Find All Shared Files in a SharePoint Site: Step-by-Step Setup

You need to see every file that has been shared with someone outside your organization across a SharePoint site. SharePoint does not display all external shares in one list by default. This article explains how to use the SharePoint admin center and site collection audit logs to generate a complete report of externally shared files.

The root cause is that SharePoint sharing permissions are applied at multiple levels: site, folder, and individual file. Without a centralized report, you must check each location manually. The solution is to configure audit log search for the SharingEvent type and export the results to a CSV file.

This guide covers the prerequisite permissions, the step-by-step process to run the audit report, and how to interpret the results. You will also learn how to filter the report to show only external shares.

Key Takeaways: Audit Log Search for External File Shares

  • Microsoft 365 Defender portal > Audit > Search: The only built-in tool to find all shared files across a SharePoint site without manual inspection.
  • SharingEvent in audit log: The specific activity type that records when a file is shared with an external user via a sharing link or direct invite.
  • CSV export and Excel filter: Required to isolate external shares because the raw audit log includes internal shares and other file events.

Why SharePoint Does Not Show All Shared Files in One Place

SharePoint stores sharing permissions as access control entries on each item. A file can be shared through a site-level sharing link, a folder-level link, or a direct invitation. No single page in the SharePoint site interface aggregates these entries across all libraries and folders. The audit log in Microsoft 365 captures every sharing action as an event. By querying this log and filtering for external shares, you can produce a complete list.

The audit log is enabled by default for organizations with Exchange Online, SharePoint Online, or Azure AD Premium P1 licenses. You must be assigned the Audit Logs role or the View-Only Audit Logs role in the Microsoft 365 Defender portal. Global Administrators and Compliance Administrators have this role by default. Site owners without these roles cannot run the audit search themselves.

Steps to Generate a Report of All Shared Files in a SharePoint Site

Follow these steps to create a CSV report that lists every file shared externally on a specific SharePoint site. You will use the Microsoft 365 Defender portal audit search.

  1. Open the Microsoft 365 Defender portal
    Go to https://security.microsoft.com and sign in with an account that has the Audit Logs role or Global Administrator permissions. In the left navigation, select Audit under the Solutions section.
  2. Configure the audit search parameters
    In the Search tab, set the Date range to cover the period you want to check. For a full report, select the maximum range of 90 days. Under Activities, type Sharing and select Shared file, folder, or site from the dropdown list. This activity name corresponds to the SharingEvent type in the audit log.
  3. Filter by the specific SharePoint site
    In the File, folder, or site field, enter the URL of your SharePoint site. For example, https://yourtenant.sharepoint.com/sites/Marketing. Leave all other fields at their defaults. Click Search.
  4. Review the search results
    The results page shows a list of events. Each row includes the date, the user who performed the share, the file name, and the target user or link type. The Activity column displays Shared file, folder, or site. The Item column shows the file path within the site.
  5. Export the results to CSV
    Click Export at the top of the results pane. Choose Export all results and save the CSV file to your computer. The export includes all sharing events for the site within the selected date range, including shares to internal users.
  6. Filter the CSV to show only external shares
    Open the CSV in Excel. Look for the column named UserKey. This column contains the email address or UPN of the person the file was shared with. If the file was shared via an anonymous link, the UserKey column shows AnonymousLink. Add a filter on the UserKey column and select only values that contain your tenant domain, external domains, or AnonymousLink. To find external users, look for email domains that are not your organization’s domain. For example, if your tenant is contoso.com, any email ending in @partner.com or @gmail.com is an external share.
  7. Save the filtered list as a new report
    Copy the filtered rows to a new worksheet or save the workbook with a descriptive name. This file now contains only the files shared externally from your SharePoint site.

Common Issues When Finding Shared Files

Audit search returns no results

If the search returns zero events, verify that audit logging is enabled for your organization. Go to the Microsoft 365 Defender portal, select Audit, and check the Audit log search status at the top of the page. If it says Turn on auditing, click it and wait up to 24 hours for past events to populate. Also confirm that the date range includes a time when sharing activity occurred.

CSV export includes too many rows to filter manually

For large sites with thousands of sharing events, use Excel Power Query to filter the CSV before loading it. In Excel, go to Data > Get Data > From File > From Text/CSV. Select your file. In the preview window, click Transform Data. Filter the UserKey column as described in step 6. Click Close & Load to import only the filtered rows.

Cannot identify which files were shared with specific external users

The UserKey column shows the target user for direct invitations. For anonymous sharing links, the value is AnonymousLink. To see the actual link type, look at the AuditData column. This column contains a JSON object. Copy the value of one cell, paste it into a text editor, and find the SharingLinkType field. Values include AnonymousAccess, CompanyAccessible, and SpecificPeople.
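The UserKey filter from step 6 and the AuditData lookup above, done in PowerShell instead of Excel; this is an added example, not part of the original article. It assumes the export has the UserKey and AuditData columns and the SharingLinkType field as the article describes them; the Item column, the sample rows, contoso.com and the function name Get-ExternalShare are constructed for illustration.

```powershell
# Added example. UserKey / AuditData / SharingLinkType follow the article's
# description of the export; the Item column, domains and rows are constructed.
function Get-ExternalShare {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Row,
        [Parameter(Mandatory)] [string[]] $TenantDomain   # every domain you own
    )
    process {
        $key = ([string]$Row.UserKey).Trim()

        # Compare the exact domain after the last '@', not a substring, so
        # notcontoso.com is not mistaken for contoso.com. Guest UPNs carry
        # '#EXT#' and end in the tenant's own domain, so test for them first.
        $audience = if ($key -eq 'AnonymousLink') { 'Anonymous' }
            elseif ($key -like '*#EXT#*') { 'ExternalGuest' }
            elseif ($key -notlike '*@*') { 'Unknown' }
            elseif (($key -split '@')[-1] -in $TenantDomain) { 'Internal' }
            else { 'External' }

        # AuditData is a JSON string; tolerate empty or malformed cells.
        $linkType = $null
        if ($Row.AuditData) {
            try   { $linkType = ($Row.AuditData | ConvertFrom-Json -ErrorAction Stop).SharingLinkType }
            catch { $linkType = 'UnparsedAuditData' }
        }

        if ($audience -ne 'Internal') {
            [pscustomobject]@{
                Audience        = $audience
                UserKey         = $key
                Item            = $Row.Item
                SharingLinkType = $linkType
            }
        }
    }
}

# Constructed sample rows standing in for the exported CSV.
$sampleCsv = @'
UserKey,Item,AuditData
alice@contoso.com,Shared Documents/plan.docx,"{""SharingLinkType"":""CompanyAccessible""}"
bob@partner.com,Shared Documents/quote.xlsx,"{""SharingLinkType"":""SpecificPeople""}"
AnonymousLink,Shared Documents/deck.pptx,"{""SharingLinkType"":""AnonymousAccess""}"
carol_gmail.com#EXT#@contoso.onmicrosoft.com,Shared Documents/notes.txt,"{""SharingLinkType"":""SpecificPeople""}"
dave@notcontoso.com,Shared Documents/budget.xlsx,
'@

$sampleCsv | ConvertFrom-Csv |
    Get-ExternalShare -TenantDomain 'contoso.com', 'contoso.onmicrosoft.com' |
    Sort-Object Audience, UserKey | Format-Table -AutoSize
```

For a real export, replace the sample pipeline's first stage with `Import-Csv` on the downloaded file. Rows marked Unknown or UnparsedAuditData are kept in the output so they can be reviewed by hand rather than silently dropped.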

Audit Search vs Manual Check: Key Differences

| Item | Audit Log Search | Manual Site Check |
| --- | --- | --- |
| Scope | All files and folders across one or more sites | Single library or folder at a time |
| Time required | 10–15 minutes for setup and export | Hours for a site with many libraries |
| External share identification | Automatic via UserKey column filter | Must inspect sharing settings on each item |
| Historical data | Up to 90 days of past events | Only current permissions visible |
| Permission level needed | Audit Logs or Global Admin role | Site owner or member |

You can now generate a complete list of externally shared files for any SharePoint site using the audit log search in the Microsoft 365 Defender portal. The CSV export and Excel filter steps are essential to remove internal shares and isolate only external activity. For ongoing monitoring, schedule a monthly audit search and save the filtered report in a compliance document library. As an advanced tip, use the Search-UnifiedAuditLog PowerShell cmdlet to automate this report and run it across multiple sites at once.
