🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
OneDrive for Business

How to Audit User File Access in OneDrive for Business

OneDrive for Business serves as users' personal cloud storage, securely storing every file and folder they create, share, or manage. Failing to implement proper access to files in OneDrive leaves your organization vulnerable to potential data breaches. Therefore, this guide will show you how to audit file access activities in your OneDrive for Business to enhance data security.

Solution 1
Solution 2
Solution 3
Important Tips
Errors and Resolution Steps
FAQs

Using Microsoft 365 Purview Compliance Portal

Microsoft 365 Permission Required
View-only Audit Logs Role Least Privilege
Global Admin Most Privilege
  • Navigate to the Audit section in the Microsoft Purview Compliance portal.
  • Customize the start and end dates as per your requirement.
  • In the Activities – friendly names section, select Accessed file. Then, choose OneDrive in the Workloads field.
  • Hit the Search button. Once the search is completed, you can export the report on OneDrive file accessed by users.
Using Microsoft 365 Purview Compliance Portal
  • Note: By default, the audit logs are retained for 180 days. To keep logs for 1 year, users need either a Microsoft 365 E5 or an E5 Compliance and eDiscovery license with the Audit add-on. To retain the data for 10 years, both the 10-year retention add-on and an E5 license are required.

Using PowerShell Script

Microsoft 365 Permission Required
View-only Audit Logs Role Least Privilege
Global Admin Most Privilege
  • The ‘Search-UnifiedAuditLog’ cmdlet helps you find all the file access activities in your organization. However, it needs additional filtering to focus specifically on OneDrive file access activities.
  • To ease this process, we’ve developed a PowerShell script that seamlessly exports file access activities by users in OneDrive for Business.
  • The script is designed to generate two different file access reports, one for SharePoint Online and another for OneDrive.
  • For OneDrive file access report, execute the script with the parameter -OneDriveOnly as shown below.
  • Windows PowerShell Windows PowerShell 
     ./AuditFileAccess.ps1 -OneDriveOnly
Using PowerShell Script
AuditFileAccess.ps1
  • Note: To get SharePoint Online file access report, simply replace OneDriveOnly with SharePointOnlineOnly parameter.
AdminDroid OneDrive Auditing Tool

Strengthen File Access Oversight with AdminDroid’s OneDrive for Business Monitoring!

AdminDroid’s OneDrive for Business auditing tool provides a one-stop solution for tracking OneDrive file activity by offering detailed reports on file access, file access extended, file previews, file deletions, and more. This helps you gain insights into file usage patterns, user interactions, and potential security risks to maintain better control over your OneDrive environment.

Gain Visibility into OneDrive File Interactions with Activity Trends

Discover trends in OneDrive file activity with the daily active files count report, which includes view, edit, internal and external share counts for seamless access tracking.

Analyze Users’ Active Days through OneDrive File Access

Find inactive users to reclaim licenses or reallocate resources efficiently with the help of users’ last OneDrive file access report.

Keep an Eye on Label Removed OneDrive for Business Files

Monitor sensitivity label removed OneDrive files to identify suspicious activities and proactively prevent unauthorized data sharing.

Transform File Access Governance with File Sharing Insights

Make file access monitoring effortless with users’ OneDrive file/folder sharing activities report to identify when users grant sensitive file access to external users.

Track OneDrive User Activity to Optimize Storage

Check OneDrive activity for a user to identify underutilized OneDrive accounts and adjust storage quotas to match actual needs.

Unleash Vigilance Against Unusual File Deletions in OneDrive

Utilize the AdminDroid’s default alert template for unusual volume of file deletion to get instant alerts about excessive OneDrive file deletion during a specific period.

Overall, AdminDroid’s Microsoft 365 OneDrive management tool provides advanced features to track the file access activities efficiently. Easily track file usage, external sharing, user activities, etc., to enhance data security and prevent potential data loss in your OneDrive for Business environment.

Explore a full range of reporting options
Download Live Demo

Important Tips

Set up an auto-labeling policy to automatically apply sensitivity labels to important files stored in OneDrive and protect them from unauthorized access.

Prevent the spread of infected files by blocking the upload of specific file types in OneDrive and reduce the risk of accidental downloading.

Apply a Conditional Access policy to block unmanaged devices from accessing OneDrive files and mitigate the risk of data breaches.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints when auditing file access in OneDrive for Business.

Error Access Denied Due to organizational policies, you can't access this resource from this network location.

This error occurs when you try to sign in to OneDrive for Business from outside the trusted network boundary.

Fix If you are locked out of OneDrive due to location-based policy, run the diagnostic in the Microsoft 365 admin center. If the test shows you have a network-based location policy that’s locking you out of your tenant, you can disable the policy to regain access.

Error Error with the inputs provided. RequestId:c466fe83-fb3e-4a1c-85e7-e2c419263316; Search duration is too long. Please select a date range less than 6 months.

This error occurs in the audit log search of the Purview portal when the selected date and time range exceeds the 180-day limit.

Fix In the Microsoft Purview Audit (Standard), logs are retained for a maximum of 180 days, so ensure your search falls within this time range.

Error Access Denied Due to organizational policies, you can’t access this resource from this untrusted device.

This error occurs when a user tries to access OneDrive for Business content using an unmanaged device.

Fix To resolve this error, advise users to access OneDrive from devices that managed by the organization or devices authorized for access.

Error ./AuditFileAccess.ps1 cannot be loaded because running scripts is disabled on this system.

This error occurs when the default PowerShell execution policy is set to Restricted, which prevents the execution of scripts.

Fix To resolve this error, use the following cmdlet to change the execution policy to Unrestricted and proceed with running the script. 
Set-ExecutionPolicy –ExecutionPolicy Unrestricted
OneDrive for Business
Frequently Asked Questions

Monitor OneDrive file access metrics to enhance Microsoft 365 data protection!

How to manage file access in OneDrive for Business?
How to find out who made changes to files in OneDrive for Business?
How to block download of shared file from OneDrive?
How to monitor who has access to a specific file in OneDrive for Business?
How to find OneDrive files accessed by external users?
How to store OneDrive files locally on a computer?

1. How to manage file access in OneDrive for Business?

Without proper access controls in OneDrive for Business, sensitive information can easily fall into the wrong hands. This compromises data security and may create uncertainty over who can access critical files. Implementing effective access management measures protects your information and ensures secure collaboration.

View and edit the file access for the OneDrive file

  • Navigate to the OneDrive for Business site and right click on the desired file.
  • Choose Manage access to view all the users and groups who have access to this file.
  • To modify access permission, click on the desired user or group name. However, the file owner’s permissions cannot be modified.
  • Select the Direct Access expander that shows user’s current permission, such as view, edit, etc. Then, click the drop-down to change the user permissions.
  • To restrict file access, select the Remove direct access option and click Apply to save the changes.

Create custom permissions in OneDrive for Business

While OneDrive for Business files inherit parent folder or site permissions by default, you can set unique item-level permissions through these steps.

  • In OneDrive, navigate to Settings»OneDrive settings»More Settings. From there, click "Return to the old Site settings page" and then go to "Site permissions".
  • Select the Permission Levels and click Add a Permission Level. Then, name your custom access level, select the desired permissions, and click Create.

Use custom permission for a file in OneDrive

Assign custom permission at the item level to users or groups based on their roles to prevent unauthorized access.

To set unique permission for a OneDrive file, follow the steps below.

  • Right-click the respective file and select Manage access. Then click the ellipses (...) and choose Advanced settings.
  • Select Stop Inheriting Permissions and then click OK to break the inheritance.
  • Choose Grant Permissions, enter the UPN, and select the appropriate permission level under Show Options.
  • Finally, click Share to grant access to the OneDrive file with custom permissions for those users.

Effortlessly monitor files with unique permissions to optimize file access management in OneDrive!

  • Use AdminDroid’s file/item sharing inheritance broken report with the Inheritance Broken Level filter set to File for quickly spotting files with custom permissions.
  • This enables you to quickly identify any deviations from standard access policies and gain better control over file access oversight.
onedrive-file-inheritence-broken-report

2. How to find out who made changes to files in OneDrive for Business?

In a collaborative workspace, multiple users often work on shared files in OneDrive for Business. While this increases productivity, it also leads to accidental or intentional changes in the data. This can cause misunderstandings and confusion among other team members. By identifying who made the changes, admins can address these issues and enhance collaboration.

The following steps will help you detect the user behind the changes in a shared OneDrive file.

  • Sign in to the Microsoft Purview portal and navigate to Solutions»Audit»Search.
  • Customize the start and end date as per your requirement.
  • In the Workload section, select OneDrive and enter the following operations in the Activities-operation names field. 
    FileCopied, FileDeleted, FileDeletedFirstStageRecycleBin, FileDeletedSecondStageRecycleBin, FileModified, FileMoved, FileVersionsAllMinorsRecycled, FileVersionsAllRecycled, FileVersionRecycled, FileVersionDeleted, FileRecycled, FileRenamed
  • Click Search to start the search.

The result will display all the file change activities along with the user who performed those operations.

all-onedrive-file-activities-audit-search

Transform your OneDrive for Business permission management with AdminDroid’s file activities report!

  • Save time by identifying file changes and responsible users with the All Activities Related to OneDrive Files report instead of native audit logs.
  • A single view of this report presents all activity details such as event time, username, file name & extension, IP address of the user, etc.
all-onedrive-file-activities-report

3. How to block download of shared file from OneDrive?

Are your users sharing sensitive company files on OneDrive without proper download restrictions? Admin must control file distribution to protect organizational data security. One essential way to maintain this control is through blocking download of critical files.

Using SharePoint Online Management Shell:

You can simply restrict users from downloading files in OneDrive for Business with a block download policy using the following steps.

  • Connect to the SharePoint Online Management Shell module using the cmdlet below. 
    Connect-SPOService –Url https://<Tenant>-admin.sharepoint.com
  • Run the following cmdlet to block other users from downloading files from OneDrive. 
    Set-SPOSite –Identity <OneDriveSiteURL> -ExcludeBlockDownloadPolicySiteOwners $true

Before executing the cmdlets, replace the <Tenant> with your domain name and <OneDriveSiteURL> with the user’s OneDrive account URL.

Note: You should have SharePoint Premium license to use the block download policy in both SharePoint Online and OneDrive sites.

Using Microsoft 365 Admin Center:

Follow the steps below to block file downloads when sharing with others.

  • Log in to the Microsoft 365 admin center.
  • Select the user from Users»Active users and navigate to OneDrive tab in their profile, then click on the Create link to files.
  • Once the link has been generated, open the link. Then, right-click on the respective file and choose Share from the options.
  • In the pop-up window, select the ⚙️ (Link settings) next to the Copy link option.
  • Select the type of sharing and then click the drop-down under the More settings.
  • Now, select Can’t download from the list, hit Apply.
  • Add your message and send invite or copy the link to share the file.

If you can’t find the Can’t download option, then first share the file with view permission. Then, follow the steps below to change the permission to Can’t download.

  • Right-click the respective file and select the Manage access. Then click the ellipses (...) and choose Advanced settings.
  • Select the users or groups you want to block download, and then click the Edit User Permissions.
  • Next, select the Restricted View under Permissions, then click OK.

Then, users can only view the files and documents, but they cannot download them.

4. How to monitor who has access to a specific file in OneDrive for Business?

As an admin, you must always prioritize the security of sensitive OneDrive files containing intellectual property or confidential business data. Monitoring who has access to these files is essential for admins to safeguard data integrity and prevent misuse.

Here’s how you can monitor who has access to a specific file in OneDrive for Business and keep track of its activities.

  • Navigate to Solution»Audit»Search in the Microsoft Purview portal.
  • Choose the desired start and end date for your audit search.
  • In the Workload section, select OneDrive. Then, enter FileAccessed in the Activities-operation names field.
  • In the File, folder, or site field, enter the name of the particular file and click Search.

Once the search is complete, you can view detailed access activities for the specific OneDrive file and identify users frequently accessing that specific file.

specific-onedrive-file-access-purview-audit

5. How to find OneDrive files accessed by external users?

When external users access OneDrive files, it creates opportunities for enhanced collaboration but poses security risks if external users' accounts are compromised. Tracking file access by external users is a crucial step for admins to mitigate these security threats effectively.

Monitor external user file access in OneDrive

Using the Audit search in the Purview portal, you can view OneDrive file access history of all users. However, exporting file access activities specifically for external users is not directly possible.

You need to manually filter out the external users' activities from the overall report. This can be tricky and time-consuming because you need to apply multiple filters.

However, you can achieve this by executing our PowerShell script, ‘AuditFileAccess.ps1’, with the -FileAccessedByExternalUsersOnly and -OneDriveOnly parameters.

Unlike Audit search, it retrieves all external users' file access activities directly and exports a CSV file with granular details.

external-user-file-access-onedrive

Gain granular insights into external users’ OneDrive file access with AdminDroid’s customizable external users file/folder access reports!

  • Simply set Workload filter to OneDrive in the external users file and folder access report to export all external users’ file access activities in OneDrive for Business.
  • This report provides a consolidated view of the file accessed location, file extension details, relative file URL, user who accessed file, and more.
external-user-onedrive-file-access-admindroid-report

6. How to store OneDrive files locally on a computer?

As an admin, you manage most OneDrive settings to balance user productivity and resource efficiency. However, when it comes to storing files locally, users also need to do some configurations. Here's what you need to know about managing and guiding users through local storage options.

Files On-Demand

By default, OneDrive's 'Files On-Demand' feature enables users to view online-only files in File Explorer without consuming local storage. These files are accessible like any other file when connected to the Internet. However, if users need offline access to files, you can guide them to adjust this setting.

Turn off 'Files On-Demand' feature

Users can keep their files stored locally by following the steps below to turn off Files On-Demand. However, this downloads all synced files, which can quickly fill up storage space if the content is large.

  • Select the blue cloud icon in the taskbar of Windows laptop/PC.
  • Click the gear icon at the top and then select the Settings.
  • In the OneDrive Settings window, hit the Advanced settings expandable section.
  • Now, click Download all files and hit Continue in the confirmation pop-up.

Use 'Always keep on this device' option

For users requiring offline access to specific files or folders, advise them to use the ‘Always keep on this device’ option. This allows them to save only the files they need on their computer, conserving storage space.

  • Navigate to the OneDrive folder.
  • Select the files and folders to save on local storage.
  • Right-click on them and then select Always keep on this device.

If users no longer need local copies, they can select Free up space to remove them from the device while retaining cloud access.

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs
All Guides 99+
OneDrive for Business
How to Audit User File Access in OneDrive for Business
OneDrive for Business Guides
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo