You need to ensure that files shared from OneDrive do not violate your organization’s data classification policies. Microsoft 365 allows IT administrators to apply sensitivity labels and data loss prevention rules to documents stored in OneDrive. When users share files externally or with the wrong audience, classified content can be exposed. This article explains how to review OneDrive sharing activity against your data classification labels using Microsoft Purview tools.
Key Takeaways: Auditing OneDrive Sharing Against Sensitivity Labels
- Microsoft Purview compliance portal > Data classification > Content explorer: View all files with sensitivity labels and their sharing status across OneDrive.
- Microsoft Purview > Data loss prevention > Alerts: Review DLP policy matches triggered by sharing classified files from OneDrive.
- Microsoft Purview > Audit > Search: Query the unified audit log for “FileShared” events combined with sensitivity label IDs.
How Data Classification Works with OneDrive Sharing
Data classification in Microsoft 365 uses sensitivity labels applied to files and emails. These labels define the sensitivity level, such as Internal, Confidential, or Highly Confidential. When a user shares a file from OneDrive, the label stays with the file. Microsoft Purview can monitor sharing events and compare them against the label’s policy. For example, a label may block external sharing entirely or require encryption before sharing externally. The check you perform involves two parts: verifying which files have which labels and then examining who those files are shared with. This process uses the Content Explorer, Data Loss Prevention alerts, and the unified audit log. You need at least the Information Protection Administrator role or equivalent permissions to access these tools.
Steps to Check OneDrive Sharing Against Data Classification
Use the following methods to audit sharing activity for files with specific sensitivity labels. Each method covers a different angle: direct file inspection, policy violation alerts, and granular audit records.
Method 1: Use Content Explorer to Find Shared Classified Files
- Open Microsoft Purview compliance portal
Go to https://compliance.microsoft.com and sign in with your admin account.
- Navigate to Data classification > Content explorer
In the left navigation, select Data classification then Content explorer. This tool shows all labeled files across Exchange, SharePoint, and OneDrive.
- Filter by location and label
Click Add filter and choose Location. Select OneDrive. Then add another filter for Sensitivity label and pick the label you want to audit, for example Confidential.
- Review sharing status
In the results list, each file shows a Shared column. It displays Internal, External, or Not shared. Click a file row to open the details pane. The pane lists specific users or groups with whom the file is shared. Cross-check this list against your label policy requirements.
- Export the report for offline review
Click Export at the top of the list to download a CSV file. The CSV includes the file path, label, and sharing status. Use this for periodic compliance audits.
Method 2: Review DLP Alerts for Sharing Violations
- Go to Data loss prevention > Alerts
In the Microsoft Purview portal, expand Data loss prevention and select Alerts.
- Filter alerts by workload
Click Filter and choose Workload then OneDrive. This shows all DLP rule matches that occurred in OneDrive.
- Open an alert related to sharing
Look for alerts with activity File shared to external user or File shared with domain. Click an alert to see the file name, the sensitivity label detected, and the user who shared it.
- Check the policy that triggered
The alert details include the DLP policy name and rule. Verify that the rule matches your intended classification policy. For example, a rule may say “Block sharing of Confidential files with external users.”
Method 3: Search the Unified Audit Log for Sharing Events with Labels
- Open Audit in Purview
In the Microsoft Purview portal, go to Audit under Solutions.
- Search for FileShared events
Under Activities, select File and page activities then check File shared. Set a date range of at least the past 30 days.
- Add a filter for sensitivity label
Click Add filter and choose Sensitivity label. Enter the label ID or name. To find label IDs, go to Information protection > Labels and copy the GUID from each label’s properties.
- Run the search and review results
Click Search. Each result shows the user, the file, the target users or groups, and the sensitivity label applied at the time of sharing. Click a record to view the full AuditData JSON, which includes the SensitivityLabelId field.
- Export the audit log
Click Export to download all results as a CSV. Use this for advanced analysis in Excel or Power BI.
Common Issues and Limitations When Checking Sharing Against Classification
Content Explorer shows no files for a specific label
If Content Explorer returns zero results for a label, the label may not be published to users. Verify in Information protection > Labels > Publish labels that the label is assigned to the correct users or groups. Also confirm that users have applied the label to files in OneDrive. Labels applied only in SharePoint will not appear under the OneDrive location filter.
DLP alerts do not appear for sharing events
DLP rules only trigger if the rule includes OneDrive as a location. Open the DLP policy in Data loss prevention > Policies and check that OneDrive is selected under Locations. Also verify that the rule condition mentions sensitivity labels. For example, the condition should say “Content contains sensitivity label Confidential.” If the rule uses only template-based conditions, it may not match labeled files.
Audit log does not show the SensitivityLabelId field
The audit log records the label only if the label was applied at the time of the sharing event. If the label was added after the file was shared, the audit record will not contain a SensitivityLabelId. To capture future events, instruct users to apply labels before sharing. You can also use a retention label auto-apply policy to label files proactively.
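The Method 3 export and the missing SensitivityLabelId limitation above, worked through offline as an added example (not Microsoft's code and not part of the original article): it parses an exported audit CSV, flags FileShared records for one label whose target is outside your domains, and separately lists external shares recorded with no label. The label GUID, the domains, the CSV column names, and the AuditData properties other than SensitivityLabelId are assumptions, and the sample rows are constructed.

```python
import csv
import io
import json

LABEL_ID = "00000000-0000-0000-0000-000000000001"  # constructed placeholder GUID
INTERNAL_DOMAINS = {"contoso.example"}              # constructed tenant domain


def sample_export():
    """Build a constructed audit-log CSV export; not real tenant data."""
    events = [
        ("alice@contoso.example", "budget.xlsx", "bob@contoso.example", LABEL_ID),
        ("alice@contoso.example", "budget.xlsx", "eve@partner.example", LABEL_ID),
        ("carol@contoso.example", "notes.docx", "dan@vendor.example", None),
        ("carol@contoso.example", "menu.docx", "dan@vendor.example",
         "00000000-0000-0000-0000-000000000002"),
    ]
    out = io.StringIO()
    writer = csv.writer(out)
    # Column and property names below are assumptions; match them to your CSV.
    writer.writerow(["CreationDate", "Operation", "AuditData"])
    for user, name, target, label in events:
        data = {"UserId": user, "SourceFileName": name,
                "TargetUserOrGroupName": target}
        if label:  # the field is absent when no label existed at share time
            data["SensitivityLabelId"] = label
        writer.writerow(["2024-01-01T00:00:00Z", "FileShared", json.dumps(data)])
    return out.getvalue()


def review_export(csv_text, label_id, internal_domains):
    """Return (external shares of label_id, external shares with no label)."""
    violations, unlabeled = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "FileShared":
            continue
        data = json.loads(row["AuditData"])
        target = data.get("TargetUserOrGroupName", "")
        # Targets without a domain (group names) count as external for review.
        external = target.rpartition("@")[2].lower() not in internal_domains
        item = (data.get("UserId"), data.get("SourceFileName"), target)
        label = data.get("SensitivityLabelId")
        if not label and external:
            unlabeled.append(item)   # cannot be matched to any label policy
        elif label and label.lower() == label_id.lower() and external:
            violations.append(item)
    return violations, unlabeled


if __name__ == "__main__":
    print(review_export(sample_export(), LABEL_ID, INTERNAL_DOMAINS))
```

The second list is the one to reconcile against Content Explorer, since those files may have been labeled after the share was recorded.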
Content Explorer vs DLP Alerts vs Audit Log: Key Differences
| Item | Content Explorer | DLP Alerts | Audit Log Search |
|---|---|---|---|
| Primary purpose | View all labeled files and their current sharing status | Detect policy violations in real time | Search historical sharing events with label context |
| Data freshness | Near real-time, updated within a few hours | Real-time when DLP rule triggers | Up to 24-hour delay for audit event ingestion |
| Sharing detail | Shows Internal / External / Not shared plus specific users | Shows external user or domain in alert | Shows target users and groups in AuditData JSON |
| Label visibility | Shows sensitivity label name and ID | Shows label name in alert details | Shows SensitivityLabelId GUID in JSON |
| Export format | CSV | CSV or JSON for individual alerts | CSV |
| Permission required | Information Protection Administrator or Viewer | DLP Compliance Management or Compliance Administrator | Audit Log Viewer or View-Only Audit Log |
You can now use Content Explorer, DLP alerts, and the audit log to verify that OneDrive sharing aligns with your data classification labels. Start by running a Content Explorer report for your highest-sensitivity labels. Then set up a recurring DLP alert review for external sharing events. For deeper investigation, query the audit log with the specific label ID. Remember that labels must be applied before sharing events to appear in audit records. Use auto-labeling policies to ensure consistent label coverage across OneDrive.