Then, click Next.
In the Review your settings tab, under Do you want to turn the policy on right away?, choose the appropriate option based on your needs. Review all your configuration, then click Submit and hit Done.

To address this, AdminDroid provides a policy template that triggers alerts when OneDrive access is granted to another user.

This template ensures that alerts are triggered exclusively for OneDrive access and eliminates unnecessary notifications related to SharePoint site access.
Additionally, AdminDroid’s threat management alert report categorizes all alerts generated by Microsoft 365, making it easier to analyse them without feeling overwhelmed.