You need to locate all files shared with people outside your organization before a compliance review. Microsoft 365 does not show every externally shared file in one simple list by default. This article explains the best settings to find externally shared files across SharePoint, OneDrive, and Microsoft Teams. You will learn how to configure auditing, use Microsoft Purview, and run reports to get a complete view of external sharing.
Key Takeaways: Find Externally Shared Files Before a Review
- Microsoft Purview > Audit (Premium): Enable audit logging to capture every sharing event and link creation across SharePoint and OneDrive.
- Microsoft Purview > Content Search: Use a KQL query to find files with external sharing links or guest access in all sites.
- SharePoint admin center > Reports > Sharing: Generate a CSV report of external sharing activity per site for offline analysis.
How External Sharing Works in Microsoft 365 and Why It Is Hard to Track
External sharing in Microsoft 365 occurs when a user sends a sharing link to someone outside the organization, invites a guest to a site, or shares a file directly. SharePoint, OneDrive, and Teams each handle sharing differently, and the activity is not centralized in one dashboard by default. Without proper configuration, you may miss files shared via anonymous links, guest invites, or direct file sharing in Teams channels.
Sharing Link Types and Their Audit Signatures
Microsoft 365 supports three main sharing link types. Anonymous links allow anyone with the link to access the file without signing in. Company-wide links grant access to all internal users but can be forwarded externally. Specific people links require the recipient to authenticate. Each link type generates a different audit event. Anonymous links create a AnonymousLinkCreated event. Specific people links create a SharingInvitationBlocked or SharingInvitationCreated event. You must configure audit logging to capture these events.
Where External Sharing Happens
External sharing can occur in three primary locations. SharePoint sites allow site-level guest access and document-level sharing links. OneDrive for Business supports file and folder sharing links that can be set to anonymous or specific people. Microsoft Teams stores files in the underlying SharePoint site for each channel, and sharing a file from a Teams chat or channel creates a SharePoint sharing link. A comprehensive review must cover all three locations.
Best Settings to Find All Externally Shared Files
To find every externally shared file before a review, you need to configure three settings in order. First, enable Purview Audit (Premium) to capture all sharing events. Second, run a Content Search in Purview to locate files with external sharing links. Third, use the SharePoint admin center to generate a sharing activity report. Follow each method below.
Method 1: Enable Audit Logging for External Sharing Events
- Open Microsoft Purview
Sign in to the Microsoft Purview compliance portal at https://compliance.microsoft.com with an account that has the Audit Log role or Compliance Administrator role. - Turn on Audit in the Solutions section
Go to Solutions > Audit. If auditing is not enabled, click Start recording user and admin activity. Wait up to 24 hours for audit logs to begin populating. - Verify the Audit (Premium) license
Ensure your tenant has the required license for Audit (Premium). This feature is included with Microsoft 365 E5, Microsoft 365 E5 Compliance, or Microsoft 365 E5 eDiscovery and Audit add-on. Without this license, you cannot search for all sharing events. - Search for sharing events
In the Audit search page, select Activities and check the following activities: Created an anonymous link, Created a sharing invitation, Added a guest to a site, and Shared file, folder, or site. Set a date range that covers the review period. Click Search. - Export the results
After the search completes, click Export to download a CSV file. Open it in Excel and filter the Item column to see the exact file names and URLs shared externally.
Method 2: Use Content Search to Find Files with External Sharing Links
- Open Content Search in Purview
In the Microsoft Purview compliance portal, go to Solutions > Content search. Click New search. - Build a KQL query for external sharing
In the Keywords field, enter the following query:ExternalAccess:true AND SharingLinkType:AnonymousLink OR SharingLinkType:CompanyLink OR SharingLinkType:PeopleLink. This query finds files that have an active external sharing link of any type. - Set the locations to search
Under Locations, select All SharePoint sites and All OneDrive accounts. Do not include Exchange mailboxes unless you also want to find shared email attachments. - Run the search and review results
Click Search. After the search completes, click the search name and then click Preview results. You will see a list of files that match the query. Each file shows its URL, site, and last modified date. - Export the file manifest
Click Export and choose Export results. Download the CSV file. This file contains the full path of every externally shared file.
Method 3: Generate a Sharing Activity Report from SharePoint Admin Center
- Open the SharePoint admin center
Sign in to https://admin.microsoft.com and go to Admin centers > SharePoint. Alternatively, go directly to https://admin.microsoft.com/SharePoint. - Navigate to Reports
In the left navigation, select Reports > Sharing. This page shows a summary of external sharing activity across all SharePoint sites and OneDrive accounts. - Filter by time period
Use the date range filter at the top to select the period you need to review. The default shows the last 7 days. You can choose a custom range up to 90 days. - Export the report to CSV
Click Export. The CSV file includes columns for Site URL, File Path, Sharing Type, and Shared With. Open the CSV in Excel and sort by the Sharing Type column to isolate anonymous links and guest invites.
If the Audit Log Shows No External Sharing Events
If your audit search returns zero results but you know external sharing occurs, check these common problems.
Audit logging is not enabled or license is missing
Without Audit (Premium), the audit log only records basic events like site creation. External sharing events are not captured. Verify that your tenant has Microsoft 365 E5 or the Compliance add-on. If not, upgrade or use Method 2 (Content Search) instead.
Sharing links were created before audit was turned on
Audit logging only captures events after it is enabled. Any sharing links created before that date will not appear in the audit log. Use Content Search (Method 2) to find files with existing external sharing links regardless of when they were created.
Guest access is via Microsoft 365 Groups, not SharePoint
When a guest is added to a Microsoft 365 Group, they get access to the associated SharePoint site. This event is logged as a group membership change, not a file sharing event. To find these guests, go to Microsoft 365 admin center > Groups > Active groups, select the group, and check the Members tab for external users.
Audit Log Search vs Content Search vs Sharing Report: Which to Use
| Item | Audit Log Search | Content Search | Sharing Report |
|---|---|---|---|
| What it finds | Events of sharing actions | Files with active external links | Summary of sharing activity per site |
| Requires license | Audit (Premium) or E5 | E3 or higher | E3 or higher |
| Shows file names | Yes, in exported CSV | Yes, in preview and CSV | Yes, in CSV |
| Covers historical links | Only after audit enabled | All active links | Only links created in date range |
| Best for | Compliance audits needing timestamps | Full inventory of current external access | Quick overview of sharing volume |
You now have three methods to locate externally shared files before a review. Start by enabling Purview Audit (Premium) to capture future sharing events. Then run a Content Search to find all current external sharing links. Finally, generate the SharePoint sharing report for a site-level summary. Use the audit log export as your primary evidence for compliance reviews. For a complete inventory, run the Content Search weekly and archive the CSV files.