When you share OneDrive files with people outside your company, those files may no longer be protected by your organization’s security policies. A single external sharing link can expose sensitive data to unauthorized users. This article explains how to use Microsoft 365 auditing and the SharePoint admin center to identify all OneDrive files shared with external users. You will learn how to run a detailed audit report and how to review sharing links for individual files.
Key Takeaways: Finding Externally Shared OneDrive Files
- Microsoft 365 Purview compliance portal > Audit: Search for the “Sharing invitation” and “Anonymous link created” activities to find external shares.
- SharePoint admin center > Active sites > OneDrive site > Sharing: View external sharing links, expiration dates, and the specific people or groups with access.
- OneDrive web app > Info pane > Manage access: Check each file individually for external users and remove them if necessary.
What Counts as Sharing Outside the Organization
External sharing in OneDrive means granting access to someone who does not have a user account in your Microsoft 365 tenant. This includes guests added via Azure AD B2B collaboration and anyone who receives an anonymous link that does not require sign-in. The Microsoft platform logs every external sharing event in the unified audit log. However, finding those logs requires knowing which activities to search for.
There are two main types of external sharing events:
1. Sharing Invitations
When a user sends an invitation to an external email address, the audit log records a “Sharing invitation” event. This event includes the email address of the recipient, the file or folder shared, and the permissions granted.
2. Anonymous Links
When a user creates a link that can be shared with anyone, the audit log records an “Anonymous link created” event. This event does not include the recipient because the link can be forwarded to any number of people. The audit log captures the file path, the link expiration (if any), and the permissions.
Before you start the search, ensure that audit logging is enabled in your tenant. Go to the Microsoft 365 admin center, open the Security & Compliance center, and check that audit log search is turned on. If it is off, enable it. It can take up to 24 hours for audit records to appear after you enable logging.
Steps to Find OneDrive Files Shared Outside the Organization
Use the following steps to locate files shared with external users across all OneDrive accounts in your tenant. You need at least the Audit Logs reader role or the View-Only Audit Logs role to perform these steps.
- Open the Microsoft 365 Purview compliance portal
Go to https://compliance.microsoft.com and sign in with an account that has the Audit Logs reader role or the Security Administrator role. - Navigate to the Audit search page
In the left navigation pane, select Audit. If you do not see Audit, expand the Solutions section and then select Audit. - Configure the date range
Set the Start date and End date to cover the period you want to investigate. For a full scan, set the start date to 90 days ago. Microsoft 365 retains audit logs for up to 90 days by default. - Add the sharing activity filter
Under Activities, type or select Sharing invitation and Anonymous link created. You can also search for Shared file and Shared folder to capture additional sharing methods. - Search for SharePoint activities
Since OneDrive for Business uses SharePoint as its storage backend, all OneDrive sharing events appear under the SharePoint workload. In the Workloads dropdown, select SharePoint. This ensures you see only OneDrive and SharePoint events. - Run the search
Click Search. The audit log search returns a list of events. Each event shows the date, the user who performed the action, the activity type, and the item name. - Review the results
Click any event to open the details pane. In the details pane, look for the Item field. This field contains the full URL path to the shared file. The path includes the OneDrive site URL, for examplehttps://yourtenant-my.sharepoint.com/personal/user_domain_com/Documents/File.xlsx. - Export the results for analysis
Click Export at the top of the audit log page. Choose CSV format. Open the CSV file in Excel. Filter the Activity column to show only Sharing invitation and Anonymous link created. The CSV export includes the file URL, the sharing user, and the target email for invitations.
Reviewing Sharing Links for Individual OneDrive Files
After you identify a file that may be shared externally, you can verify its current sharing status directly in OneDrive. This method does not require admin access and works for any user who has at least read access to the file.
- Open the file in the OneDrive web app
Go to https://onedrive.live.com and sign in. Navigate to the file you want to check. - Open the Info pane
Select the file by clicking it, then click the Info icon in the top toolbar. The icon looks like a lowercase “i” inside a circle. - Select Manage access
In the Info pane, scroll down to the People section. Click Manage access. A panel opens showing all users and links that have access to this file. - Check for external users
External users appear with a guest icon next to their name. If you see an entry that says Anyone with the link, that is an anonymous link that can be shared outside the organization. - Remove external access if needed
To remove an external user, click the user’s name and then click Remove direct access. To delete an anonymous link, click the link entry and then click Remove link.
What to Do After You Find Externally Shared Files
OneDrive Files That Should Not Be Shared Externally
If a file contains sensitive information, remove the external sharing link or invitation immediately. Then change the file’s permissions to restrict sharing. Use the OneDrive web app to set the default sharing link type to People in your organization for that specific file.
Audit Log Shows Sharing But the File Is No Longer Shared
The audit log captures historical events. If a user created an anonymous link two months ago and later deleted it, the audit log still shows the creation event. To verify current sharing status, you must use the Manage access panel as described above.
Too Many Results to Review Manually
If your tenant has thousands of external sharing events, use the CSV export and filter by file extension or user. You can also use PowerShell with the Search-UnifiedAuditLog cmdlet to automate the search and generate a report. To use PowerShell, install the Exchange Online Management module and connect to Exchange Online.
Audit Log Search vs Manage Access: Key Differences
| Item | Audit Log Search | Manage Access Panel |
|---|---|---|
| Purpose | Find historical sharing events across all users | View current sharing status for one file |
| Scope | All OneDrive and SharePoint sites | Single file or folder |
| Data retention | Up to 90 days by default | Real-time, no history |
| Required permissions | Audit Logs reader, Security Admin, or Global Admin | Read access to the file |
| Output | CSV or on-screen list of events | Interactive panel with user names and link types |
| Can remove access | No | Yes |
Use the audit log search to discover files that were shared externally. Then use the Manage access panel for each file to verify and remove unwanted external access.
You can now identify every OneDrive file that was shared with people outside your organization by running an audit log search for Sharing invitation and Anonymous link created events. After you find the files, use the Manage access panel to review current permissions and revoke any unwanted external access. For ongoing monitoring, schedule a monthly audit log export and review the CSV in Excel. If you manage a large tenant, consider creating a PowerShell script that searches the audit log and emails you a summary of all new external sharing events.