Entra / Microsoft 365 · Compliance & audit

Report expiring link extended

Module checks: Exchange Online provides Search-UnifiedAuditLog; Azure AD is used to look up the guest account and report its display name.

Connect & set up

Run these once per session. All scopes are read-only unless the script makes changes.

Connect-ExchangeOnline -ShowBanner:$false
Connect-AzureAD

Run it

The main script. Copy it, or download the .ps1 and run it from your console.

param(
    [int] $LookbackDays = 90,
    [datetime] $StartDate = (Get-Date).AddDays(-$LookbackDays),
    [datetime] $EndDate = (Get-Date)
)

# Confirm both required modules are loaded in this session before querying
$ModulesLoaded = Get-Module | Select-Object -ExpandProperty Name
If ($ModulesLoaded -notcontains "ExchangeOnlineManagement") { Write-Host "Please connect to the Exchange Online Management module and then restart the script"; return }
If (!($ModulesLoaded -like "AzureAD*")) { Write-Host "Please connect to the Azure AD module and then restart the script"; return }

# Search the lookback window (90 days by default).
# -ResultSize 5000 is the most a single call returns; exactly 5000 records back may mean the set is truncated.
[array]$Records = Search-UnifiedAuditLog -Operations UserExpirationChanged, SharingInvitationCreated, SharingSet, SecureLinkCreated, SecureLinkUsed -StartDate $StartDate -EndDate $EndDate -Formatted -ResultSize 5000

# Stop here if the search returned nothing
If (!$Records) { Write-Host "No audit records for extending sharing links found."; return }

$Report = [System.Collections.Generic.List[Object]]::new() # In-memory list of report rows

# Process the records
ForEach ($Rec in $Records) {
    # Reset per-record values so nothing carries over from the previous record
    $DisplayName = $Null
    $Target = $Null
    $AuditData = $Rec.AuditData | ConvertFrom-Json
    Switch ($Rec.Operations) {
        "SecureLinkUsed" {
            $Target = $AuditData.SourceFileName
            $DisplayName = "N/A"
        }
        "SecureLinkCreated" {
            $Target = $AuditData.SourceFileName
            $DisplayName = "N/A"
        }
        "SharingSet" {
            $Target = $AuditData.SourceFileName
            $DisplayName = "N/A"
        }
        "SharingInvitationCreated" {
            $Target = $AuditData.SourceFileName
            # Resolve the display name only when the invitation went to a guest account
            If ($AuditData.TargetUserOrGroupType -eq "Guest") {
                $DisplayName = (Get-AzureADUser -ObjectId $AuditData.TargetUserOrGroupName).DisplayName
            }
        }
        "UserExpirationChanged" {
            If ($AuditData.TargetUserOrGroupType -eq "Guest") {
                $DisplayName = (Get-AzureADUser -ObjectId $AuditData.TargetUserOrGroupName).DisplayName
            }
            $Target = $AuditData.TargetUserOrGroupName
        }
    }
    $ReportLine = [PSCustomObject] @{
        TimeStamp   = $Rec.CreationDate
        UPN         = $Rec.UserIds
        Name        = $DisplayName
        Action      = $AuditData.Operation
        Source      = $AuditData.EventSource
        Target      = $Target
        Type        = $AuditData.TargetUserOrGroupType
        Site        = $AuditData.SiteUrl
        Correlation = $AuditData.CorrelationId
    }
    $Report.Add($ReportLine)
} # End ForEach Records

# Sort chronologically, then by target, and output to a grid view and a CSV file
$Report = $Report | Sort-Object {$_.TimeStamp -as [datetime]}, Target
$Report | Out-GridView
$Report | Export-CSV -NoTypeInformation c:\temp\SPOSharingEvents.CSV

Parameters

Parameter       Default                    Notes
-LookbackDays   90                         Number of days back to search the unified audit log.
-StartDate      (Get-Date).AddDays(-90)    Start of the reporting window.
-EndDate        (Get-Date)                 End of the reporting window.
Attribution