How to Review OneDrive Activity in Microsoft Purview in OneDrive for Business

As a OneDrive for Business administrator, you need to track file access, sharing events, and user actions across your tenant. Microsoft Purview provides a unified audit log that captures all OneDrive activity, but finding the right events among thousands of records can be time-consuming. This article explains how to use the Microsoft Purview compliance portal to search, filter, and export OneDrive activity logs. You will learn the exact steps to locate specific file operations, sharing events, and sync activity without leaving the Purview interface.

Key Takeaways: Auditing OneDrive Actions in Microsoft Purview

  • Microsoft Purview compliance portal > Audit > Search: Central location to search all OneDrive file and folder activities across your tenant.
  • Filter by Workload = OneDrive: Narrow audit results to only OneDrive events, excluding SharePoint and Exchange records.
  • Export audit results to CSV: Download search results for offline analysis, reporting, or long-term retention.

What Microsoft Purview Audit Logs Capture for OneDrive

Microsoft Purview Audit (Standard) and Audit (Premium) record every user action performed on files and folders stored in OneDrive for Business. The audit log captures events such as file viewed, file modified, file deleted, file shared externally, link created, link used, and sync activity. Each event includes the user who performed the action, the exact timestamp, the file path, the IP address of the client device, and the detailed operation name.

Before you can search audit logs, verify that auditing is enabled for your Microsoft 365 tenant. Audit logging is turned on by default for all organizations with an eligible license. You need the Audit Log role in Microsoft Purview or the View-Only Audit Logs role to access the audit search page. Users with Exchange Online, SharePoint Online, or OneDrive for Business licenses can be audited. Audit records are retained for 90 days for Audit (Standard) and up to one year for Audit (Premium).

Required Licenses and Permissions

To review OneDrive activity in Microsoft Purview, you must have one of the following Microsoft 365 subscriptions: E3, E5, A3, A5, G3, G5, or Business Premium. The Audit (Premium) features require an E5 or A5 license. You also need the Audit Log role assigned in the Microsoft Purview compliance portal. Global Administrators have this role by default.

Steps to Search OneDrive Activity in Microsoft Purview

These steps show you how to run a targeted audit search for OneDrive events. The process takes about five minutes.

  1. Open the Microsoft Purview compliance portal
    Sign in to https://compliance.microsoft.com with your admin credentials. In the left navigation, select Audit under the Solutions section. The Audit search page opens.
  2. Set the date range
    In the Search tab, click the Date and time range field. Select a start and end date. Audit records are available for up to 90 days for Audit (Standard) or up to one year for Audit (Premium). For a quick test, set the range to the last 24 hours.
  3. Filter by workload
    Click Workload and select OneDrive from the dropdown. This excludes SharePoint, Exchange, Azure AD, and other workloads. You can also leave the default Show results for all workloads if you want a broader view.
  4. Add specific activity filters
    Click Activities to narrow the search. Type a keyword such as FileModified, FileDeleted, Sharing, or Sync. Select one or more activities from the list. For example, choose File modified to see all edits made to files in OneDrive.
  5. Enter a user or file path
    In the Users field, type the email address of the user whose activity you want to review. Leave it blank to see activities for all users. In the File, folder, or site field, you can enter a partial file name or OneDrive URL to filter results to a specific location.
  6. Run the search
    Click Search at the bottom of the page. Purview displays a list of matching audit records. Each row shows the date, user, activity, item, and workload. Click any row to view the full event details in the details pane.
  7. Export the results
    To download the search results as a CSV file, click Export at the top of the results page. Choose Export all results or Export displayed results. The CSV file includes all columns visible in the search results plus additional fields such as ClientIPAddress, CreationTime, Operation, and ObjectId.

Common Mistakes When Reviewing OneDrive Activity

Even with the correct permissions, administrators often miss relevant events or produce incomplete reports. Here are the most frequent mistakes and how to avoid them.

Searching Without a Workload Filter

If you do not select OneDrive as the workload, the audit search returns records from SharePoint, Exchange, and Teams. OneDrive events are mixed with other data, making it harder to isolate file-level actions. Always apply the Workload filter to OneDrive when you need only OneDrive activity.

Using Incorrect Activity Names

The Activities dropdown uses internal operation names such as FileModified, FileDeleted, and SharingInvitationCreated. Typing a generic term like edit or share returns no matches. Use the search box inside the Activities field to find the exact operation name. Alternatively, leave the Activities field blank to see all OneDrive events.

Not Specifying a User or File Path

A search with no user and no file path returns every OneDrive event in the date range. For a tenant with many users, this can produce thousands of records. To reduce noise, always enter at least one user email or a partial file name. You can combine both filters for the most precise results.

Exporting Only Displayed Results

The audit search page shows up to 5000 records per page. If you click Export displayed results, you download only the current page. For a complete export, choose Export all results. This option downloads all matching records up to the retention limit.

Audit (Standard) vs Audit (Premium): Key Differences for OneDrive Activity

| Item | Audit (Standard) | Audit (Premium) |
|---|---|---|
| Retention period | 90 days | 1 year (up to 10 years with add-on) |
| Event types | Core CRUD operations (view, edit, delete, share) | All Standard events plus content search, sync activity, and sharing link usage |
| Bandwidth per record | Basic event details (user, time, operation, file ID) | Full event details including client device, browser, and file version |
| Export format | CSV with standard columns | CSV with extended columns (ClientIPAddress, ClientDevice, etc.) |

After you complete your audit search, you can download the CSV file and open it in Excel for further analysis. Use filters in Excel to group events by user, date, or operation type. For example, you can create a pivot table to show how many files each user modified in the last 30 days.
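
The same per-user pivot can be scripted instead of built in Excel. The Python below is an added example, not part of the original article: it assumes an export with UserId and Operation columns and an AuditData column holding each event as JSON (with Workload and ClientIP or ClientIPAddress fields), and every sample row is constructed.

```python
import csv
import io
import json
from collections import Counter, defaultdict

def build_sample_export():
    """Constructed rows standing in for an exported CSV (not real tenant data)."""
    events = [  # (time, user, operation, workload, client IP, item)
        ("2024-05-01T08:00:00Z", "alice@contoso.example", "FileModified", "OneDrive", "203.0.113.10", "plan.docx"),
        ("2024-05-01T08:05:00Z", "alice@contoso.example", "FileModified", "OneDrive", "203.0.113.10", "budget.xlsx"),
        ("2024-05-01T23:40:00Z", "alice@contoso.example", "FileDeleted", "OneDrive", "198.51.100.7", "old.docx"),
        ("2024-05-02T09:00:00Z", "bob@contoso.example", "FileModified", "OneDrive", "192.0.2.44", "notes.txt"),
        ("2024-05-02T09:10:00Z", "bob@contoso.example", "FileModified", "SharePoint", "192.0.2.44", "wiki.aspx"),
    ]
    buf = io.StringIO()
    out = csv.writer(buf)
    out.writerow(["CreationDate", "UserId", "Operation", "AuditData"])  # assumed column layout
    for when, user, op, workload, ip, item in events:
        detail = {"Workload": workload, "ClientIP": ip, "ObjectId": item}
        out.writerow([when, user, op, json.dumps(detail)])
    # A constructed row whose JSON is cut off, to show malformed rows are counted.
    out.writerow(["2024-05-02T10:00:00Z", "carol@contoso.example", "FileModified", '{"Workload": "OneDr'])
    return buf.getvalue()

def summarize(csv_text, workload="OneDrive"):
    """Per-user operation counts and client IPs for one workload, plus unparsable rows."""
    ops, ips, skipped = defaultdict(Counter), defaultdict(set), 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            event = json.loads(row["AuditData"])
        except (KeyError, TypeError, json.JSONDecodeError):
            skipped += 1  # count it rather than drop it silently
            continue
        if event.get("Workload") != workload:
            continue  # keep SharePoint/Exchange rows out of the OneDrive pivot
        user = row["UserId"]
        ops[user][row["Operation"]] += 1
        ip = event.get("ClientIP") or event.get("ClientIPAddress")
        if ip:
            ips[user].add(ip)
    return ops, ips, skipped

if __name__ == "__main__":
    ops, ips, skipped = summarize(build_sample_export())
    for user in sorted(ops):
        print(user, dict(ops[user]), "client IPs:", sorted(ips[user]))
    print("rows with unparsable AuditData:", skipped)
```

To run it against a real export, pass the file's text to `summarize()` and adjust the column names to match the header row of your CSV.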

To automate recurring audits, save your search query in Purview by clicking the Save button on the Audit search page. You can then run the saved search on demand or schedule it via the Microsoft 365 admin center. This saves time when you need to review OneDrive activity weekly or monthly.

One advanced tip is to use the Audit Log Search Graph API to programmatically retrieve OneDrive audit records. This allows you to integrate audit data into your own reporting dashboards or SIEM tools without manually exporting CSVs each time.