How to Audit Direct Access on Sensitive OneDrive Files in OneDrive for Business

OneDrive for Business stores sensitive files that need protection from unauthorized access. Direct access occurs when someone bypasses sharing links and opens a file directly from the OneDrive folder or the web interface. This article explains how to audit direct access events using the Microsoft 365 Purview compliance portal and audit log search.

Direct access events are recorded in the unified audit log when a user opens a file from OneDrive or SharePoint. The audit log captures the user, the file, the action type, and the timestamp. You can filter these logs to identify who accessed sensitive files and whether the access was legitimate.

This guide covers enabling audit logging, searching for direct access events, interpreting the results, and setting up alerts for suspicious activity. You will also learn how to export audit records for compliance reporting.

Key Takeaways: Auditing Direct Access on Sensitive OneDrive Files

  • Microsoft 365 Purview compliance portal > Audit: Central location to search and export audit logs for direct file access events.
  • Audit log search > Activities > FileAccessed: Filter to show only direct file access events, excluding other file operations.
  • Alert policies > Custom alert: Create real-time alerts when specific users or files are accessed directly from OneDrive.


What Direct Access Means in OneDrive for Business

Direct access in OneDrive refers to any file open operation that does not use a shared link. When a user with at least read permissions opens a file from the OneDrive folder on their PC, the OneDrive mobile app, or the OneDrive web interface, the system logs a FileAccessed event. This is different from accessing a file through a sharing link, which logs a FilePreviewed or FileDownloaded event depending on the link type.

Direct access events are important for compliance because they show who actually opened sensitive files. A user who should not have access to a file might open it directly if they were granted permissions through group membership or delegated access. Auditing these events helps security teams detect data exfiltration attempts, insider threats, or accidental exposure.

Prerequisites for Audit Logging

Before you can audit direct access events, you need the following:

  • Microsoft 365 E5 or E5 Compliance license: Audit logging for advanced events requires an E5 license. E3 licenses provide basic audit log search.
  • Audit log search enabled: In Microsoft 365, audit log search is enabled by default. Verify this in the Purview compliance portal under Audit > Audit settings.
  • Permissions: You need the Audit Logs role or the View-Only Audit Logs role in the Purview compliance portal. Global admins have these permissions by default.

Steps to Audit Direct Access on Sensitive OneDrive Files

Follow these steps to search the audit log for direct access events on specific files or folders in OneDrive for Business.

  1. Open the Microsoft 365 Purview compliance portal
    Sign in to compliance.microsoft.com with an account that has the Audit Logs role. From the left navigation, select Audit under the Solutions section.
  2. Configure the audit log search parameters
    On the Audit page, click Search. Under Date and time range, select a range that covers the period you want to investigate. For sensitive files, a 90-day range is standard. Under Activities, select File and page activities, then check FileAccessed. This filters the results to direct file open events only.
  3. Specify the sensitive file or folder
    In the File, folder, or site field, enter the full URL of the sensitive file or folder. You can get this URL by opening the file in OneDrive on the web and copying the browser address. For example: https://contoso-my.sharepoint.com/personal/user_contoso_com/Documents/Financials/Q4_Report.xlsx. Leave the field blank to see all direct access events for all files.
  4. Run the search
    Click Search. The portal displays results in a table. Each row shows the date, the user who accessed the file, the action (FileAccessed), the file name, and the location (OneDrive URL). To see details, click any row to open the Details pane.
  5. Export the results for compliance records
    Click Export at the top of the results table. Choose Export all results to download a CSV file with all events. You can open this file in Excel to filter by user, date, or file name. This export is useful for compliance audits or legal discovery.

Filtering Results for Specific Users or Files

After the initial search, you can narrow results further:

  • By user: In the search results, click the User column header to sort. Or use the Users filter in the search pane to specify one or more user email addresses.
  • By file: Use the File search box in the results toolbar to type a partial file name. The portal filters the displayed results in real time.
  • By date: Click the Date column header to sort ascending or descending. Use the date range sliders at the top of the results page to zoom into a specific day or hour.


If the Audit Log Shows Unexpected Direct Access

When you find direct access events from unexpected users, use the following steps to investigate and remediate.

“FileAccessed event from a user who should not have access”

This situation usually means the user has inherited permissions through a SharePoint group or a Microsoft 365 group. Check the permissions on the file or its parent folder:

  1. In OneDrive on the web, navigate to the file.
  2. Click the file name, then select Manage access.
  3. Review the list of users and groups. If the user appears as a member of a group, click the group name to see its members.
  4. Remove the user from the group, or change the file permissions so that only specific users are granted access directly rather than through a group.

“Need to set up real-time alerts for direct access to sensitive files”

Create a custom alert policy in the Purview compliance portal:

  1. Go to Alert policies under Policies in the left navigation.
  2. Click + New alert policy. Give it a name like “Direct Access to Sensitive Files”.
  3. Under Select activities, choose FileAccessed. Under Conditions, add the file URL or a folder path.
  4. Set the alert threshold to trigger on a single event. Choose email notification for the security team.
  5. Click Save. The policy starts monitoring within 30 minutes.

Direct Access vs Shared Link Access: Key Differences

Item                 | Direct Access                                                                  | Shared Link Access
---------------------|--------------------------------------------------------------------------------|-----------------------------------------------
Audit event          | FileAccessed                                                                   | FilePreviewed, FileDownloaded
Permissions required | Direct or inherited permissions on the file or folder                          | Link permissions (view, edit, or download)
Typical user         | Owner, co-owner, or group member with access                                   | Anyone with the link, including external users
Risk level           | Medium — access is controlled by permissions but can be inherited unexpectedly | High — links can be forwarded or leaked

You can now search the audit log for direct access events on sensitive OneDrive files, export the results, and create alert policies. Next, set up a recurring weekly audit report for all files in your organization’s sensitive document library. As an advanced tip, use the Search-UnifiedAuditLog PowerShell cmdlet to automate audit log queries and integrate them with your security information and event management system.
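As an added example that is not part of the original article, the following PowerShell script automates steps 2 to 5 of the procedure above with Search-UnifiedAuditLog and flags any accessing user who is not on an expected list, which is the "unexpected direct access" case described earlier. It assumes the ExchangeOnlineManagement module is installed; the file URL, the expected-user list and the output path are placeholder values.

```powershell
# Assumed values (not from the article): the sensitive file URL, the users who are
# supposed to open it, and where the compliance CSV is written.
$FileUrl  = 'https://contoso-my.sharepoint.com/personal/user_contoso_com/Documents/Financials/Q4_Report.xlsx'
$Expected = @('user@contoso.com', 'cfo@contoso.com')
$OutCsv   = 'C:\Audit\Q4_Report_DirectAccess.csv'
$Start    = (Get-Date).AddDays(-90)   # 90-day window, as in step 2
$End      = Get-Date

# Requires the ExchangeOnlineManagement module; this opens the session that
# Search-UnifiedAuditLog runs in.
Connect-ExchangeOnline -ShowBanner:$false

# Page through results with a session id: each call returns at most 5000 records,
# and the loop stops when a page comes back empty.
$sessionId = [guid]::NewGuid().ToString()
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -RecordType SharePointFileOperation -Operations FileAccessed `
        -ObjectIds $FileUrl -SessionId $sessionId -SessionCommand ReturnLargeSet `
        -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

# AuditData is a JSON string; expand the fields a reviewer needs and mark users
# who are not on the expected list.
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $d.CreationTime
        User       = $d.UserId
        Operation  = $d.Operation
        File       = $d.SourceFileName
        SiteUrl    = $d.SiteUrl
        ClientIP   = $d.ClientIP
        UserAgent  = $d.UserAgent
        Unexpected = ($d.UserId -notin $Expected)   # -notin is case-insensitive
    }
}

# Full export for compliance records (step 5), then only the rows needing follow-up.
$rows | Sort-Object Time | Export-Csv -Path $OutCsv -NoTypeInformation
$rows | Where-Object Unexpected | Format-Table Time, User, ClientIP, UserAgent -AutoSize
```

Leave -ObjectIds out to pull FileAccessed events for every file in the window, and schedule the script to produce the weekly report mentioned above or to forward the CSV to your SIEM.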
