🎉 Our Microsoft 365 Reporting & Management Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
OneDrive

How to Export OneDrive File Activity Report in Microsoft 365

OneDrive for Business is a cloud-based service that allows users to store, share, and collaborate on personal or work-related files and folders. However, when activities such as file uploads, deletions, and sharing go unnoticed, organizations may face risks such as data leaks, unauthorized access, or compliance setbacks. This guide explains how to audit OneDrive file activities to build a more secure cloud environment.

Solution 1
Solution 2
Solution 3
Solution 4
Important Tips
Errors and Resolution Steps
FAQs

List All OneDrive File Activities Using Microsoft Purview Portal

Microsoft 365 Permission Required
View-Only Audit Logs role Least Privilege
Global Admin Most Privilege
  • Navigate to the Audit page in the Microsoft Purview portal.
  • Set the Date and time range as per your requirements.
  • Next, set the Record Types to SharePointFileOperation and the Workloads to OneDrive.
  • Click Search and wait for the search to complete.
  • Once the search is complete, click on the result to view all file and folder activities that occurred in OneDrive during the selected date range.
  • Use the Export option to download the report in CSV format.
List All OneDrive File Activities Using Microsoft Purview Portal

Note: In the Microsoft Purview portal, you cannot filter specifically for OneDrive file activities only.

Get All OneDrive File Activities Using PowerShell

Microsoft 365 Permission Required
View-Only Audit Logs role Least Privilege
Global Admin Most Privilege
  • While the Microsoft Purview portal displays both file and folder activities, PowerShell lets you filter and view only file-level actions in Microsoft OneDrive for more focused auditing.
  • To do so, first, connect to the Exchange Online PowerShell module.
  • Windows PowerShell Windows PowerShell 
     Connect-ExchangeOnline
  • Run the following cmdlet, replacing <YYYY-MM-DD> with the appropriate start and end dates to retrieve a report of all OneDrive file operations.
  • Windows PowerShell Windows PowerShell 
     Search-UnifiedAuditLog -StartDate "<YYYY-MM-DD>" -EndDate "<YYYY-MM-DD>" -RecordType SharePointFileOperation -ResultSize 5000 |
ForEach-Object {
	$data = $_.AuditData | ConvertFrom-Json
	if ($data.Workload -eq "OneDrive" -and $data.ItemType -eq "File") {
	  [PSCustomObject]@{
		CreationTime = $data.CreationTime
		UserId       = $data.UserId
		FileName     = [System.IO.Path]::GetFileName($data.ObjectId)
		Operation    = $data.Operation
		ObjectId     = $data.ObjectId
	  }
	}
} | Format-Table -AutoSize
  • The execution displays all OneDrive file activities with details such as file name, activity time, user ID, operation type, and object ID.
Get All OneDrive File Activities Using PowerShell

Export All OneDrive File Activities Report Using PowerShell Script

Microsoft 365 Permission Required
View-Only Audit Logs role Least Privilege
Global Admin Most Privilege
  • The above ‘Search-UnifiedAuditLog’ cmdlet helps identify all OneDrive file activities across your organization. However, it lacks detailed information and requires complex filtering to retrieve them.
  • To overcome this, we have developed a custom PowerShell script that seamlessly exports user file activities in OneDrive for Business with additional details.
  • The script is designed to generate file activity reports for both SharePoint Online and OneDrive.
  • To generate a OneDrive file operations report, download and run the script using the -OneDrive parameter as shown below.
  • Windows PowerShell Windows PowerShell 
     ./AuditFileActivities.ps1 -OneDrive -StartDate "<YYYY-MM-DD>" -EndDate "<YYYY-MM-DD>"
  • The exported CSV file includes detailed OneDrive file activity information, such as activity time, activity type, file name, user who performed the action, file extension, file URL, site URL, and more.
Export All OneDrive File Activities Report Using PowerShell Script
AuditFileActivities.ps1
AdminDroid OneDrive Auditing Tool

Gain Better Control with Deeper Visibility into OneDrive File Activities!

AdminDroid’s OneDrive auditing tool offers a comprehensive solution for tracking file activities, enriched with visual insights and advanced filtering options. This empowers you to gain deep visibility into usage patterns, user behavior, and potential security risks for enhanced data protection management.

Review OneDrive Retention Policies

Stay updated on OneDrive retention policy changes to ensure that important user files remain revocable after accidental or premature deletions.

Audit OneDrive Folder Activities to Keep Files Safe

Audit folder activities in OneDrive to identify patterns such as folder access, unusual sharing behaviors, and risks like the mass deletion of nested files triggered by folder-level actions.

Inspect DLP Deployment in OneDrive

Check all DLP rule matches in OneDrive files, with details such as the operation name, file name, and policy to ensure the protection of sensitive files.

Examine OneDrive Access Restriction Policy Updates

Stay up to date on OneDrive access restriction changes to quickly identify misconfigurations, understand modified settings, and control access to organizational files.

Analyze OneDrive Anonymous Link Activity

Review all OneDrive events related to anonymous links to track their creation, access, updates, etc., so you can prevent unauthorized file exposure and enforce sharing policies.

Assess Daily Active File Counts in OneDrive

Leverage the daily active OneDrive file count report to gain date-wise insights into active files, overall content utilization, and usage patterns across your organization.

In essence, AdminDroid’s OneDrive management tool offers comprehensive insights into all file activities including file sharing, deletion, modification, etc., across your OneDrive environment. The tool enables effective governance and management to help mitigate the risk of data within your OneDrive for Business ecosystem.

Explore a full range of reporting options
Download Live Demo

Important Tips

Use information barriers in M365 to restrict OneDrive file sharing between user segments based on attributes such as department, location, or group membership.

Set up a Microsoft 365 backup policy for OneDrive to protect selected user data and ensure recovery in case of accidental deletion, corruption, or ransomware attacks.

Enable Safe Attachments in Microsoft 365 to scan files, block malicious content, and analyze suspicious files, thereby establishing a more secure OneDrive environment.

Common Errors and Resolution Steps

Here are some common errors and troubleshooting tips when auditing file activities in OneDrive for Business.

Error The term 'Search-UnifiedAuditLog' is not recognized as a name of a cmdlet, function, script file, or executable program.

This error occurs when the Exchange Online PowerShell module is not installed or imported before establishing a connection.

Fix Install and import the module using the following PowerShell cmdlets, then proceed to connect to Exchange Online. 
Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement

Error Cannot process argument transformation on parameter 'EndDate'. Cannot convert value "24-06-2025" to type "System.DateTime". Error: "String '24-06-2025' was not recognized as a valid DateTime".

This error occurs when executing the PowerShell script using a date format that is either unsupported or does not match your system’s regional settings.

Fix Change the date format in the cmdlet to match your system’s regional settings or use a universally accepted format like 'YYYY-MM-DD'.

Error ./AuditFileActivities.ps1 cannot be loaded because running scripts is disabled on this system.

This error occurs when Windows PowerShell blocks the execution of the script due to security restrictions.

Fix To resolve this error, temporarily set the execution policy to bypass the restriction using the following cmdlet. 
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process

Error Microsoft.Office.Compliance.Audit``.DataServiceException: Tenant <tenantID> does not exist.

This error typically occurs when you’re using the Office 365 Management Activity API because unified auditing is not enabled in your Microsoft 365 tenant.

Fix Enable audit logging in your Microsoft 365 tenant to resolve the error. 
# Check if unified audit logging is enabled
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
# Enable unified audit logging if it’s disabled
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Error Purview audit search returns no results via the portal or the Search-UnifiedAuditLog cmdlet.

This issue occurs when there is no matching audit data within the specified date range or when audit logging is not enabled for the organization.

Fix Ensure the selected date range contains audit data. Also, verify that the unified audit logging is enabled for your organization.

1. What are the best practices for file sharing in OneDrive for advanced security?

OneDrive makes it easy to share files and collaborate, both inside and outside your organization. However, this convenience brings risks such as data leaks, compliance violations, or security breaches.

Disabling sharing entirely might seem like a safe option, but it can undermine OneDrive’s core purpose of enabling seamless collaboration. As both a user and an admin, you should follow security best practices to control sharing without compromising productivity. Here are the key practices:

Limit sharing settings in OneDrive

  • Share with only required permissions: Share files with view or edit permissions strictly based on the recipient’s needs.
  • Avoid broad access links: Avoid using "Anyone" links and prefer "Specific people" or "organization" links unless necessary to maintain tighter control.
  • Limit external sharing access: Restrict external sharing in OneDrive to approved domains only, and limit sharing behaviour to specific groups to ensure stricter management of shared content.

Restrict OneDrive file access with additional controls

  • Require passwords for shared links: Protect sharing links with passwords to prevent unauthorized access.
  • Set link expiration dates: Add an expiry date to shared OneDrive links so they stop working after a defined time.
  • Implement DLP policies: Apply DLP policies to prevent sharing of OneDrive files that contain sensitive or regulated data.

Govern access and monitor file sharing in OneDrive

  • Enable OneDrive file activity notifications: Turn on OneDrive file activity notifications to alert users about file activity, quickly spot unusual access, and improve data security.
  • Review OneDrive activity reports: Assess vital OneDrive activity reports to track file sharing, access activities, and storage usage trends across the organization.
  • Monitor site collection admins: Regularly review admin roles for each OneDrive site to prevent privilege misuse, which can lead to unauthorized access.

2. How to disable external sharing in OneDrive for Business?

As an admin, are you confident that sensitive documents aren’t being shared with unauthorized users? One effective way to ensure this is by limiting or disabling external sharing, which reduces external risks and gives you greater control over your organization's data.

Warning: If you re-enable external sharing later, external users may regain access to files they previously had access to. To avoid this, disable external sharing on each important file first, before re-enabling it at the organization, site, or group level.

Disable external sharing for the entire organization

  • In the SharePoint admin center, navigate to Policies»Sharing.
  • Under the External sharing section, set the OneDrive slider to ‘Only people in your organization’.
  • Once it’s disabled at the organization level, all external sharing links stop working, and external users lose access to previously shared content within about an hour.
disable-external-sharing-organization

Pro Tip: Utilize the Limit external sharing by domain option found under More external sharing settings to restrict sharing with specific domains. Use the Add domains option to configure allow or block lists as needed.

Disable external sharing for a specific user’s OneDrive

  • Sign in to the Microsoft 365 admin center, go to Users»Active Users and select the user you want to restrict.
  • In the flyout pane, navigate to the OneDrive tab, locate the Sharing section and click Manage external sharing.
  • Then, uncheck the box ‘Let people outside your organization access your site’ and click Save.
disable-external-sharing-user

Limit external sharing to specific security groups

  • Navigate to Policies»Sharing»External sharing in the SPO admin center.
  • Click More external sharing settings, then check 'Allow only users in specific security groups to share externally' check box.
  • Select  Manage security groups, then use the Add a security group box to search and select the groups allowed to share externally.
  • And finally, click the Save option.
limit-external-sharing-security-groups

Note: You can only select up to 12 security groups to allow external sharing in SharePoint and OneDrive.

3. How to view OneDrive file sharing reports in Microsoft 365?

Ever wondered who's sharing your organization's OneDrive files and whether it's being done securely? With OneDrive sharing reports, you can instantly identify risky sharing behavior and take action to protect your data.

Run sharing report on OneDrive for Business

  • In OneDrive, navigate to Settings»OneDrive settings»More settings, then click Run sharing report and choose a destination to save the report.
  • Wait for the report to generate, then go to the selected destination to access it.
  • The report shows how sharing is used across your organization and provides detailed information on shared files, folders, guests, and their permissions.
run-sharing-report-onedrive-for-business

Note: This method helps you retrieve the sharing report for individual sites. However, to get all other sharing reports, you need to navigate through each user’s site, and you must have access to them.

Get a report on file sharing links in OneDrive for entire organization

  • Establish a connection to Microsoft Graph PowerShell using a certificate.
  • Then, run the following cmdlet to export the sharing report for all OneDrive user sites. 
    $OneDriveFileSharingReport = @()
$sites = Get-MgSite -All | Where-Object { $_.SiteCollection.Hostname -like "*-my.sharepoint.com" }
foreach ($site in $sites) {
	$drive = Get-MgSiteDrive -SiteId $site.Id -ErrorAction SilentlyContinue | 
	Where-Object { $_.Name -eq "OneDrive" }
	if ($drive) {
		$stack = New-Object System.Collections.Generic.Queue[string]; $stack.Enqueue("root")
		while ($stack.Count -gt 0) {
			$items = Get-MgDriveItemChild -DriveId $drive.Id -DriveItemId $stack.Dequeue() -All -ErrorAction SilentlyContinue
			foreach ($item in $items) {
				if ($item.Folder) { $stack.Enqueue($item.Id)}
				Get-MgDriveItemPermission -DriveId $drive.Id -DriveItemId $item.Id | 
				Where-Object { $_.Link.Scope } | ForEach-Object {
				 $report += [PSCustomObject]@{
					UserSite   = $site.Name; FileName   = $item.Name
					LinkType   = $_.Link.Type; LinkScope  = $_.Link.Scope
					Url        = $item.WebUrl; SharedLink = $_.Link.WebUrl
					ExpiryDate = $_.ExpirationDateTime
				 }}}}}}
$OneDriveFileSharingReport | 
Export-Csv -Path "<FilePath>/<FileName>.csv" -NoTypeInformation
get-report-onedrive-file-sharing-organization

Tired of exporting traditional CSV reports? Switch to AdminDroid for real-time sharing insights!

  • The files and all sharing links report, provides a detailed view of file sharing activity across all user OneDrive sites, with advanced visuals and customization options.
  • It offers detailed insights into user or group specific unique permissions, filenames, site URLs, link web URLs, sharing link types, permission levels, parent paths, and more.
files-all-sharing-links-admindroid

4. How to detect and overcome OneDrive files affected by malware?

The most effective way to detect and combat malware in OneDrive files is by combining automated alerts with manual file inspections. This approach enables timely detection and thorough resolution of potential threats.

Set up an alert for malware detected files using Microsoft Defender

  • In the Microsoft Defender portal, go to Email & collaboration»Policies & rules»Alert policy.
  • Click New Alert Policy, enter a name, and select the desired severity level using the Severity drop-down and Set Category to Threat management and click Next.
  • In the Activity is box, select an activity Detected malware in file.
  • Under 'How do you want the alert to be triggered?', choose Every time an activity matches the rule, then click Next.
  • In the Email recipients box, select the users who should receive alert notifications. From the Daily notification limit dropdown, set the desired notification limit. Then, click Next.
  • In the Review your settings tab, under Do you want to turn the policy on right away?, choose the appropriate option. Review all your configurations, click Submit, then click Done.
set-alert-malware-detected-files-microsoft-defender
review-alert-malware-detected-files-microsoft-defender

Note: The Microsoft Defender portal lacks the ability to configure a dedicated alert policy exclusively for OneDrive.

To tackle this, AdminDroid provides an easy way to trigger alerts to Teams or Outlook when malware is detected, especially in OneDrive.

  • The malware-detected file list report in OneDrive helps quickly identify infected files, along with details such as detection time, detected file, malware name, source relative path, site URL, and more.
  • Click the bell icon in the report to set up alert policies based on your needs. This helps you quickly assess the impact of potential threats and respond promptly.
alert-malware-detected-file-onedrive-admindroid

Recover malware-infected files in OneDrive

  • If an existing file is affected, OneDrive users can recover it by reviewing the version history and restoring a previous version through each file’s version history option.
  • If a newly uploaded file is detected as malware, it must be manually deleted.

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs
All Guides 99+
OneDrive
How to Export OneDrive File Activity Report in Microsoft 365
OneDrive Guides
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo