You are looking for file download events in the Microsoft 365 audit log but cannot find them. The search returns results for uploads, deletes, and edits, yet download actions are missing. This happens because the default audit log configuration does not include the specific operations required to record file downloads. This article explains why download events are hidden and provides the exact steps to enable and locate them.
Key Takeaways: Audit Log Download Events
- Unified Audit Log in Microsoft 365 Defender: File downloads are recorded only if the FileAccessed operation is included in the audit search. By default, this operation is filtered out in some search views.
- Search with the FileAccessed operation: You must add the FileAccessed operation explicitly to your audit log search query. Standard searches for FileDownloaded return no results because that operation name does not exist.
- Enable auditing for SharePoint and OneDrive: The AuditLog setting in the SharePoint admin center must be turned on for download events to be captured. This setting is enabled by default for most tenants, but it can be disabled by a previous administrator.
Why File Download Events Are Missing from the Audit Log
The root cause is a naming mismatch. Many administrators assume that file downloads are recorded under an operation named FileDownloaded. Microsoft 365 does not use that name. Instead, the audit log records file downloads under the operation FileAccessed. The FileAccessed operation fires whenever a user opens, previews, or downloads a file from SharePoint or OneDrive. If you search for FileDownloaded, the audit log returns zero results because that operation does not exist.
A second cause is the audit log search scope. The default search in the Microsoft 365 Defender portal may not include FileAccessed in the pre-populated list of activities. Users must manually add this operation to their search query. Without it, download events remain hidden even though they are being recorded.
A third cause is the auditing configuration on the SharePoint side. The SharePoint admin center has a setting called Audit log trimming and a separate toggle for Audit log in the tenant settings. If auditing is disabled for SharePoint, no file access events are sent to the unified audit log. This setting is enabled by default, but a tenant administrator may have turned it off during a security cleanup.
Steps to Enable and Find File Download Events
- Verify that auditing is enabled for SharePoint
Open the SharePoint admin center at https://admin.microsoft.com/SharePoint. Go to Policies > Sharing and then click Audit log in the left navigation. Ensure the toggle for Audit log is set to On. If it is off, turn it on and click Save. - Go to the Microsoft 365 Defender audit log
Navigate to https://security.microsoft.com/auditlogsearch. Sign in with an account that has the Audit Log role or Global Administrator role. - Select the correct date range
In the Date field, choose the range that covers the time period when the file download occurred. Audit logs retain data for 90 days for Microsoft 365 E3 licenses and up to one year for E5 licenses. - Add the FileAccessed operation
Click the Activities dropdown. In the search box within the dropdown, type FileAccessed. Select the checkbox next to FileAccessed from the list. Do not search for FileDownloaded because it does not exist. - Filter by specific users or files (optional)
In the Users field, enter the username of the person who performed the download. In the File field, enter the filename or part of the filename. These filters narrow the results. - Run the search
Click Search. The results list shows each FileAccessed event. To view details, click the event entry. In the details pane, look for Item type and Operation. The operation will be FileAccessed. The Item type will be File. Scroll down to Affected items to see the exact file path.
If Audit Log Still Does Not Show Download Events
Search returns no FileAccessed events at all
If the search returns zero results for FileAccessed, auditing may be completely disabled at the tenant level. Go to Microsoft 365 Defender > Audit > Audit log. Look for a banner that says Auditing is turned off. If you see it, click Start recording user and admin activity. This enables auditing for the entire tenant. Changes take effect within 30 minutes.
File download events appear but are missing details
Some download events show only a GUID in the file path instead of the actual filename. This occurs when the file is downloaded from a SharePoint site that uses Versioning with Require Check Out enabled. The GUID is the internal identifier for the file version. To see the real filename, open the event details and look for SourceFileName in the Additional properties section.
Bulk downloads from SharePoint sync client are not recorded
When a user syncs a SharePoint library with the OneDrive sync client, the initial sync generates many FileAccessed events. However, subsequent sync operations that download only metadata changes do not trigger FileAccessed. This is by design. Only actual file content downloads are logged. To verify a sync download, check the Sync events in the audit log under operation FileSyncDownloadedFull.
FileAccessed vs FileDownloaded: Operation Name Comparison
| Item | FileAccessed | FileDownloaded |
|---|---|---|
| Exists in audit log | Yes | No |
| Records file downloads | Yes | N/A |
| Records file previews | Yes | N/A |
| Records file opens | Yes | N/A |
| Searchable in Defender | Yes, if manually added | No results returned |
Use FileAccessed in all audit log searches to capture download events. Do not use FileDownloaded because it will never return results.
Conclusion
You can now find file download events by searching the audit log for the FileAccessed operation. Verify that auditing is enabled in the SharePoint admin center under Policies > Audit log. If searches return no results, turn on tenant-wide auditing in Microsoft 365 Defender. For advanced filtering, use the SourceFileName field in the event details to identify files downloaded from version-controlled libraries. This approach gives you complete visibility into file access and download activity across SharePoint and OneDrive.