Filter, Refine, and Report File Sharing Events from the Audit Log

A recent article about auditing file sharing activities in Teams generated some questions. The accompanying script searches for FileUploaded events, which have nothing to do with sharing. SharePoint Online captures FileUploaded events when users create new files in SharePoint sites.

In any case, after reading the article, it makes a case to keep an eye on files uploaded to Teams channels because it’s possible that someone might share information that results in a data leak. It’s a tenuous proposal that only makes sense in a weird sort of way. I am not saying that no one has never uploaded a file to a Teams channel that they shouldn’t have. Some mistakes will happen given that people create billions of files in SharePoint Online daily. But the sheer volume of FileUploaded events created in the unified audit log means that a simple report detailing these events is never going to be valuable. Filtering and analysis are required to extract value.

Most file activity logged by SharePoint Online is innocuous. To find value in the audit log, administrators need to know the data they want to find. As an example, it seems like it would be good to know who shares files from SharePoint Online, both through Teams and the SharePoint browser interface, and who they share the files with (internal and external).

Microsoft documents how to use audit data to track sharing activities. There’s lots of good information in that article to help you understand how SharePoint Online generates the content of the audit events generated to track sharing activities.

Finding File Sharing Events in the Audit Log

When I begin to figure out what audit data might be valuable for investigative purposes, I usually use several accounts to perform the activities I’m interested in (in this case, sharing documents), wait about 30 minutes, and then go through the events that turn up in the audit log. Searching the audit log with a command like this returns SharePoint sharing events. Make sure that the start and end dates are limited to the period when the actions of interest occur:

[array]$Records = Search-UnifiedAuditLog -StartDate '2-Apr-2025 19:00' -EndDate (Get-Date) -Formatted -SessionCommand ReturnLargeSet -ResultSize 5000 -RecordType SharepointSharingOperation

Analyzing the audit data revealed that SharingSet events happen to set up a sharing link. UserExpirationChanged events are also found if the sharing link policy sets expiration dates for sharing links. If you cast the audit net wider and look for other events, you’ll also find Send events logged when SharePoint Online sends notification messages to inform people that someone has shared a file with them.

Filtering File Sharing Events

The audit log is a rich source of information that can be overwhelming because of the amount of logged data. When searching for answers, it’s important to focus. In this instance, I extracted only the SharingSet events and then filtered the returned set to remove sharing events that I wasn’t interested in. These events included:

• Sharing for SharePoint embedded applications such as Loop and Outlook Newsletters.
• Sharing performed by the background app@sharepoint app. For instance, when SharePoint Online shares the recording of a Teams meeting (stored in the OneDrive of the meeting organizer) with meeting participants.
• Sharing set operations to adjust SharePoint lists. When a user shares a document, SharePoint Online adjusts the group that controls access to that item within the site, which results in audit events being logged for groups like “Limited access system group for list.” A Microsoft article covers permission levels and explains what these groups mean.

Essentially, the only sharing events I am interested in are those involving member and guest Entra ID accounts (i.e., humans).

The lesson here is that retrieving a set of events from the audit log seldom delivers useful results. It’s usually the first stage in a process to remove unwanted events to focus on the valuable information.

Parsing and Reporting Sharing Audit Events

The next step is to parse the information contained in the remaining audit events to answer the questions who shared what with whom and what level of access did they grant? Most of this information is hidden in plain sight in the AuditData property of audit events. The data must be extracted, cleaned up, and enhanced.

For example, if your organization uses sensitivity labels to protect files (and you should), the audit events note the GUID of the label applied to the shared file and the GUID of the label applied to the host site (container management label). Resolving the GUIDs to label names makes this information more accessible. Knowing that a shared file has a sensitivity that will block unauthorized access is always a nice feeling.

The result is a report of file sharing events (Figure 1) that answers the question of who shared files from SharePoint Online with whom and what access was granted.

In addition, because the script extracts the email addresses of sharees, you can analyze the volume of sharing to external domains:

$AuditReport | Group-Object TargetDomain -NoElement | Sort-Object Count -Descending | Format-Table Name, Count

Name                        Count
----                        -----
microsoft.com                  11
o365maestro.onmicrosoft.com     4
contoso.com                     2
proton.me                       1

Report File Sharing Events to Meet Your Requirements

Like anything published on the internet, the script (available from GitHub) might or might not satisfy your requirements. But it’s PowerShell, so you can change the code to meet your needs. I used the Graph AuditLog Query API to retrieve audit data. The same data is available by running the Search-UnifiedAuditLog cmdlet.

The takeaway is that real value is seldom extracted from audit logs without some additional processing to refine, filter, and interpret the information. Articles that merely extract and report audit data don’t add much value because they don’t tell the full story and reveal the actionable data that administrators need.

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.