Entra / Microsoft 365 · Compliance & audit

Report sharing audit events

Example of extracting details of sharing events from the audit log to see what's going on.

Connect & set up

Run these once per session. All scopes are read-only unless the script makes changes.

Connect-ExchangeOnline -SkipLoadingCmdletHelp

Run it

The main script. Copy it, or download the .ps1 and run it from your console.

param(
    [int] $LookbackDays = 30
)
 
$Modules = Get-Module | Select-Object -ExpandProperty Name
If ("ExchangeOnlineManagement" -notin $Modules) {
    Write-Host "Loading Exchange Online Management module"
    Connect-ExchangeOnline -SkipLoadingCmdletHelp
}
 
[array]$Operations = "SharingSet", "SecureLinkUsed", "SecureLinkCreated", "CompanyLinkCreated", "CompanyLinkUsed", "AnonymousLinkCreated"
[array]$Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date).AddDays(+1) `
   -Operations $Operations -ResultSize 2000 -Formatted -SessionCommand ReturnLargeSet
If (!($Records)) {
     Write-Host "No audit events for sharing found"
     Break
 }
$Records = $Records | Sort-Object Identity -Unique | Sort-Object { $_.CreationDate -as [datetime]} -Descending
$Organization = Get-OrganizationConfig | Select-Object -ExpandProperty DisplayName
$Report = [System.Collections.Generic.List[Object]]::new()
 
ForEach ($Rec in $Records) {
    $AuditData = ConvertFrom-Json $Rec.AuditData
    $EventData = $null; $SharingTarget = $null
    Switch ($AuditData.Operation) {
        "SecureLinkCreated" {
            $File = $AuditData.SourceFileName
            $URL = $AuditData.ObjectId
            $EventData = $AuditData.EventData
            $LinkType = "Secure link"
        }
        "SharingSet" {
            If ($Rec.UserIds -eq "app@sharepoint") {
                $File = "Teams Meeting Recording"
            } Else {
                $File = $AuditData.SourceFileName
            }
            $URL = $AuditData.ObjectId
            $EventData = $AuditData.EventData
            $LinkType = "Secure link"
            $SharingTarget = $AuditData.TargetUserOrGroupName
        }
        "SecureLinkUsed" {
            $File = $AuditData.SourceFileName
            $URL = $AuditData.ObjectId
            $SharingTarget = $AuditData.UserId
            $LinkType = "Secure link"
        }
        "CompanyLinkCreated" {
            $File = $AuditData.SourceFileName
            $URL = $AuditData.ObjectId
            $EventData = $AuditData.EventData
            $LinkType = "Company link"
            $SharingTarget = $Organization
        }
        "CompanyLinkUsed" {
            $File = $AuditData.SourceFileName
            $URL = $AuditData.ObjectId
            $SharingTarget = $AuditData.UserId
            $LinkType = "Company link"
        }
        "AnonymousLinkCreated" {
            $File = $AuditData.SourceFileName
            $URL = $AuditData.ObjectId
            $EventData = $AuditData.EventData
            $LinkType = "Anonymous link"
        }
    }
 
    $ReportLine = [PSCustomObject]@{
        CreationDate    = (Get-Date $Rec.CreationDate -format "dd-MMM-yyyy HH:mm:ss")
        Operation   = $AuditData.Operation
        User        = $AuditData.UserId
        File        = $File
        URL         = $URL
        Target      = $SharingTarget
        EventData   = $EventData
        Linktype    = $LinkType
 
     }
    $Report.Add($ReportLine)
 }
 
 $Report | Out-GridView -Title "Audit events for sharing"

Parameters

ParameterDefaultNotes

-LookbackDays30Number of days back to search the unified audit log.

Attribution

Author

Office365itpros

Source

https://github.com/12Knocksinna/Office365itpros

Report sharing audit events

Connect & set up

Run it

Parameters

Add contacts to mailboxes

Add owners to apps

Add Teams to group expiration policy