When you share OneDrive files with a Microsoft 365 security group, those files do not appear in the Shared list of the OneDrive web interface. The standard Shared view only shows files shared with individual people or Microsoft 365 groups, not mail-enabled security groups or distribution groups. This article explains how to locate these files using Microsoft 365 audit logs and the Microsoft Graph API. You will learn two methods to find files shared with a security group and understand the limitations of each approach.
Key Takeaways: Finding OneDrive Files Shared With Security Groups
- Audit log search (Microsoft 365 Defender portal > Audit, or the Microsoft Purview portal): search the SharingSet activity ("Shared file, folder, or site") and filter the results on TargetUserOrGroupType = SecurityGroup to find files shared with a security group.
- Microsoft Graph API: enumerate the user's OneDrive with `/drives/{drive-id}/root/delta`, read each shared item's `/permissions` collection, and match the security group's object ID in `grantedToV2.group.id` (or in `grantedToIdentitiesV2` for sharing links). The `permissions` navigation property cannot be used in a `$filter`, so the match is done client-side.
- OneDrive web Shared view limitation: the Shared list only shows files shared with individual users or Microsoft 365 groups, not security groups, so you must use audit logs or the Graph API instead.
Why OneDrive Shared With Security Groups Is Hidden From the Shared List
OneDrive for Business stores every share as a permission on the item whose grantee is a user, a Microsoft 365 group, or a security group. The Shared tab on the web interface only lists items whose grantee is an individual user or a Microsoft 365 group, the grantee types the sharing picker offers by name. A permission granted to a security group is stored on the item like any other, but that view does not surface it.
Security groups, including mail-enabled security groups and distribution groups, are not offered in the OneDrive sharing picker by default, and the Shared view omits permissions whose grantee is one of them. Treat this as a display limitation of the view, which is intended for files shared with people you know individually, not as an indication that the permission is absent.
The underlying permission is still valid. Members of the security group can access the file using the direct link or through the Shared with Me view if they are signed in. However, the file owner cannot see it in their Shared list. To find these files, you must use the audit log or the Microsoft Graph API.
Method 1: Use Microsoft 365 Audit Log to Find Files Shared With a Security Group
The Microsoft 365 unified audit log records every sharing event in SharePoint and OneDrive as a SharingSet operation. Each record names the grantee and its type in the TargetUserOrGroupName and TargetUserOrGroupType fields, so shares with a security group can be separated from shares with individual users. Searching the log requires the Audit Logs role in Exchange Online (held by default through the Organization Management role group, which Global Administrators belong to) or the Audit Reader or Audit Manager role in the Purview portal.
- Open the Microsoft 365 Defender portal: go to https://security.microsoft.com and sign in with an account that holds one of the roles above. The same search is available in the Microsoft Purview portal.
- Navigate to Audit: in the left navigation, select Audit under the Solutions section. If you do not see Audit, click Show all first.
- Configure the audit search: set the Date range to the period when the file was shared. Under Activities, select Shared file, folder, or site (operation name SharingSet). Optionally enter the file owner's UPN under Users to narrow the results.
- Run the search: click Search. Each result shows the user who shared the item and the item URL; opening a result shows the full record, including TargetUserOrGroupName (the grantee) and TargetUserOrGroupType, which is SecurityGroup for a security group share.
- Export the results: click Export and select Download all results to save the audit log as a CSV file.
The CSV has the columns CreationDate, UserIds, Operations and AuditData; the event details are a JSON object in AuditData with fields such as ObjectId (the file URL), TargetUserOrGroupName and TargetUserOrGroupType. In Excel, filter AuditData on the text `"TargetUserOrGroupType":"SecurityGroup"` and then on the group name; for anything beyond a handful of rows, parse the JSON in a script instead.
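The export is easier to work with in a script than in Excel, because the useful fields sit inside the AuditData JSON. The following is an added example, not part of the original article: it parses a constructed audit export, keeps only SharingSet records (so a later SharingRevoked row is not mistaken for a grant), groups the security-group shares by grantee, and separately matches a grantee by name, which is the approach to use for distribution groups. The hostnames, users and group names are invented; the JSON field names are the ones SharePoint sharing records use. The type value recorded on the distribution-group row is a placeholder, not a statement of what a tenant records.

```python
import csv
import io
import json
from collections import defaultdict


def _row(when, who, op, path, target, target_type):
    # Build one export row: the AuditData column is a JSON blob, quoted for CSV.
    owner = who.replace("@", "_").replace(".", "_")
    data = json.dumps({
        "CreationTime": when, "Operation": op, "UserId": who,
        "ObjectId": f"https://contoso-my.sharepoint.example/personal/{owner}/Documents/{path}",
        "TargetUserOrGroupName": target, "TargetUserOrGroupType": target_type,
    })
    escaped = data.replace('"', '""')
    return f'{when}Z,{who},{op},"{escaped}"'


# Constructed sample export (not real tenant data). Row 5 is a revocation and
# row 6 a distribution-group grant whose type value is only a placeholder.
SAMPLE_EXPORT = "\n".join([
    "CreationDate,UserIds,Operations,AuditData",
    _row("2024-05-02T09:14:03", "alice@contoso.example", "SharingSet", "Budget.xlsx", "SG-Finance", "SecurityGroup"),
    _row("2024-05-02T10:01:44", "alice@contoso.example", "SharingSet", "Notes.docx", "bob@contoso.example", "Member"),
    _row("2024-05-03T08:22:10", "carol@contoso.example", "SharingSet", "Contract.pdf", "SG-Legal", "SecurityGroup"),
    _row("2024-05-03T11:45:59", "alice@contoso.example", "SharingSet", "Roadmap.pptx", "SG-Finance", "SecurityGroup"),
    _row("2024-05-04T09:00:00", "carol@contoso.example", "SharingRevoked", "Contract.pdf", "SG-Legal", "SecurityGroup"),
    _row("2024-05-04T09:30:00", "alice@contoso.example", "SharingSet", "Plan.docx", "DL-Marketing", "Member"),
])


def sharing_events(csv_text, operations=("SharingSet",)):
    """Yield the decoded AuditData of every row whose Operation is in `operations`.
    Other operations (SharingRevoked, link events) are skipped."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        data = json.loads(row["AuditData"])
        if data.get("Operation") in operations:
            yield data


def files_shared_with_security_groups(csv_text):
    """Map security-group name -> list of (time, sharer, file URL), keeping only
    records whose grantee type is SecurityGroup."""
    by_group = defaultdict(list)
    for ev in sharing_events(csv_text):
        if ev.get("TargetUserOrGroupType") != "SecurityGroup":
            continue
        by_group[ev["TargetUserOrGroupName"]].append(
            (ev["CreationTime"], ev["UserId"], ev["ObjectId"]))
    return dict(by_group)


def files_shared_with_group_name(csv_text, group_name):
    """Match on the grantee name rather than the type. Use this for distribution
    groups, or when you already know which group you are auditing."""
    wanted = group_name.casefold()
    return sorted(ev["ObjectId"] for ev in sharing_events(csv_text)
                  if ev.get("TargetUserOrGroupName", "").casefold() == wanted)


if __name__ == "__main__":
    for group, shares in sorted(files_shared_with_security_groups(SAMPLE_EXPORT).items()):
        print(group)
        for when, who, url in shares:
            print(f"  {when}  {who}  {url}")
    print("DL-Marketing:", files_shared_with_group_name(SAMPLE_EXPORT, "dl-marketing"))
```

Point `SAMPLE_EXPORT` at the contents of a real export file and the same two functions apply; the Operation filter is what keeps revocations out of the result, and the name match is case-insensitive because group display names are not case-sensitive in the picker.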
Method 2: Use Microsoft Graph API to List OneDrive Files Shared With a Security Group
For IT administrators who need to automate the discovery of files shared with security groups, the Microsoft Graph API provides a programmatic approach. Graph does not let you filter drive items by their permissions, so the method is: enumerate the items in the user's OneDrive, read the permissions of each shared item, and match the security group's object ID against the grantee. You need the object ID of the security group, which you can get from the Microsoft Entra admin center, and an app registration or signed-in account with the Files.Read.All or Sites.Read.All permission.
- Get the security group object ID: go to https://entra.microsoft.com and sign in with an account that can read the directory (Global Administrator is not required). Select Groups > All groups, find the security group, and copy the Object ID value.
- Get the OneDrive drive ID: call `GET https://graph.microsoft.com/v1.0/users/{user-principal-name}/drive`, replacing `{user-principal-name}` with the user's UPN. The `id` field in the response is the drive ID.
- Enumerate the items: call `GET /drives/{drive-id}/root/delta` and follow `@odata.nextLink` until the response no longer has one. Items that have been shared carry a `shared` facet; folders can be shared too and must be included.
- Read each shared item's permissions: call `GET /drives/{drive-id}/items/{item-id}/permissions`. A direct grant to the group appears as `grantedToV2.group.id`; a sharing link scoped to specific people lists its recipients in `grantedToIdentitiesV2`, each entry holding a `user` or a `group`.
- Match the object ID: keep the items where any permission's group id equals the security group's object ID. Each item has a `name` and a `webUrl` (the direct link), and the matching permission's `roles` tells you whether the group has read or write access.
You can make these calls from Graph Explorer or Postman to spot-check a single file, but the full walk is best scripted (PowerShell with Invoke-MgGraphRequest, or any HTTP client). Graph reports only the group that was named in the share: if the security group is nested inside another group that was granted access, the permission carries the parent group's id, not the nested group's. To cover that case, also collect the group ids returned by `GET /groups/{security-group-object-id}/transitiveMemberOf` and match on those as well.
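The walk above, including the nested-group expansion, as an added example that is not part of the original article and not Microsoft code. It runs offline against constructed Graph responses: a `fetch` callable stands in for an authenticated GET, so the same functions work in production when `fetch` is replaced by an HTTP call that sends a bearer token. The drive id, object ids, file names and the delta `token` value are invented; the endpoint paths, paging key and permission fields are the real Graph ones. Reading `transitiveMemberOf` additionally needs GroupMember.Read.All or Directory.Read.All.

```python
GRAPH = "https://graph.microsoft.com/v1.0"
DRIVE = "b!constructed-drive-id"
SG_FINANCE = "11111111-1111-1111-1111-111111111111"  # the security group's object ID
ALL_STAFF = "22222222-2222-2222-2222-222222222222"   # a group that SG-Finance is nested in


def _item(id_, name, shared=True, folder=False):
    # Minimal driveItem carrying only the facets the walk relies on.
    item = {"id": id_, "name": name,
            "webUrl": f"https://contoso-my.sharepoint.example/personal/alice/Documents/{name}"}
    item["folder" if folder else "file"] = {}
    if shared:
        item["shared"] = {"scope": "users"}
    return item


# Constructed Graph responses keyed by URL (not captured from a real tenant).
FAKE_RESPONSES = {
    f"{GRAPH}/drives/{DRIVE}/root/delta": {
        "value": [_item("root", "root", shared=False, folder=True), _item("i1", "Budget.xlsx")],
        "@odata.nextLink": f"{GRAPH}/drives/{DRIVE}/root/delta?token=page2"},  # invented token
    f"{GRAPH}/drives/{DRIVE}/root/delta?token=page2": {
        "value": [_item("i2", "Notes.docx"), _item("i3", "Legal", folder=True),
                  _item("i4", "Readme.txt", shared=False), _item("i5", "Vendors.xlsx")],
        "@odata.deltaLink": f"{GRAPH}/drives/{DRIVE}/root/delta?token=latest"},
    f"{GRAPH}/drives/{DRIVE}/items/i1/permissions": {"value": [
        {"id": "p1", "roles": ["write"],
         "grantedToV2": {"group": {"id": SG_FINANCE, "displayName": "SG-Finance"}}},
        {"id": "p2", "roles": ["owner"], "grantedToV2": {"user": {"id": "u-alice"}}}]},
    f"{GRAPH}/drives/{DRIVE}/items/i2/permissions": {"value": [
        {"id": "p3", "roles": ["read"], "grantedToV2": {"user": {"id": "u-bob"}}}]},
    f"{GRAPH}/drives/{DRIVE}/items/i3/permissions": {"value": [
        {"id": "p4", "roles": ["read"], "link": {"type": "view", "scope": "users"},
         "grantedToIdentitiesV2": [{"user": {"id": "u-bob"}},
                                   {"group": {"id": SG_FINANCE, "displayName": "SG-Finance"}}]}]},
    f"{GRAPH}/drives/{DRIVE}/items/i5/permissions": {"value": [
        {"id": "p5", "roles": ["read"],
         "grantedToV2": {"group": {"id": ALL_STAFF, "displayName": "All-Staff"}}}]},
    f"{GRAPH}/groups/{SG_FINANCE}/transitiveMemberOf": {"value": [
        {"@odata.type": "#microsoft.graph.group", "id": ALL_STAFF, "displayName": "All-Staff"}]},
}


def fake_fetch(url):
    """Offline stand-in for an authenticated GET. In production use, e.g.,
    requests.get(url, headers={"Authorization": f"Bearer {token}"}).json()."""
    return FAKE_RESPONSES[url]


def iter_collection(fetch, url):
    """Yield every element of a paged Graph collection, following @odata.nextLink."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def grantee_group_ids(permission):
    """Group object IDs that one permission grants access to. Direct grants use
    grantedToV2.group; sharing links list their recipients in grantedToIdentitiesV2."""
    identities = [permission.get("grantedToV2", {})] + permission.get("grantedToIdentitiesV2", [])
    return {ident["group"]["id"] for ident in identities if ident.get("group")}


def nested_parent_ids(fetch, group_id):
    """Groups the security group is a direct or transitive member of. A share
    granted to one of them reaches the security group's members, but Graph
    records only the parent, so these IDs must be matched too."""
    return {g["id"] for g in iter_collection(fetch, f"{GRAPH}/groups/{group_id}/transitiveMemberOf")
            if g.get("@odata.type") == "#microsoft.graph.group"}


def find_items_shared_with_groups(fetch, drive_id, group_ids, only_flagged_shared=True):
    """Walk a OneDrive via root/delta and return every item whose permissions grant
    one of `group_ids`. Graph has no $filter over permissions, so match client-side."""
    hits = []
    for item in iter_collection(fetch, f"{GRAPH}/drives/{drive_id}/root/delta"):
        # The `shared` facet marks items shared directly; skipping the rest saves one
        # permissions call each. Pass only_flagged_shared=False to inspect every item.
        if only_flagged_shared and "shared" not in item:
            continue
        for perm in iter_collection(fetch, f"{GRAPH}/drives/{drive_id}/items/{item['id']}/permissions"):
            matched = grantee_group_ids(perm) & set(group_ids)
            if matched:
                hits.append({"name": item["name"], "webUrl": item["webUrl"],
                             "roles": perm.get("roles", []), "via_group": sorted(matched),
                             "sharing_link": "link" in perm})
    return hits


if __name__ == "__main__":
    targets = {SG_FINANCE} | nested_parent_ids(fake_fetch, SG_FINANCE)
    for hit in find_items_shared_with_groups(fake_fetch, DRIVE, targets):
        print(f"{hit['name']:<14} {','.join(hit['roles']):<6} via {hit['via_group']} link={hit['sharing_link']}")
```

Searching for `SG_FINANCE` alone finds `Budget.xlsx` (direct grant) and the `Legal` folder (a people-scoped sharing link that names the group), but not `Vendors.xlsx`, which was shared with the parent group `All-Staff`; adding the ids from `transitiveMemberOf` brings that item in, which is exactly the blind spot the text above describes. For a tenant-wide report, run the walk once per user drive and persist the `@odata.deltaLink` so later runs only examine changed items.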
Limitations and Things to Check
The file was shared with a distribution group, not a security group
Distribution groups are also not shown in the OneDrive Shared list. They are recorded by the same SharingSet operation, but do not rely on TargetUserOrGroupType to pick them out: run the same audit search and match on the group's display name or address in the TargetUserOrGroupName field of the AuditData JSON instead.
The audit log search returns no results
Audit logging must be enabled in your tenant; it is on by default for most tenants, and if the Audit page shows a banner offering to start recording user and admin activity, turn it on there. Verify that the file was shared after auditing was turned on, allow several hours for SharePoint and OneDrive events to become searchable, and check the retention window: Audit (Standard), included with Office 365 E3, keeps records for 180 days (formerly 90), while Audit (Premium), included with E5, keeps them for one year, extendable to ten years with the retention add-on.
The Graph API returns an empty response
Matching on grantedToV2.group.id only finds permissions where that group was named in the share. If the security group is a member of another group that has access, the permission carries the parent group's id, and the file will not appear when you match on the nested group's id alone. Add the parent groups returned by GET /groups/{security-group-object-id}/transitiveMemberOf to the set of ids you match. The audit log has the same blind spot, because it also records only the group the owner picked in the share dialog.
The file was shared with a Microsoft 365 group, not a security group
Microsoft 365 groups do appear in the OneDrive Shared list. If you are looking for files shared with a Microsoft 365 group, use the OneDrive web Shared view and filter by People to see the group name. The audit log and Graph API methods described above are only needed for security groups.
Audit Log Search vs Microsoft Graph API: Key Differences
| Item | Audit Log Search | Microsoft Graph API |
|---|---|---|
| Access required | Audit Logs role (Exchange Online) or Audit Reader / Audit Manager (Purview) | Application or delegated permission Files.Read.All or Sites.Read.All |
| Data retention | 90 days to 1 year depending on license | No retention limit, returns current permissions |
| Supports nested groups | No, records only the group named in the share | No, matches only the group named in the grant; expand with transitiveMemberOf |
| Automation | Manual search or export to CSV | Fully scriptable with PowerShell or REST calls |
| Granularity | Shows who shared the file and when | Shows current permissions but not the sharing history |
The audit log search is the simplest method for a one-time investigation. The Graph API is better for recurring scans or integration with existing management tools.
You can now find OneDrive files shared with a security group using either the Microsoft 365 audit log or the Microsoft Graph API. Start with the audit log search if you need a quick answer for a single security group. For ongoing monitoring, set up a PowerShell script that calls the Graph API and writes the results to a report. Remember that the OneDrive Shared view will never show these files, so you must rely on these two methods to audit security group sharing.