When you search the Microsoft 365 audit log for file download activity, the expected events may be missing. This leaves security teams without visibility into who accessed sensitive documents. The root cause is that SharePoint Online logs file downloads differently than other file operations. This article explains why download events are missing from the audit log and provides workarounds to capture this activity.
File download events in SharePoint are logged only under specific conditions. The default audit configuration records file downloads when a user opens or downloads a file from the browser. However, downloads triggered by the OneDrive sync client, third-party apps, or certain API calls are not captured. This gap can make it appear that no one downloaded a file when they actually did.
This article covers the technical reasons behind missing download events and offers practical workarounds. You will learn how to adjust audit log settings, use alternative logging methods, and review related events that can confirm file access.
Key Takeaways: How to Handle Missing File Download Audit Events
- Microsoft 365 Defender > Audit > Audit log search: The primary tool for reviewing audit events, but it does not log all download types.
- SharePoint admin center > Access control > Device access policies: Enables conditional access logging that can capture download attempts.
- File viewed event (Event ID 16): A related event that often appears when a file is opened in the browser, which can serve as a proxy for download activity.
Why SharePoint Audit Logs Do Not Capture All File Downloads
The Microsoft 365 audit log records many user activities in SharePoint and OneDrive. However, file download events are not as comprehensive as other operations like file upload, delete, or rename. This happens because SharePoint treats file downloads as a read operation rather than a distinct event in many scenarios.
Download Events That Are Logged
When a user clicks a file link in a SharePoint document library and chooses Download from the browser, the audit log records a File downloaded event. This event appears with the operation name FileDownloaded and includes the user, file name, and site URL. This is the only scenario where a direct download event is logged.
Download Events That Are Not Logged
Several common actions do not generate a File downloaded event:
- OneDrive sync client: When a file syncs to a user’s local device, the sync client downloads the file. This activity is not logged as a download event because the sync client uses a different API protocol.
- Third-party apps and API calls: Applications that access SharePoint via Microsoft Graph or REST APIs may download files without triggering an audit event. The API call type determines whether logging occurs.
- Multiple file downloads in a zip: When a user selects several files and downloads them as a single zip archive, the audit log records one File downloaded event for the zip file, not for each individual file inside it.
- Printing or opening in client app: If a user opens a file in Microsoft Office desktop app from SharePoint, the file is downloaded to the local cache. This action may not appear as a download event unless the user explicitly saves a copy.
Audit Log Retention and Licensing
Audit log retention depends on the Microsoft 365 license. Users with an E5 license retain audit records for one year. E3 licenses retain records for 90 days. If you are searching for events older than the retention period, they will not appear. Additionally, the audit log must be turned on for your tenant. By default, audit logging is enabled for all Microsoft 365 organizations, but an administrator may have disabled it.
Workarounds to Capture or Verify File Download Activity
Since direct download events are limited, use the following workarounds to monitor file access.
Use the File Viewed Event as a Proxy
- Open the Microsoft 365 Defender portal
Go to Microsoft 365 Defender > Audit > Audit log search. Sign in with an account that has the Audit Log or Security Reader role. - Search for File Viewed events
Under Activities, select File and page activities then choose File viewed. This event fires when a user opens a file in the browser. It does not guarantee a download, but it indicates the file was accessed. For many security reviews, this is sufficient. - Review the event details
In the search results, click each event to see the user, file name, site URL, and timestamp. Use this data to identify who accessed a file and when.
Enable Conditional Access App Control Logging
- Go to SharePoint admin center
Sign in to Microsoft 365 admin center > SharePoint. Under Policies, select Access control. - Configure device access policies
Choose Device access policies. Set Allow access only from devices that comply with policy or Block access from unmanaged devices. These policies generate additional logs in Azure AD sign-in logs and Conditional Access reports. These logs include download attempts that the standard audit log misses. - Review sign-in logs
Go to Azure AD > Sign-in logs. Filter by the user and application. Look for Conditional access events that show when a user accessed SharePoint. While not a direct download event, it confirms the user connected to the site.
Use SharePoint Site Collection Audit Settings
- Open site settings
Navigate to the SharePoint site. Click the gear icon and select Site settings. Under Site collection administration, click Site collection audit settings. - Enable audit for document download
Check the box for Viewing items or downloading items. This setting logs events to the site collection audit log, which is separate from the Microsoft 365 audit log. You can view these logs from Site collection audit log reports in the same settings area. - Generate a report
Under Site collection audit log reports, select View auditing reports. Choose Content viewing report to see download and view events for that site. This report includes downloads from the OneDrive sync client and some API calls.
Monitor via Microsoft 365 Defender Alerts
- Create a custom alert policy
In Microsoft 365 Defender > Policies & rules > Alert policy. Click New alert policy. Name it File download activity. - Set the condition to FileDownloaded
Under Conditions, choose Activity is and select FileDownloaded. Set the threshold to trigger after one occurrence. This alert will notify you when a direct download event is logged. - Review alerts
When an alert fires, investigate the event in the audit log. This method does not capture all downloads but ensures you are notified for the ones that are logged.
Common Misconceptions and Limitations
Does the OneDrive Sync Client Log Downloads?
No. The OneDrive sync client does not generate a File downloaded audit event. The sync client uses the FileSyncWrite operation, which is logged as a file update, not a download. To see sync activity, review the FileSyncWrite events in the audit log, but these do not indicate a manual download by the user.
Can I Enable Download Logging for All Users?
There is no setting in SharePoint or Microsoft 365 to log every file download. The audit log is designed to capture significant events, not every read operation. Microsoft considers a download from the browser as a significant event, but a sync or API download is treated as a background operation. The workarounds above are the only ways to increase visibility.
What About File Downloads from External Users?
External users who access SharePoint via anonymous sharing links do not generate any audit events for downloads. The audit log only records activity for authenticated users. If you need to track external downloads, disable anonymous sharing links and require external users to sign in with a Microsoft account or Azure AD guest account.
| Item | Direct Download Event Logged | Workaround Available |
|---|---|---|
| Browser download from SharePoint | Yes | Not needed |
| OneDrive sync client download | No | Site collection audit report |
| Third-party app via API | Depends on API call | Conditional Access logs |
| Download as zip archive | Only zip file event | File viewed event for each file |
| External user via anonymous link | No | Require authenticated access |
You now understand why file download events are missing from the Microsoft 365 audit log. The main cause is that SharePoint only logs browser-initiated downloads, not sync client or API downloads. Use the File viewed event as a proxy, enable site collection audit settings, and review Conditional Access logs to capture more activity. For the most accurate tracking, disable anonymous sharing links and require authenticated access for external users. This approach will give you the best visibility into file download activity in your tenant.