Compliance audits require a clear record of who has access to which files and folders in OneDrive for Business. Without proper documentation, you cannot prove that external sharing is controlled or that sensitive data is restricted to authorized users. Many IT administrators rely on manual checks, which are time-consuming and error-prone. This article explains how to generate permission reports using built-in Microsoft 365 tools and PowerShell scripts. You will learn the exact steps to produce compliance-ready documentation for any OneDrive site.
Key Takeaways: Document OneDrive Permissions for Compliance
- Microsoft 365 admin center > Reports > Usage > OneDrive: Provides basic sharing activity data but lacks per-file permission details needed for compliance.
- Microsoft 365 Purview compliance portal > Audit: Records sharing events such as “Added member to SharePoint site” and “Shared link created” for user-level activity tracking.
- SharePoint Online Management Shell: the PowerShell cmdlets Get-SPOSite and Get-SPOSiteGroup retrieve site collection administrators and permission groups for every OneDrive site.
Overview of OneDrive Permission Documentation for Compliance
OneDrive for Business stores files in a dedicated SharePoint site collection for each user. Permissions are managed at the site level and the item level. Compliance documentation must capture three layers: site administrators, external sharing settings, and direct file or folder access grants. Microsoft 365 provides two primary methods to collect this data. The audit log in the Purview compliance portal records permission changes over time. The SharePoint Online Management Shell exports current permission snapshots. A complete compliance report combines both sources to show who had access at any point during the audit period.
Before you begin, confirm you have the required roles. You need the SharePoint Administrator role or Global Administrator role in Microsoft 365. For audit log access, the Audit Logs role in Purview is required. These roles are available in the Microsoft 365 admin center under Active users. Assign the roles to a dedicated compliance admin account rather than using your daily user account.
Steps to Document OneDrive Permissions Using the Purview Audit Log
- Open the Microsoft 365 Purview compliance portal
Sign in to https://compliance.microsoft.com with a compliance admin or global admin account. Select Audit from the left navigation menu.
- Search for permission-related events
Set the date range to cover your audit period. Under Activities, select Sharing and access requests. Choose Added member to SharePoint site, Changed sharing settings on site, and Shared link created. Click Search.
- Export the audit log results
After the search completes, click Export and select Export all results. The file downloads as a CSV. Open it in Excel to filter by OneDrive site URL, which typically starts with https://yourtenant-my.sharepoint.com/personal/.
- Filter for external sharing events
In the CSV, filter the Item column for “external” or “guest” to identify shares with people outside your organization. Record the user who initiated the share, the target user, and the timestamp.
The audit log captures events for up to 90 days in Microsoft 365 E3 and E5 licenses. For longer retention, enable Audit (Premium) in the Purview portal under Audit > Audit retention policies.
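Filtering the exported CSV by hand works for a few dozen rows, but an audit period usually produces thousands. The following PowerShell function is an added example, not code from the original article: it reads a Purview audit export, keeps only events on OneDrive personal sites, and returns one row per share that went to a guest or to an address outside the tenant domain. It assumes the export has the standard columns CreationDate, UserIds, Operations and AuditData, and that the AuditData JSON carries SiteUrl, ObjectId, TargetUserOrGroupName and TargetUserOrGroupType as in the SharePoint sharing audit schema; the tenant domain and the sample rows are constructed placeholders.

```powershell
# Added example (not from the original article): parse a Purview audit export
# and list sharing events on OneDrive sites that granted access to guests or
# external accounts. Assumptions: the export has the standard columns
# CreationDate, UserIds, Operations, AuditData, and AuditData is JSON with
# SiteUrl, ObjectId, TargetUserOrGroupName and TargetUserOrGroupType, as in
# the SharePoint sharing audit schema. The sample rows below are constructed.

function Get-OneDriveExternalShareEvents {
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        # placeholder: replace with your tenant's verified domain
        [string] $TenantDomain = "contoso.com"
    )

    Import-Csv -Path $CsvPath | ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json

        # Keep only events on OneDrive personal sites, not team sites
        if ([string]$data.SiteUrl -notlike "*-my.sharepoint.com/personal/*") { return }

        $target = [string]$data.TargetUserOrGroupName
        $type   = [string]$data.TargetUserOrGroupType

        # External if Purview tagged the target as a Guest, or the target is a
        # mail address outside the tenant domain
        $isExternal = (
            ($type -eq "Guest") -or
            ($target -match "@" -and $target -notlike "*@$TenantDomain")
        )
        if (-not $isExternal) { return }

        [pscustomobject]@{
            Timestamp  = [datetime]$_.CreationDate
            Operation  = $_.Operations
            SharedBy   = $_.UserIds
            Target     = $target
            TargetType = $type
            SiteUrl    = $data.SiteUrl
            Item       = $data.ObjectId
        }
    }
}

# --- Constructed sample export: one internal share, one guest share on a
# --- OneDrive site, one guest share on a team site (should be excluded)
$sample = @'
CreationDate,UserIds,Operations,AuditData
"2024-05-02T09:14:33","alice@contoso.com","SharingSet","{""SiteUrl"":""https://contoso-my.sharepoint.com/personal/alice_contoso_com/"",""ObjectId"":""https://contoso-my.sharepoint.com/personal/alice_contoso_com/Documents/budget.xlsx"",""TargetUserOrGroupName"":""bob@contoso.com"",""TargetUserOrGroupType"":""Member""}"
"2024-05-02T10:02:11","alice@contoso.com","SharingInvitationCreated","{""SiteUrl"":""https://contoso-my.sharepoint.com/personal/alice_contoso_com/"",""ObjectId"":""https://contoso-my.sharepoint.com/personal/alice_contoso_com/Documents/budget.xlsx"",""TargetUserOrGroupName"":""partner@fabrikam.com"",""TargetUserOrGroupType"":""Guest""}"
"2024-05-03T08:45:00","carol@contoso.com","AddedToGroup","{""SiteUrl"":""https://contoso.sharepoint.com/sites/Finance/"",""ObjectId"":""https://contoso.sharepoint.com/sites/Finance"",""TargetUserOrGroupName"":""ext@fabrikam.com"",""TargetUserOrGroupType"":""Guest""}"
'@

$tmp = Join-Path ([IO.Path]::GetTempPath()) "audit-sample.csv"
Set-Content -Path $tmp -Value $sample
Get-OneDriveExternalShareEvents -CsvPath $tmp -TenantDomain "contoso.com" |
    Format-Table -AutoSize
```

On the constructed sample this returns a single row, the invitation to partner@fabrikam.com on budget.xlsx: the bob@contoso.com share is dropped by the external check, and the Finance team-site event by the SiteUrl filter. Point the function at a real export instead of the sample file and pipe the result to Export-Csv to produce the external-sharing evidence for the audit period.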
Steps to Document OneDrive Permissions Using PowerShell
- Install the SharePoint Online Management Shell
Open Windows PowerShell as an administrator. Run Install-Module -Name Microsoft.Online.SharePoint.PowerShell. If prompted, confirm the installation from PSGallery.
- Connect to SharePoint Online
Run Connect-SPOService -Url https://yourtenant-admin.sharepoint.com. Enter your SharePoint admin credentials when prompted.
- Get all OneDrive site collections
Run Get-SPOSite -IncludePersonalSite $true -Limit All | Where-Object {$_.Url -like "*/personal/*"} | Select-Object Url, Owner, SharingCapability. This lists every OneDrive site URL, its owner, and the external sharing setting. The -like pattern needs the surrounding wildcards; "/personal/" on its own matches nothing.
- Export site permissions to a CSV file
Run the following script to collect all site group members for each OneDrive site. The Users property is an array, so it is joined with semicolons; otherwise Export-Csv writes only the type name into that column:

```powershell
Get-SPOSite -IncludePersonalSite $true -Limit All |
    Where-Object { $_.Url -like "*/personal/*" } |
    ForEach-Object {
        $site = $_.Url
        Get-SPOSiteGroup -Site $site |
            Select-Object @{Name="SiteUrl";Expression={$site}},
                          Title,
                          @{Name="Users";Expression={$_.Users -join ";"}}
    } |
    Export-Csv -Path "OneDrivePermissions.csv" -NoTypeInformation
```
- Review the exported CSV
Open the file in Excel. The Users column contains semicolon-delimited email addresses. Use Excel’s Text to Columns feature to split them into individual columns for easier auditing. Save a copy with a date stamp for your records.
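The five steps above produce a group-level listing. The function below is an added example, not code from the original article, that carries the same procedure further: one row per principal instead of a semicolon list, site collection administrators included via the IsSiteAdmin flag that Get-SPOUser returns, the site's SharingCapability on every row, a date-stamped file name, and an AccessDenied row for any OneDrive the admin account cannot read rather than an aborted run. It assumes an existing Connect-SPOService session under an account with the SharePoint Administrator role; the output folder in the usage line is a placeholder.

```powershell
# Added example (not from the original article): snapshot current OneDrive
# access as one row per principal, including site collection admins, and
# write a date-stamped CSV. Assumes Connect-SPOService has already been run
# with the SharePoint Administrator role. Get-SPOUser's IsSiteAdmin flag is
# used to capture admins, which Get-SPOSiteGroup does not list. Sites the
# account cannot read are recorded as an "AccessDenied" row, not skipped.

function Export-OneDrivePermissionSnapshot {
    param(
        [string] $OutputFolder = ".",
        [string] $UrlPattern   = "*-my.sharepoint.com/personal/*"
    )

    $stamp   = Get-Date -Format "yyyy-MM-dd"
    $outFile = Join-Path $OutputFolder "OneDrivePermissions-$stamp.csv"

    $rows = @(
        Get-SPOSite -IncludePersonalSite $true -Limit All |
            Where-Object { $_.Url -like $UrlPattern } |
            ForEach-Object {
                $site = $_
                try {
                    # Site collection administrators: one row each
                    Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop |
                        Where-Object { $_.IsSiteAdmin } |
                        ForEach-Object {
                            [pscustomobject]@{
                                SiteUrl           = $site.Url
                                Owner             = $site.Owner
                                SharingCapability = $site.SharingCapability
                                Principal         = $_.LoginName
                                GrantedVia        = "SiteCollectionAdmin"
                            }
                        }
                    # Group membership: one row per member, tagged with the group
                    Get-SPOSiteGroup -Site $site.Url -ErrorAction Stop |
                        ForEach-Object {
                            $group = $_
                            foreach ($member in $group.Users) {
                                [pscustomobject]@{
                                    SiteUrl           = $site.Url
                                    Owner             = $site.Owner
                                    SharingCapability = $site.SharingCapability
                                    Principal         = $member
                                    GrantedVia        = $group.Title
                                }
                            }
                        }
                }
                catch {
                    # Typical cause: the admin account is not a site collection
                    # admin on this OneDrive. Keep the site in the report so the
                    # gap is visible to the auditor.
                    [pscustomobject]@{
                        SiteUrl           = $site.Url
                        Owner             = $site.Owner
                        SharingCapability = $site.SharingCapability
                        Principal         = $null
                        GrantedVia        = "AccessDenied: $($_.Exception.Message)"
                    }
                }
            }
    )

    $rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
    Write-Host "Wrote $($rows.Count) rows to $outFile"
    return $outFile
}

# Usage, after Connect-SPOService -Url https://yourtenant-admin.sharepoint.com
# (the folder is a placeholder):
# Export-OneDrivePermissionSnapshot -OutputFolder "C:\Compliance\OneDrive"
```

Because each row already carries the site URL, the owner, the sharing setting and the principal, the CSV can be filtered in Excel without a Text to Columns pass, and the AccessDenied rows give you the list of OneDrive sites to grant the compliance account secondary admin rights on before the next weekly run.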
PowerShell exports a snapshot of current permissions only. Pair this with audit log exports to show historical changes.
Common Issues When Documenting OneDrive Permissions
Audit log returns no results for a specific user
The search may return empty if the date range is too narrow or if the user did not perform any sharing activity. Extend the range to the maximum retention period. Also verify that audit logging is enabled in the Purview portal under Audit > Audit log search.
PowerShell script fails with access denied
The account used to connect must have the SharePoint Administrator role. If you use a global admin account, ensure the account is not blocked by Conditional Access policies. Run Connect-SPOService again with the -Credential parameter to force reauthentication.
OneDrive site URLs are missing from the CSV export
The -IncludePersonalSite $true parameter is required. Without it, Get-SPOSite returns only team sites. If sites are still missing, confirm that the user has a OneDrive license assigned in the Microsoft 365 admin center.
Audit Log vs PowerShell Snapshot: Best Methods for Compliance
| Item | Purview Audit Log | PowerShell Snapshot |
|---|---|---|
| Data type | Historical permission change events | Current permission state |
| Retention | 90 days default, up to 10 years with Audit (Premium) | Only the moment of export |
| External sharing detection | Records each share event with target email | Shows current sharing capability setting but not past shares |
| User-level detail | Shows who performed the action and who received access | Shows group membership but not direct item-level permissions |
| Automation suitability | Requires manual CSV export or Graph API calls | Fully scriptable with scheduled tasks |
For a complete compliance record, run the PowerShell snapshot weekly and export the audit log monthly. Store both files in a secured SharePoint document library with version history enabled.
You can now generate permission documentation for any OneDrive site using the Purview audit log and PowerShell. Run the PowerShell snapshot weekly to maintain a current access inventory. For historical changes, export the audit log monthly with the “Added member to SharePoint site” filter. As an advanced tip, schedule the PowerShell script using Windows Task Scheduler with a service account that has the SharePoint Administrator role and an app password for unattended authentication.