When you need to prove who accessed, shared, or deleted a file in OneDrive for Business, you must export audit evidence that meets legal or compliance standards. Microsoft 365 records every action in the unified audit log, but finding and exporting the right data requires specific steps in the Microsoft 365 Defender portal. This article explains how to search the audit log for OneDrive events, export the results to a CSV file, and prepare the evidence for review by investigators or legal teams.
Key Takeaways: How to Export OneDrive Audit Evidence
- Microsoft 365 Defender portal > Audit: The single location to search all OneDrive events including file access, sharing, deletion, and permission changes.
- Search criteria — Date range, user, activity, and file path: Narrow the audit log to relevant events before exporting to avoid data overload.
- Export > Download all results: Generates a CSV file with every matching record, ready for analysis in Excel or import into eDiscovery tools.
What the Unified Audit Log Captures for OneDrive
Microsoft 365 records all OneDrive for Business activities in the unified audit log. This log is part of Microsoft 365 Purview and stores data for 90 days by default for users with an E3 license and 365 days for E5 or add-on licenses. Each audit record contains the user who performed the action, the exact time in UTC, the affected file or folder, the action type, and the client device or IP address.
The audit log captures these OneDrive events:
File and Folder Operations
Every upload, download, delete, rename, move, copy, and version change is recorded. For example, FileDeletedFirstStageRecycleBin logs when a user deletes a file to the recycle bin, and FileDeletedSecondStageRecycleBin logs permanent deletion from the recycle bin.
Sharing and Permission Changes
Sharing actions include SharingInvitationCreated when a user sends a share link, AnonymousLinkCreated for anyone-with-the-link shares, and PermissionChange when someone modifies access levels. The log records the target user or group and the permission type.
Sync and Client Activity
Events like FileSyncUploadedFull and FileSyncDownloadedFull show when files are synced from the OneDrive client. This data helps verify whether a file was accessed from a specific device.
To export evidence, you must have the Audit Logs role in Microsoft 365 Purview. Global admins, Compliance admins, and Audit Log admins have this permission by default. Users without these roles cannot search or export audit data.
Steps to Export OneDrive Audit Evidence in the Microsoft 365 Defender Portal
Follow these steps to search the audit log for OneDrive events and export the results to a CSV file. The process takes about 10 minutes for a standard investigation.
- Sign in to the Microsoft 365 Defender portal
  Open your browser and go to https://security.microsoft.com. Sign in with an account that has the Audit Logs role or Global admin privileges.
- Open the Audit search page
  In the left navigation, select Audit under the Solutions section. If you do not see Audit, click Show all at the bottom of the navigation pane.
- Set the date range for the investigation
  In the Date and time range dropdown, select a custom range. For most investigations, choose a period that covers the incident window plus one day before and after. The maximum range is 90 days for standard licenses.
- Select OneDrive-specific activities
  Under Activities, click the dropdown and search for File or Sharing. Check the boxes for relevant activities such as FileAccessed, FileDeleted, FileModified, SharingInvitationCreated, and AnonymousLinkCreated. You can select multiple activities at once.
- Specify the user or file path
  In the Users field, enter the email address of the user whose OneDrive you are investigating. To narrow by a specific file, enter the full URL path in the File, folder, or site field. The path format is https://tenant-my.sharepoint.com/personal/user_domain_com/Documents/filename.docx.
- Run the search
  Click Search. The portal displays results in a table below the search form. Results may take up to 30 minutes to appear for recent events.
- Review the search results
  Examine the Date, User, Activity, and Item columns to confirm the records match your investigation scope. Click any row to view the full event details including IP address and client application.
- Export all results to CSV
  Click the Export button at the top of the results pane. Select Download all results. The portal generates a CSV file named AuditLogSearch_yyyy-MM-dd_HHmmss.csv and downloads it to your default browser download folder.
- Verify the exported file
  Open the CSV in Excel. The file contains columns for CreationDate, UserIds, Operations, AuditData, and Item. The AuditData column includes JSON-formatted details. Use Excel filters to sort by user or activity type.
If the Audit Export Does Not Contain Expected Events
No Results Appear for the Selected Date Range
The audit log has a processing delay of up to 30 minutes for most OneDrive events. If you are searching for events from the last hour, wait 30 minutes and run the search again. For events older than 90 days, you need a Microsoft 365 E5 license or a Purview Audit (Standard) add-on. Without the extended retention, events older than 90 days are not available.
Missing Sharing or Permission Events
The audit log records sharing events only when the share link is created or modified. If a user copied a share link and sent it outside the system, that action is not logged. For complete sharing evidence, also review the Sharing links report in the OneDrive admin center under Sharing > Manage sharing links.
Export File Contains Too Many Irrelevant Events
Use more specific filters before exporting. Add the exact file path in the File, folder, or site field and select only a few activity types. You can also filter by User to limit results to a single person. Running a broad search and then filtering in Excel is slower and may miss critical records if the export size exceeds the 50,000-row limit.
Unified Audit Log vs OneDrive Admin Center Activity Report: Comparison for Evidence Collection
| Item | Unified Audit Log (Microsoft 365 Defender) | OneDrive Admin Center Activity Report |
|---|---|---|
| Data retention | 90 days default, 365 days with E5 or add-on | 30 days |
| Export format | CSV with full JSON AuditData | CSV with limited columns |
| Activity types covered | All file, folder, sharing, sync, and admin events | File views, edits, shares, and deletes only |
| Search by user | Yes, by email address | Yes, by user name |
| Search by file path | Yes, exact URL | No |
| IP address in results | Included in AuditData JSON | Not included |
| Suitable for legal evidence | Yes, includes all metadata | No, insufficient detail |
For investigations that require legally admissible evidence, always use the unified audit log in the Microsoft 365 Defender portal. The OneDrive admin center report is useful for quick operational reviews but does not contain the detailed metadata that auditors and legal teams require.
After you export the CSV file, open it in Excel and use filters to isolate events by user, date, or activity type. Convert the AuditData JSON column to a readable format using Excel’s Power Query or the JSON viewer in a text editor. Save the cleaned file as a password-protected Excel workbook for submission to the investigation team.
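A scripted alternative to expanding the AuditData column by hand, added here as an example and not taken from Microsoft or the original article: it hashes the untouched export, flattens each record's JSON into columns, and flags rows whose JSON no longer parses instead of dropping them. The CSV column names follow the article; the AuditData keys (ClientIP, ObjectId, UserAgent), the function names, the hashing step, and all sample values are assumptions constructed for illustration.

```python
import csv
import hashlib
import io
import json

CSV_KEYS = ("CreationDate", "UserIds", "Operations", "Item")
DETAIL_KEYS = ("ClientIP", "ObjectId", "UserAgent")  # assumed AuditData keys

def build_sample_export():
    """Constructed sample export, not real tenant data."""
    url = "https://tenant-my.sharepoint.com/personal/user_domain_com/Documents/filename.docx"
    events = [
        ("2024-03-04T09:15:22Z", "alice@contoso.example", "FileAccessed", "203.0.113.10"),
        ("2024-03-04T09:20:05Z", "alice@contoso.example", "AnonymousLinkCreated", "203.0.113.10"),
        ("2024-03-04T11:02:41Z", "bob@contoso.example", "FileDeletedFirstStageRecycleBin", "198.51.100.7"),
    ]
    buf = io.StringIO()
    out = csv.writer(buf)
    out.writerow(CSV_KEYS[:3] + ("AuditData", "Item"))
    for when, user, op, ip in events:
        detail = {"ClientIP": ip, "ObjectId": url, "UserAgent": "constructed-client/1.0"}
        out.writerow([when, user, op, json.dumps(detail), "filename.docx"])
    # One damaged record: AuditData JSON cut short, e.g. by a spreadsheet edit.
    out.writerow(["2024-03-04T11:30:00Z", "bob@contoso.example", "FileModified", '{"ClientIP": "198.51', "filename.docx"])
    return buf.getvalue()

def export_digest(raw_bytes):
    """SHA-256 of the export exactly as downloaded, taken before any cleaning."""
    return hashlib.sha256(raw_bytes).hexdigest()

def flatten_export(csv_text):
    """One dict per audit record; unparseable AuditData is flagged, never dropped."""
    rows = []
    for n, rec in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        row = {"record": n, "parse_error": "", **{k: rec[k] for k in CSV_KEYS}}
        try:
            detail = json.loads(rec["AuditData"])
            if not isinstance(detail, dict):
                raise ValueError("AuditData is not a JSON object")
        except ValueError as exc:  # json.JSONDecodeError subclasses ValueError
            detail, row["parse_error"] = {}, str(exc)
        row.update({k: detail.get(k, "") for k in DETAIL_KEYS})
        rows.append(row)
    return rows

def select_events(rows, user=None, operations=None):
    """Filter by user (case-insensitive) and/or a set of activity names."""
    return [r for r in rows
            if (user is None or r["UserIds"].lower() == user.lower())
            and (operations is None or r["Operations"] in operations)]
```

For a real export, read the downloaded file in binary mode and pass those bytes to `export_digest` before the file is opened in Excel, so the recorded hash describes the file as the portal produced it.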
To prepare for future investigations, enable audit logging for all users in the Microsoft 365 Defender portal under Audit > Settings. Verify that at least one admin has the Audit Logs role assigned. For extended retention, upgrade to a Microsoft 365 E5 license or purchase the Purview Audit (Standard) add-on for your tenant.