When you run an audit search in the Microsoft 365 Purview compliance portal, you expect to see all user activities including file preview events from OneDrive. However, many administrators find that preview events such as FilePreviewed or Preview are missing from the audit log results. This happens because Microsoft does not log file preview activities to the unified audit log by default. This article explains why preview events are absent, how to confirm your audit configuration, and what alternative methods you can use to track preview behavior.
Key Takeaways: OneDrive Audit Search and File Preview Events
- Microsoft 365 Purview compliance portal > Audit > Audit log search: File preview events like FilePreviewed are not recorded in the unified audit log for OneDrive files.
- Microsoft 365 admin center > Settings > Org settings > Security & Privacy > Audit log: Audit logging must be enabled for any user activity to be captured, but preview events remain excluded regardless of this setting.
- Microsoft Graph API > auditLog.query: You can use the Graph API to query SharePoint Online audit logs, but preview events are still not included in the response.
Why OneDrive Audit Search Does Not Show File Preview Events
The unified audit log in Microsoft 365 captures a wide range of user and admin activities across Exchange Online, SharePoint Online, OneDrive, Azure Active Directory, and other services. However, Microsoft intentionally excludes certain low-value or high-volume events from the audit log to reduce noise and storage costs. File preview events fall into this category. When a user opens a file in the OneDrive web app or the OneDrive sync client without downloading or editing it, the system does not generate a preview event that appears in the audit log. The technical root cause is that the audit schema for OneDrive and SharePoint Online does not include a FilePreviewed operation. The only way to see preview activity is through client-side telemetry or third-party monitoring tools that capture network requests.
What the Audit Log Actually Records for OneDrive Files
The unified audit log records the following OneDrive events: FileUploaded, FileDownloaded, FileDeleted, FileModified, FileRenamed, FileMoved, FileCopied, FileCheckedIn, FileCheckedOut, FileVersionRestored, and Sharing events such as SharingInvitationCreated and SharingLinkCreated. None of these events indicate that a user merely previewed a file without taking an action. If you search for “Preview” in the Activities list of the audit log search tool, you will see options for Exchange Online mailbox previews and SharePoint Online page previews, but not for OneDrive file previews.
Steps to Verify Audit Log Configuration for OneDrive
Before concluding that preview events are missing, confirm that audit logging is enabled and that your search parameters are correct. Follow these steps.
- Enable audit logging in the Microsoft 365 admin center
Sign in to the Microsoft 365 admin center at admin.microsoft.com. Go to Settings > Org settings > Security & Privacy. Under Audit log, ensure the toggle for Turn on auditing in Microsoft 365 is set to On. This setting must be enabled for any audit events to be captured. - Run an audit log search for known OneDrive events
In the Microsoft 365 Purview compliance portal at compliance.microsoft.com, go to Audit > Audit log search. Set the date range to the last 7 days. In the Activities field, select File and page activities and then choose File downloaded. Enter a user name and a OneDrive site URL in the search fields. Click Search. If results appear, audit logging works for OneDrive. If no results appear, audit logging may be disabled or the user has not performed any logged activities. - Search specifically for preview-related activities
In the same audit log search tool, in the Activities field, type the word “preview” to see available preview activity options. The list will show Previewed item in Exchange mailbox, Previewed page (for SharePoint modern pages), and Previewed document (for SharePoint Online document previews in the browser). There is no option for OneDrive file preview. Select Previewed document and run the search. Any results will be from SharePoint Online, not from OneDrive for Business. - Check the audit log for a specific OneDrive file using PowerShell
Open the Exchange Online PowerShell module. Connect withConnect-ExchangeOnline. Run the following command to search for all file activities for a specific user in the last 24 hours:Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -Operations FileDownloaded,FileUploaded -UserIds user@domain.com. Review the output. No preview events will appear because they are not logged.
If You Need to Track File Preview Activity
Since the unified audit log does not capture OneDrive file preview events, you must use alternative methods to track this activity. The following approaches provide varying levels of detail.
Use Microsoft 365 Usage Analytics and Reports
The Microsoft 365 admin center provides usage reports that show file preview counts at an aggregate level. Go to Reports > Usage > OneDrive > Files. The report shows the number of files viewed or edited, but it does not distinguish between previews and full opens. This data is based on client telemetry, not audit logs.
Enable SharePoint Online Page Preview Events (Not File Preview)
If you need to track previews of SharePoint Online modern pages, you can enable page preview auditing in the SharePoint admin center. Go to SharePoint admin center > Policies > Access control > Page preview. This setting logs when users preview a SharePoint modern page, not a OneDrive file. It does not help with OneDrive file preview tracking.
Use a Third-Party Monitoring Tool
Third-party security and compliance tools such as Varonis, Proofpoint, or Microsoft Sentinel with custom data connectors can capture file preview events by monitoring network traffic or client-side telemetry. These tools can parse the HTTP requests that occur when a user previews a file in the browser. This is the only reliable method to get per-user, per-file preview audit data for OneDrive.
Consider File Access Logs via Microsoft Graph API
The Microsoft Graph API for SharePoint Online provides access to file access logs through the sites/{site-id}/lists/{list-id}/items/{item-id}/activities endpoint. This endpoint returns activities such as view, edit, delete, and move. The view activity includes both previews and full opens in the browser. However, this API only covers SharePoint Online sites, not OneDrive personal sites. For OneDrive, you must use the /users/{user-id}/drive/items/{item-id}/activities endpoint, which also returns view activities. Test this endpoint with a user who has recently previewed a file. The response may include a view activity, but Microsoft does not guarantee that all previews are captured, and the API has throttling limits.
OneDrive Audit Events vs SharePoint Audit Events: What Is Logged
| Item | OneDrive for Business | SharePoint Online |
|---|---|---|
| File upload | Logged as FileUploaded | Logged as FileUploaded |
| File download | Logged as FileDownloaded | Logged as FileDownloaded |
| File preview in browser | Not logged | Not logged for documents; logged for modern pages as PreviewedPage |
| File edit | Logged as FileModified | Logged as FileModified |
| File delete | Logged as FileDeleted | Logged as FileDeleted |
| File share | Logged as SharingInvitationCreated or SharingLinkCreated | Logged as SharingInvitationCreated or SharingLinkCreated |
| File sync | Not logged in unified audit log | Not logged in unified audit log |
You can now confirm that OneDrive audit search does not show file preview events because Microsoft excludes them from the unified audit log. To track preview activity, use the Microsoft Graph API view activity endpoint for OneDrive items or deploy a third-party monitoring tool. An advanced tip: configure Microsoft Sentinel with the Office 365 connector and create a custom analytics rule that parses the view activity from the Graph API to generate alerts when sensitive files are previewed.