When you are preparing for a security review or audit, you may need to check OneDrive for Business storage quotas without changing any settings. Changing a quota during a review can alter the baseline data that auditors expect to see, potentially causing compliance red flags. This article explains why storage quotas must remain unchanged during security reviews and how to verify current quotas without modifying them. You will learn the specific steps to read quota information using the Microsoft 365 admin center, PowerShell, and the SharePoint Online Management Shell.
Key Takeaways: Quota Freezing for Security Audits
- Microsoft 365 admin center > Active users > OneDrive tab: Displays current storage used and quota without allowing edits during a read-only session.
- SharePoint Online Management Shell cmdlet Get-SPOSite -Identity: Returns exact quota values for a user’s OneDrive without modifying any settings.
- Microsoft Graph API endpoint /users/{id}/drive: Provides quota data programmatically for bulk checks without changing configuration.
Why Storage Quotas Must Not Be Updated During Security Reviews
Security reviews and compliance audits rely on a fixed point-in-time snapshot of your environment. If you change a storage quota during the review period, you alter the data that the auditor has already collected or is in the process of verifying. This mismatch can cause the audit to fail because the evidence no longer matches the documented configuration. Additionally, many organizations have governance policies that require all quota changes to go through a change management process. Updating a quota without approval during a review violates that policy. The technical root cause is that OneDrive quotas are stored as properties on the site collection in SharePoint Online. Any modification triggers a change log entry, which an auditor can detect using the audit log in the Microsoft 365 compliance center.
Steps to Verify OneDrive Storage Quotas Without Making Changes
Follow these methods to read current quota information. Do not use any option that allows you to edit the quota value.
Method 1: Using the Microsoft 365 Admin Center (Read-Only)
- Sign in to the Microsoft 365 admin center
Go to https://admin.microsoft.com and sign in with an account that has at least the SharePoint Administrator role. - Navigate to Active users
In the left navigation, select Users and then Active users. - Select a user
Click the user whose OneDrive quota you need to verify. A detail panel opens on the right side. - Open the OneDrive tab
In the detail panel, select the OneDrive tab. The Storage used and Storage limit fields display the current values. Do not click any edit link or button in this panel.
Method 2: Using SharePoint Online Management Shell (Read-Only)
- Install the SharePoint Online Management Shell
If not already installed, open Windows PowerShell as an administrator and runInstall-Module -Name Microsoft.Online.SharePoint.PowerShell. - Connect to SharePoint Online
RunConnect-SPOService -Url https://yourtenant-admin.sharepoint.comand sign in with a SharePoint Administrator account. - Get the OneDrive site URL for the user
RunGet-SPOSite -IncludePersonalSite $true -Limit all | Where-Object {$_.Owner -eq "user@yourtenant.com"} | Select-Object Url. Replace the email address with the target user. - Read the quota without modifying it
RunGet-SPOSite -Identity "https://yourtenant-my.sharepoint.com/personal/user_domain_com" | Select-Object StorageQuota, StorageUsageCurrent. TheStorageQuotavalue is in megabytes. Do not use any cmdlet that starts withSet-SPOSite.
Method 3: Using Microsoft Graph API (Read-Only)
- Get an access token
Use a tool like Microsoft Graph Explorer or a custom application to obtain a token with theFiles.Read.Allpermission. - Call the drive endpoint
Send a GET request tohttps://graph.microsoft.com/v1.0/users/{user-id}/drive. Replace{user-id}with the user’s object ID or user principal name. - Parse the quota object
The response includes aquotaobject withtotalandusedvalues in bytes. This endpoint is read-only and does not change any settings.
Common Mistakes That Change Quotas During Reviews
Accidentally clicking Edit in the admin center
The admin center’s OneDrive tab includes an Edit button next to the storage limit field. Clicking this button and then saving, even with the same value, creates an audit log entry. To avoid this, do not click the Edit button. If you need to document the quota, copy the displayed values manually or take a screenshot.
Using Set-SPOSite to read quota
Some administrators mistakenly run Set-SPOSite -Identity thinking it only shows the value. The Set-SPOSite cmdlet always writes changes. Always use Get-SPOSite for read-only operations.
Running bulk PowerShell scripts that include Set cmdlets
A script that collects quota data but also includes a Set-SPOSite command as part of a previous template can accidentally update quotas. Always review your script to remove any write cmdlets before running it during a security review.
Read-Only vs Read-Write Quota Access Methods
| Item | Read-Only Methods | Read-Write Methods |
|---|---|---|
| Admin center OneDrive tab | View fields only, do not click Edit | Click Edit and Save changes |
| SharePoint Online Management Shell | Get-SPOSite with Select-Object | Set-SPOSite with -StorageQuota |
| Microsoft Graph API | GET /users/{id}/drive | PATCH /users/{id}/drive (requires write permission) |
| Microsoft 365 compliance audit log | Search for Set-SPOSite events | N/A (log is read-only) |
During a security review, use only the read-only methods listed in the table. If you need to change a quota after the review, submit a change request through your organization’s standard process and wait for approval before making the update.