When a user accesses a OneDrive folder that belongs to a Microsoft 365 Group, the permission chain can become difficult to follow. The group itself is the owner of the storage, and individual members inherit access through their group membership. This article explains how to identify which Microsoft 365 Group owns a specific OneDrive site and how to trace exactly how a user gained access through that group.
You will learn to use the Microsoft 365 admin center and SharePoint admin center to find the group behind a OneDrive URL. The steps include checking group membership, reviewing site permissions, and using audit logs to confirm access paths. By the end, you will be able to determine whether a user’s access comes from direct sharing, a group membership, or a nested security group.
Key Takeaways: Tracing OneDrive Access via Microsoft 365 Groups
- Microsoft 365 admin center > Groups > Active groups: Find the group that owns a specific OneDrive site by matching the site URL to the group’s SharePoint site.
- SharePoint admin center > Active sites > Group-connected site settings: View the Microsoft 365 Group that is connected to a site and manage its permissions.
- Microsoft 365 admin center > Audit log > Search: Use the audit log to see when a user accessed a OneDrive file and which group membership granted the permission.
Understanding OneDrive Storage for Microsoft 365 Groups
Every Microsoft 365 Group, including Teams, Outlook groups, and SharePoint team sites, has a dedicated SharePoint site. That site includes a default document library that appears as a OneDrive location for the group. When users access this library through Teams, SharePoint, or the OneDrive sync client, they are actually accessing a group-owned SharePoint site.
The group itself is a security principal in Azure Active Directory. Membership in the group can be direct, inherited from another group, or dynamic based on user attributes. When you share a OneDrive folder with a Microsoft 365 Group, all current and future members of that group gain access. This indirect permission model makes tracing access more complex than direct user sharing.
To trace access, you need to identify three pieces of information: the group that owns the OneDrive site, the user’s membership in that group, and the specific permission level they have on the files. The following sections explain how to find each piece using the admin portals.
Finding the Microsoft 365 Group Behind a OneDrive Site
The first step is to determine which Microsoft 365 Group owns the OneDrive site you are investigating. Every group-connected SharePoint site has a URL that includes the group’s name or a unique identifier. You can locate this information in the SharePoint admin center.
- Open the SharePoint admin center
  Sign in to the Microsoft 365 admin center at admin.microsoft.com. In the left navigation, expand Admin centers and select SharePoint. This opens the SharePoint admin center.
- Navigate to Active sites
  In the SharePoint admin center, select Active sites from the left menu. This shows a list of all SharePoint sites in your tenant, including group-connected sites.
- Find the site by URL
  In the search box at the top of the site list, paste or type part of the OneDrive URL you are investigating. For example, if the OneDrive URL is https://contoso.sharepoint.com/sites/MarketingTeam, search for MarketingTeam. The site appears in the results.
- Check the Group column
  In the site list, locate the Group column. If the site is connected to a Microsoft 365 Group, this column shows the group’s name. Click the group name to open the group details in the Microsoft 365 admin center.
If the Group column is not visible, click Columns at the top of the list and select Group to add it. Once you have the group name, you can proceed to check the user’s membership.
Checking User Membership in the Microsoft 365 Group
After identifying the group, verify whether the user is a member. Group membership determines whether the user has inherited access to the OneDrive site.
- Open the Microsoft 365 admin center
  Go to admin.microsoft.com and select Groups from the left navigation, then choose Active groups.
- Search for the group
  In the search box, type the group name you found in the previous section. Click the group name to open its details pane.
- View members
  In the group details pane, select the Members tab. This shows a list of all direct members and owners. If the user appears here, they have direct membership.
- Check for nested groups
  If the user is not in the direct member list, they may belong to a nested group. Click View all and manage members to see the full member list. Look for other groups listed as members. You may need to check each nested group’s membership to find the user.
Dynamic groups do not show individual members in the admin center. For dynamic groups, use Azure Active Directory to review the membership query and confirm whether the user meets the criteria.
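The nested-group check above can also be scripted. The following is an added example, not part of the original article: it assumes the Microsoft Graph PowerShell SDK is installed, `Find-MembershipPath` is a hypothetical helper name, and the group name and user address are placeholders.

```powershell
# Added example: walk nested groups and report the chain that leads to a user.
# Assumes the Microsoft.Graph module; group and user names are placeholders.
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All'

function Find-MembershipPath {
    param(
        [string]$GroupId,        # group to start from
        [string]$UserId,         # object ID of the user being traced
        [string[]]$Path = @(),   # display names of the groups walked so far
        [System.Collections.Generic.HashSet[string]]$Seen
    )
    if ($null -eq $Seen) { $Seen = [System.Collections.Generic.HashSet[string]]::new() }
    # Each group is expanded once, so circular nesting cannot loop forever.
    # A group reachable by two routes is reported for the first route only.
    if (-not $Seen.Add($GroupId)) { return }

    $current = Get-MgGroup -GroupId $GroupId
    $Path    = $Path + $current.DisplayName

    foreach ($member in Get-MgGroupMember -GroupId $GroupId -All) {
        if ($member.Id -eq $UserId) {
            [pscustomobject]@{
                Direct = ($Path.Count -eq 1)   # true when no nesting is involved
                Path   = $Path -join ' > '
            }
        }
        elseif ($member.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group') {
            Find-MembershipPath -GroupId $member.Id -UserId $UserId -Path $Path -Seen $Seen
        }
    }
}

$group = Get-MgGroup -Filter "displayName eq 'Marketing Team'"   # placeholder name
$user  = Get-MgUser -UserId 'user@contoso.com'                   # placeholder user
Find-MembershipPath -GroupId $group.Id -UserId $user.Id
```

An empty result means the user is not a member by any route the script can see, which points back to direct sharing or a sharing link as the source of access.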
Using Audit Logs to Confirm Access Events
Audit logs provide a record of when a user accessed a OneDrive file and the permission context at that time. This is the most reliable way to trace the access path.
- Open the Microsoft 365 admin center
  Go to admin.microsoft.com and select Compliance from the left navigation. This opens the Microsoft Purview compliance portal.
- Navigate to Audit
  In the compliance portal, select Audit under the Solutions section. If you are prompted to enable audit logging, do so.
- Search for file access events
  Under the Search tab, set the date range to cover the suspected access time. In the Activities field, select File and page activities and choose Accessed file. In the User field, enter the user’s email address. Click Search.
- Review the audit results
  The search results show each file access event. Click an event to open the details pane. Look for the Membership or Permission field. This field indicates whether the access was granted through a direct share, a link, or a group membership. If it says Group, the access came from the Microsoft 365 Group.
Audit log retention depends on your licensing. E5 subscribers have 365 days of retention. E3 subscribers have 90 days. For older events, you may need to use the unified audit log export or a third-party tool.
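The same search can be run from Exchange Online PowerShell, which makes it easier to filter to one site and summarize the results. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module and an account allowed to search the audit log, and the user address and date range are placeholders.

```powershell
# Added example: page through FileAccessed audit records for one user and keep
# only the events on one group-connected site. Values below are placeholders.
Connect-ExchangeOnline

$siteUrl = 'https://contoso.sharepoint.com/sites/MarketingTeam'
$user    = 'user@contoso.com'
$start   = (Get-Date).AddDays(-30)
$end     = Get-Date

# With a fixed SessionId, ReturnLargeSet hands back the next page on each call.
$sessionId = [guid]::NewGuid().ToString()
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $user `
        -Operations FileAccessed -SessionId $sessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

# AuditData is a JSON string; compare site URLs without the trailing slash.
$events = $records |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { "$($_.SiteUrl)".TrimEnd('/') -eq $siteUrl.TrimEnd('/') } |
    Sort-Object CreationTime

# One row per access event
$events | Format-Table CreationTime, UserId, SourceFileName, ClientIP

# Per-file summary: number of accesses with first and last timestamp
$events | Group-Object ObjectId | ForEach-Object {
    [pscustomobject]@{
        File  = $_.Name
        Count = $_.Count
        First = $_.Group[0].CreationTime
        Last  = $_.Group[-1].CreationTime
    }
} | Format-Table -AutoSize
```

Comparing the first access time per file with the date the user was added to the group helps confirm whether group membership was the path in use at that time.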
Common Issues When Tracing OneDrive Access
The user is not listed as a direct member but still has access
This typically happens when the user belongs to a nested security group that is itself a member of the Microsoft 365 Group. Check the group’s member list for other groups. You can also use Azure AD to expand group membership. In the Azure AD admin center, navigate to Groups, select the group, and use Members to see all nested members.
The audit log shows access but no group name
Some audit events do not capture the specific group that granted access. In this case, use the SharePoint site permissions report. In the SharePoint admin center, open the site and select Settings > Site permissions. Review the permission levels for each group. The permission inheritance chain is visible in the Permission levels column.
The OneDrive URL does not match any active site
This can occur if the site was deleted or if the URL is from a personal OneDrive library. Personal OneDrive sites are not owned by Microsoft 365 Groups. Personal OneDrive URLs contain /personal/ in the path. Group-owned OneDrive URLs contain /sites/. Verify the URL format before proceeding.
Direct User Access vs Group-Based Access: Key Differences
| Item | Direct User Access | Group-Based Access |
|---|---|---|
| Permission source | Explicit sharing with a specific user | Inherited through Microsoft 365 Group membership |
| Management location | OneDrive sharing settings | Microsoft 365 admin center or Azure AD group settings |
| User visibility in audit | Audit log shows the user directly | Audit log may show the group name or membership as the context |
| Revocation method | Remove the user from the share | Remove the user from the group or change group permissions |
| Impact of group change | No impact on other users | All group members lose or gain access simultaneously |
Understanding these differences helps you decide which method to use when granting or revoking access. Group-based access is easier to manage for large teams but requires careful monitoring of membership changes.
Now you can trace OneDrive access through Microsoft 365 Groups by identifying the group owner, checking membership, and using audit logs to confirm access events. Start by verifying the OneDrive site’s group connection in the SharePoint admin center. For ongoing monitoring, set up group membership reports in Azure AD to catch changes that affect file access. Advanced tip: Use the Get-SPOSiteGroup PowerShell command to retrieve all group permissions for a site in bulk, which is faster than checking each user manually in the admin center.
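A bulk permissions dump built on the Get-SPOSiteGroup command mentioned above might look like the following. This is an added example, not part of the original article; it assumes the SharePoint Online Management Shell module, and the admin URL and output file name are placeholders.

```powershell
# Added example: list every SharePoint group on a site with its roles and members.
# Assumes the Microsoft.Online.SharePoint.PowerShell module.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder admin URL

$siteUrl = 'https://contoso.sharepoint.com/sites/MarketingTeam'

# GroupId is the object ID of the connected Microsoft 365 Group.
# An all-zero GUID means the site is not group-connected.
Get-SPOSite -Identity $siteUrl | Format-List Url, Title, GroupId

# Flatten to one row per (site group, member) so the output can be filtered or diffed.
$rows = Get-SPOSiteGroup -Site $siteUrl | ForEach-Object {
    $siteGroup = $_
    foreach ($login in $siteGroup.Users) {
        [pscustomobject]@{
            SiteGroup = $siteGroup.Title
            Roles     = $siteGroup.Roles -join ', '
            Member    = $login
        }
    }
}

$rows | Sort-Object SiteGroup, Member | Format-Table -AutoSize

# Keep a dated copy so later membership changes can be compared against it.
$rows | Export-Csv -Path "site-groups-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```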