How to audit OneDrive for Business activities

Your download is in progress and it will be complete in just a few seconds! If you face any issues, download manually here

Thank you for registering with ManageEngine.

We will send the download link to the registered email ID shortly.

Manage and Secure Microsoft 365 with M365 Security Plus

  •  
  •  
  •  
  • By clicking 'Download 30-day free trial' you agree to processing of personal data according to the Privacy Policy.
RELATED PRODUCTS

Microsoft 365's OneDrive for Business is widely used to store and retrieve files and folders. Since the documents stored can be easily accessed, modified, or deleted by any user in your organization, you must keep track of all the actions performed in your organization’s OneDrive for Business account along with the person responsible for every action.

Native Microsoft 365 auditing options such as PowerShell scripts and the Microsoft 365 Security & Compliance Center are either challenging to use or do not directly provide specific OneDrive for Business activity logs. These audit logs can be searched through and generated on a per-user basis only. M365 Security Plus simplifies the process of fetching OneDrive for Business audit logs by offering exclusive audit reports for multiple users under various domains. These audit logs can be stored for an indefinite period.

To view OneDrive for Business audit reports in M365 Security Plus:

  1. Go to the Audit tab under the Auditing & Monitoring section.
  2. Navigate to OneDrive for Business > OneDrive for Business Sharing Activities or OneDrive for Business Sync Activities or OneDrive for Business File Folder Activities
  3. Enter the Period for report generation.
  4. Choose the required Domains from the drop-down.

The OneDrive Sharing Activities audit profile with details such as the list of users who were granted access, who granted access to them, and when the access was shared

You can export the reports generated as PDF, HTML, XLSX, or CSV format. You can also use the Schedule Profiles option to schedule the reports to be automatically generated and mailed to the stakeholders in your organization.

Creating audit profiles that suit your need

Instead of filtering through the collective audit logs of OneDrive for Business for a specific set of data, you can create audit profiles in M365 Security Plus that save the filter criteria and generate the data periodically, all without any intervention after setting it up with just a few clicks! Here are two use cases for which creating specific audit profiles can help save considerable time and effort.

Use Case 1: Detect unauthorized access of private documents!

Consider a folder containing all confidential information in your organization. You can now keep a close watch on that particular folder by creating an audit profile to monitor factors such as who accessed the folder, when it was accessed, the client IP used to access the folder, the country from which it is accessed, and so on. Follow the steps given below to create a new audit profile for this purpose.

  1. Click the Settings tab and navigate to Configuration → Audit Configuration → Audit Profiles.
  2. Click the Add Profile tab in the top right corner.
  3. Enter a suitable Profile Name and Description.
  4. In the Microsoft 365 services drop-down, choose OneDrive for Business.
  5. Under Category, select OneDrive File and Folder Activities.
  6. In the Actions drop-down, choose Accessed file.
  7. Navigate to Advanced Configuration → Filter Settings → Filter by column.
  8. You can choose and add various filters as required. For example, if you want to check the file access operations performed by users from other countries, refer to the image below and apply the country filter as given.
  9. Click on Add to create a new audit profile for monitoring.

    The Audit Profile Configuration page in M365 Security Plus with the configuration

Use Case 2: Learn about anonymous link shares in your organization

You can also find out about the anonymous sharing activities performed in your organization by following the steps given below.

  1. Click the Settings tab and navigate to Configuration → Audit Configuration → Audit Profiles.
  2. Click the Add Profile tab in the top right corner.
  3. Enter a suitable Profile Name and Description.
  4. In the Microsoft 365 services drop-down, choose OneDrive for Business.
  5. Under Category, select OneDrive Sharing Activities.
  6. In the Actions drop-down, choose created, updated, used, and deleted anonymous links.
  7. Navigate to Advanced Configuration → Filter Settings → Filter by column.
  8. You can choose and add various filters as required. For example, if you want to check the IP address of the client machine from which the anonymous links are shared, refer to the image below and apply the clientIP filter as given.
  9. Click Add to create a new audit profile for monitoring anonymous links.

    The Audit Profile Configuration page in M365 Security Plus with the configuration of an audit profile to detect anonymous sharing activities

Customizing OneDrive audit reports to fit your requirements

M365 Manager Plus audit reports come handy when you want to scrutinize and monitor specific attributes over the others. For example, the OneDrive File Accessed audit report, in general, displays all the file access operations performed. But using the filters available in M365 Manager Plus, you can tweak the audit report to display only the file access operations performed by specific users or the ones performed during a specific time or using a specific client IP address, and so on. By this, you can keep a close watch on activities performed by particular users or the activities performed outside business hours.

The OneDrive File Accessed audit profile being filtered for details on specific users, client IP, and time of occurrence

You may also use the Create New View option to get a customized summary view based on the attributes that you choose, like time or username.

The Create New View window in the OneDrive File Accessed audit with specific attributes such as Who, When, Activity, and Target selected to create a view with only these attributes

Learn more about how M365 Security Plus offers simple solutions to complex Microsoft 365 issues.

RELATED PRODUCTS
© 2022 Zoho Corporation Pvt. Ltd. All rights reserved.