
Tracking Anonymous Access to SharePoint and OneDrive Documents

Understanding Office 365 Sharing

Over the last few months, I’ve looked at various aspects of how guest users gain access to resources within Office 365 tenants and the information tenant administrators can use to track that access. We’ve considered the mechanics of SharePoint Online sharing, how to report Office 365 Groups and Teams with guests in their membership, and how to use the Office 365 audit log to discover the documents accessed by guests. In my last article in this area, I reviewed how to find out who creates guest accounts, including when a guest account is created because someone shares a document in a SharePoint Online or OneDrive for Business site.

Sharing via Cloudy Attachments

Hopefully the articles have helped throw some light on how to manage guest access to resources. To complete the picture, I want to look at the links created by Outlook when users add a “cloudy attachment” to email. These attachments are links to SharePoint Online or OneDrive for Business documents, with the idea being that it is better for recipients to access the document in situ than to work on a private copy.

Cloudy attachments work very well. However, the link sent to recipients allows anonymous access to the document. In other words, anyone with the link can access the document. This isn’t a huge deal even if the message is forwarded because it replicates how regular attachments work. This situation is due to change when Outlook adopts the standard sharing link control for Office 365, but it’s what happens today.

Tenant administrators can track access to other shared documents. What I wanted to find out is how to discover the documents being shared via email and the actions taken against those documents.

Finding Anonymous Access Audit Events

Once again, the combination of the Office 365 audit log and PowerShell gave the answer. The solution came in two parts: first, find out when anonymous links are used. Next, find out what happens to the document afterwards. For instance, did the recipient modify or download the document?

The first part is solved by searching the audit log for AnonymousLinkUsed operations. Office 365 captures these records when a recipient opens a document using an anonymous link, whether the link was sent as a cloudy attachment or generated as an “Anyone with the link can view” or “Anyone with the link can edit” share from SharePoint Online or OneDrive for Business.

Because we’re dealing with anonymous access, details of the user who uses the link are not logged, but their IP address is. We can therefore use that IP address to track subsequent actions by searching the audit log again for operations like FileDownloaded that took place within seven days of the link being used. Seven days is an arbitrary period chosen by me on the basis that if something doesn’t happen within that time, it’s probably not interesting.

Finding Actions by IP Address

After finding the second set of records, we filter them to look for records associated with anonymous access based on the SharePoint identifier assigned to the anonymous access. This is a value like urn:spo:anon#f93ba91b9fcff445a167b15625c3fd3fbfd98fc46e669ea1f676f1e366e77794 generated by SharePoint to identify the anonymous access through the link.

Outputting for Further Analysis

Once we’ve done our filtering, slicing, and dicing, we can output the data in something that makes further analysis easy. My go-to format is to export the data to CSV and use Excel or Power BI, but you can also browse the information in a grid by piping it to the Out-GridView cmdlet (Figure 1).

Figure 1: Anonymous access to SharePoint and OneDrive documents (image credit: Tony Redmond)
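
The two-part search, the filter on the anonymous identifier, and the output step described above can be sketched as follows. This is an added example, not the author's script; the 30-day look-back, the list of follow-up operations, the report property names, and the output file name are assumptions.

```powershell
# Added example (not the author's script). Assumes a connected Exchange Online
# session (Connect-ExchangeOnline) with rights to run Search-UnifiedAuditLog.
$StartDate  = (Get-Date).AddDays(-30)   # assumed look-back period
$EndDate    = Get-Date
$WindowDays = 7                         # follow-up window described in the article
$FollowOps  = 'FileAccessed', 'FilePreviewed', 'FileModified', 'FileDownloaded'  # assumed list

# Part 1: find each use of an anonymous link.
$LinkEvents = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
    -Operations AnonymousLinkUsed -ResultSize 1000

$Seen   = [System.Collections.Generic.HashSet[string]]::new()
$Report = foreach ($LinkEvent in $LinkEvents) {
    $LinkData = $LinkEvent.AuditData | ConvertFrom-Json
    if (-not $LinkData.ClientIP) { continue }   # no IP address to pivot on

    # Part 2: actions from the same IP address within the follow-up window.
    $Actions = Search-UnifiedAuditLog -StartDate $LinkEvent.CreationDate `
        -EndDate $LinkEvent.CreationDate.AddDays($WindowDays) `
        -IPAddresses $LinkData.ClientIP -Operations $FollowOps -ResultSize 1000

    foreach ($Action in $Actions) {
        # Keep only records made under a SharePoint anonymous identifier, and
        # skip records already reported for an earlier link use from the same IP.
        if ($Action.UserIds -notlike 'urn:spo:anon#*') { continue }
        if (-not $Seen.Add($Action.Identity)) { continue }

        $Data = $Action.AuditData | ConvertFrom-Json
        [PSCustomObject]@{
            TimeUtc     = $Action.CreationDate
            Operation   = $Action.Operations
            Document    = $Data.ObjectId
            ClientIP    = $Data.ClientIP
            AnonymousId = $Action.UserIds
            LinkUsedUtc = $LinkEvent.CreationDate
        }
    }
}

# Output for further analysis: CSV for Excel or Power BI, plus a grid view.
$Report = $Report | Sort-Object TimeUtc
$Report | Export-Csv -Path .\AnonymousAccess.csv -NoTypeInformation -Encoding UTF8
$Report | Out-GridView -Title 'Anonymous access to SharePoint and OneDrive documents'
```

Each search here returns at most 1000 records; a tenant with more matching events needs paged searches using the -SessionId and -SessionCommand parameters of Search-UnifiedAuditLog.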

The Script

Here’s the PowerShell script to generate the data for analysis. You need to connect to Exchange Online to use the Search-UnifiedAuditLog cmdlet.

As usual, I don’t guarantee the code. All I can say is that it works for me.

Sharing is Caring

It’s great to be able to share so easily in so many ways with so many people outside your Office 365 tenant. It’s even better when you know how that sharing happens.




One response to “Tracking Anonymous Access to SharePoint and OneDrive Documents”

  1. Hi, my officeprotect already sent me an alert in the urn:spo:anon format, from there do I need the script? not so used to go there!


Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.
