How to Check OneDrive Files Against Insider Risk Alerts

When your organization uses Microsoft Purview Insider Risk Management, alerts are generated when user activity matches a defined risk policy. These alerts often point to specific files stored in OneDrive that were shared, downloaded, or accessed in a way the policy considers risky. As a compliance officer or security administrator, you need to verify which OneDrive files triggered the alert and assess whether the activity is legitimate or malicious. This article explains how to locate the alert in the Microsoft Purview compliance portal (formerly the Microsoft 365 compliance portal), review the associated OneDrive files, and take the appropriate action.

Key Takeaways: Checking OneDrive Files in Insider Risk Alerts

  • Microsoft Purview compliance portal > Insider risk management > Alerts: The central location to view all insider risk alerts and filter by status, severity, policy, or date.
  • Alert details > Activity explorer: Shows the file-related actions recorded for the user in the alert window, including OneDrive file uploads, downloads, shares, and deletions.
  • Activity explorer filters: Narrow the list to OneDrive events by filtering on the workload, then filter or search on the file name or path. The Activity explorer shows metadata only; file content requires the Investigators role and a case.


What Triggers an Insider Risk Alert for OneDrive Files

Insider Risk Management in Microsoft 365 monitors user behavior across Exchange, SharePoint, Teams, and OneDrive. When a user performs an action that matches a policy rule — such as downloading a large number of files from OneDrive to a personal device, sharing a file with an external domain, or deleting files shortly before leaving the company — the system generates an alert. Each alert contains a summary of the detected activity and a link to the user’s activity timeline.

The alert does not automatically list every OneDrive file the user touched. Instead, it provides a starting point: the user identity, the policy that fired, and the date range. To see the specific OneDrive files, you must open the alert and use the Activity explorer. It displays the file events captured for the user (drawn from the Microsoft 365 audit records and the policy's other indicators) with metadata including the file name, path, size, and the exact action performed.

Before you begin, ensure you are a member of one of the following role groups: Insider Risk Management Admins, Insider Risk Management Analysts, or Insider Risk Management Investigators. Analysts and Investigators can both work alerts and use the Activity explorer; only Investigators can open the Content explorer in a case to see the files themselves, while Admins are primarily for configuring policies and settings. Without one of these role groups, the Alerts tab and Activity explorer will not be visible.

Steps to Check OneDrive Files in an Insider Risk Alert

  1. Sign in to the Microsoft 365 compliance portal
    Open a browser and go to https://purview.microsoft.com (the older https://compliance.microsoft.com address redirects there). Sign in with an account in the Insider Risk Management Analysts or Investigators role group.
  2. Navigate to Insider risk management > Alerts
    In the left navigation pane, select Insider risk management. Then click Alerts. You will see a list of all alerts generated by your policies. Use the filter bar at the top to narrow by status, severity, policy name, or date range.
  3. Open the specific alert
    Click the alert that you want to investigate. The alert details pane opens on the right side. It shows the user name, the policy that triggered the alert, the date and time, and a short description of the activity.
  4. Click View activity in the alert details pane
    At the bottom of the alert details pane, click the View activity button. This opens the Activity explorer for that user, pre-filtered to the date range of the alert.
  5. Apply the file filter to show only OneDrive files
    In the Activity explorer, locate the filter bar above the activity list. Click the Add filter button. Select Workload from the drop-down menu, then check OneDrive. Click Apply. The list now shows only activities performed in OneDrive.
  6. Review the file details in the activity list
    Each row in the list represents a single file event. Columns include File name, File path, Activity (for example a download, deletion, or share; the underlying audit operations are FileDownloaded, FileDeleted, SharingSet, AnonymousLinkCreated, and similar), Date, and Size. Click any row to see additional metadata such as the client IP address and device name.
  7. Export the activity list for further analysis if needed
    To save the list of OneDrive file events, click the Export button above the activity list. The data is downloaded as a CSV file. You can open it in Excel to sort, filter, or share with other investigators.


If the Alert Does Not Show OneDrive Files

The Activity explorer shows no OneDrive events

If you apply the Workload filter for OneDrive and the activity list is empty, the user may not have performed any OneDrive actions during the alert’s time window. Check whether the alert’s description mentions a different workload, such as SharePoint or Exchange. Remove the Workload filter and review all activities to see which workload actually triggered the alert.

The alert mentions a file but you cannot find it in the list

Some alerts include file names in the description text. If the file does not appear in the Activity explorer, it may have been deleted after the activity occurred. OneDrive deletions are logged as FileDeleted (or FileRecycled when the file was moved to the recycle bin). Even when the file is gone, its audit records remain in the unified audit log for the retention period of your licence. Go to Audit in the compliance portal, search on the user's account for the alert's date range, and add the file name as a keyword to retrieve the historical record; the ObjectId in each record gives the full URL the file had in the user's OneDrive.

You need to see the file content, not just metadata

The Activity explorer only shows metadata (file name, path, size, and action). It does not display the file content. To view the actual file, confirm the alert into a case and open the case's Content explorer tab, which holds copies of the files and messages associated with the alert activity; this requires the Insider Risk Management Investigators role group, since Analysts cannot access Content explorer. Alternatively, open the file URL from the audit record directly in OneDrive, which works only if you have read access to the user's OneDrive; a SharePoint administrator can grant a named investigator site access to the user's OneDrive if the investigation requires it, and that access is itself audited.

Activity Explorer vs Audit Log for OneDrive File Checks

Item | Activity explorer | Audit log (unified audit log)
Access method | Inside an insider risk alert or case, or from the insider risk management dashboard | Audit page in the compliance portal, or the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell
Data retention | Scoped to the alert's activity window (up to 30 days of context) | 180 days with Audit (Standard); one year with Audit (Premium, included in Microsoft 365 E5); 10 years with the 10-Year Audit Log Retention add-on
Filtering by workload | Built-in filter for OneDrive, SharePoint, Teams, and Exchange | No Workload parameter on the cmdlet; narrow by RecordType or Operations (or by user and date range) and then filter on the Workload field inside each record's AuditData JSON
User interface | Built for investigation, with a timeline and activity grouping | Flat list of events; sorting and correlation are manual
File content access | None in the explorer itself; Content explorer in a case (Investigators role) holds copies of the files | No direct link; the ObjectId field carries the file URL, which opens only with the right OneDrive permissions
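
The following is an added example, not code from the article or from Microsoft, showing the audit-log route used in the deleted-file case above and in the comparison table: it pulls one user's OneDrive file and sharing events with Search-UnifiedAuditLog, pages through large result sets, separates OneDrive from SharePoint using the Workload field in AuditData, and lists the timeline for the file named in the alert. It assumes the ExchangeOnlineManagement module is installed and the caller holds the View-Only Audit Logs or Audit Logs role; the UPN, file name, and date range are placeholders to replace with values from the alert.

```powershell
# Added example (not from the article): trace a user's OneDrive events in the unified
# audit log, including files that have since been deleted from OneDrive.
# Assumptions: ExchangeOnlineManagement module present; account has View-Only Audit Logs
# or Audit Logs role; the UPN, file name and date window below are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$user     = 'jdoe@contoso.com'        # user named in the alert (placeholder)
$fileName = 'Q3-forecast.xlsx'        # file named in the alert description (placeholder)
$start    = (Get-Date).AddDays(-30)   # alert window; widen as your audit retention allows
$end      = Get-Date

# Audit Operation names for the download, deletion and sharing events this check cares about.
$ops = @(
    'FileDownloaded', 'FileSyncDownloadedFull',                        # downloads
    'FileDeleted', 'FileRecycled', 'FileDeletedFirstStageRecycleBin',  # deletions
    'SharingSet', 'SharingInvitationCreated',                          # sharing
    'AnonymousLinkCreated', 'SecureLinkCreated', 'AddedToSecureLink'
)

# Search-UnifiedAuditLog returns at most 5000 rows per call. Reusing one SessionId with
# ReturnLargeSet pages through the remainder; the cmdlet returns nothing once exhausted.
$sessionId = [guid]::NewGuid().ToString()
$records   = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -UserIds $user -Operations $ops -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($batch) { $records += $batch }
} while ($batch)

# AuditData is a JSON blob. Its Workload field is what separates OneDrive from SharePoint
# (both share the SharePoint record types), and ObjectId holds the full file URL.
$oneDrive = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    if ($d.Workload -ne 'OneDrive') { continue }
    [pscustomobject]@{
        Time      = $r.CreationDate
        Operation = $d.Operation
        File      = $d.SourceFileName
        Url       = $d.ObjectId
        ClientIP  = $d.ClientIP
        UserAgent = $d.UserAgent
    }
}

# Timeline for the file named in the alert. A FileDeleted/FileRecycled row after the
# download or share explains why Activity explorer no longer lists the file.
$oneDrive | Where-Object File -eq $fileName | Sort-Object Time |
    Format-Table Time, Operation, ClientIP, Url -AutoSize

# Keep the full OneDrive timeline as evidence next to the Activity explorer CSV export.
$alias = $user -replace '@.*', ''
$oneDrive | Sort-Object Time |
    Export-Csv -Path ".\$alias-onedrive-audit.csv" -NoTypeInformation
```

Filtering on Workload after the search, rather than asking the cmdlet for it, is deliberate: Search-UnifiedAuditLog has no Workload parameter, and OneDrive and SharePoint events share the same record types and operation names. The ClientIP and UserAgent fields are the same metadata the Activity explorer surfaces when you click a row, so the CSV produced here can be reconciled with the export from step 7.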

After you review the OneDrive files in the alert, you set its status from the alert details pane. New alerts are in Needs review; you can Dismiss an alert that turns out to be benign, or Confirm it, which creates a case (or adds the alert to an existing one for that user). Inside the case you can add notes, assign reviewers, view file content in Content explorer, and track remediation steps until the case is Resolved.

For ongoing monitoring, consider creating a custom insider risk policy focused on OneDrive file sharing with external recipients. Start from the Data leaks policy template, select only the sharing and download indicators that matter to you, and scope the policy to the users or groups of concern; the policy's thresholds then control how much activity is needed before an alert fires. This reduces noise from unrelated SharePoint or Teams activity and keeps the alert queue focused on the OneDrive behaviour you actually want to review.

To speed up review when you are working through dozens of alerts in a session, use the Activity explorer's own filter on file name or path rather than the browser's find function: browser find (Ctrl + F) only matches rows that are currently rendered on the page, so it can miss events further down a long activity list.
