{
	"id": "491b70e1-a1f7-41f9-af23-506f5da88753",
	"created_at": "2026-04-06T00:07:06.8948Z",
	"updated_at": "2026-04-10T13:11:34.28615Z",
	"deleted_at": null,
	"sha1_hash": "9af278b5ec422a8008f2e1309ad26f58940a2902",
	"title": "Use sharing auditing in the audit log",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65711,
	"plain_text": "Use sharing auditing in the audit log\r\nBy robmazz\r\nArchived: 2026-04-02 11:52:16 UTC\r\nSharing is a key activity in SharePoint Online and OneDrive for Business, and organizations widely use it.\r\nAdministrators can use sharing auditing in the audit log to determine how sharing is used in their organization.\r\nSharing events (not including events related to sharing policy and sharing links) differ from file- and folder-related\r\nevents in one primary way: one user performs an action that affects another user. For example, when a resource\r\nUser A gives User B access to a file. In this example, User A is the acting user and User B is the target user. In the\r\nSharePoint File schema, the acting user's action only affects the file itself. When User A opens a file, the only\r\ninformation needed in the FileAccessed event is the acting user. To address this difference, there's a separate\r\nschema, called the SharePoint Sharing schema that captures more information about sharing events. This schema\r\nensures that administrators have visibility into who shared a resource and the user the resource was shared with.\r\nThe Sharing schema provides two additional fields in an audit record related to sharing events:\r\nTargetUserOrGroupType: Identifies whether the target user or group is a Member, Guest,\r\nSharePointGroup, SecurityGroup, or Partner.\r\nTargetUserOrGroupName: Stores the UPN or name of the target user or group that a resource was shared\r\nwith (User B in the previous example).\r\nThese two fields, in addition to other properties from the audit log schema such as User, Operation, and Date tell\r\nthe full story about which user shared what resource with whom and when.\r\nAnother schema property is important to the sharing story. When you export audit log search results, the\r\nAuditData column in the exported CSV file stores information about sharing events. For example, when a user\r\nshares a site with another user, this action adds the target user to a SharePoint group. The AuditData column\r\ncaptures this information to provide context for administrators. See Step 2 for instructions on how to parse the\r\ninformation in the AuditData column.\r\nSharing occurs when a user (the acting user) shares a resource with another user (the target user). Audit records\r\nrelated to sharing a resource with an external user (a user who is outside of your organization and doesn't have a\r\nguest account in your organization's Microsoft Entra ID) are identified by the following events, which the audit\r\nlog records:\r\nSharingInvitationCreated: A user in your organization tries to share a resource (likely a site) with an\r\nexternal user. This event results in an external sharing invitation sent to the target user. The invitation\r\ngrants no access to the resource at this point.\r\nhttps://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events\r\nPage 1 of 4\n\nSharingInvitationAccepted: The external user accepts the sharing invitation sent by the acting user and\r\nnow has access to the resource.\r\nAnonymousLinkCreated: An anonymous link (also called an \"Anyone\" link) is created for a resource.\r\nBecause an anonymous link can be created and then copied, it's reasonable to assume that any document\r\nthat has an anonymous link is shared with a target user.\r\nAnonymousLinkUsed: This event is logged when an anonymous link is used to access a resource.\r\nSecureLinkCreated: A user creates a \"specific people link\" to share a resource with a specific person. This\r\ntarget user might be someone who is external to your organization. The person that the resource is shared\r\nwith is identified in the audit record for the AddedToSecureLink event. The time stamps for these two\r\nevents are nearly identical.\r\nAddedToSecureLink: A user is added to a specific people link. Use the TargetUserOrGroupName field\r\nin this event to identify the user added to the corresponding specific people link. This target user might be\r\nsomeone who is external to your organization.\r\nSharing auditing work flow\r\nWhen a user (the acting user) wants to share a resource with another user (the target user), SharePoint (or\r\nOneDrive for Business) first checks if the email address of the target user is already associated with a user account\r\nin the organization's directory. If the target user is in the directory (and has a corresponding guest user account),\r\nSharePoint takes the following actions:\r\nImmediately assigns the target user permissions to access the resource by adding the target user to the\r\nappropriate SharePoint group, and logs an AddedToGroup event.\r\nSends a sharing notification to the email address of the target user.\r\nLogs a SharingSet event. This event has a friendly name of \"Shared file, folder, or site\" under Sharing\r\nand access request activities in the activities picker of the audit log search tool. See the screenshot in Step\r\n1.\r\nIf a user account for the target user isn't in the directory, SharePoint takes the following actions:\r\nLogs one of the following events, based on how the resource is shared:\r\nAnonymousLinkCreated\r\nSecureLinkCreated\r\nAddedToSecureLink\r\nSharingInvitationCreated (this event is logged only when the shared resource is a site)\r\nWhen the target user accepts the sharing invitation (by clicking the link in the invitation), SharePoint logs a\r\nSharingInvitationAccepted event and assigns the target user permissions to access the resource. If the\r\ntarget user is sent an anonymous link, the AnonymousLinkUsed event is logged after the target user uses\r\nthe link to access the resource. For secure links, a FileAccessed event is logged when an external user uses\r\nthe link to access the resource.\r\nAdditional information about the target user is also logged, such as the identity of the user the invitation is to and\r\nthe user who accepts the invitation. In some cases, these users (or email addresses) can be different.\r\nhttps://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events\r\nPage 2 of 4\n\nA common requirement for administrators is creating a list of all resources that administrators shared with users\r\noutside of the organization. By using sharing auditing in Office 365, administrators can generate this list. Here's\r\nhow.\r\nStep 1: Search for sharing events and export the results to a CSV file\r\nSearch the audit log for sharing events. For more information (including the required permissions) about searching\r\nthe audit log, see Search the audit log.\r\nComplete the following steps to search for sharing events:\r\n1. Sign in to the Microsoft Purview portal.\r\n2. Select the Audit solution card. If the Audit solution card isn't displayed, select View all solutions and then\r\nselect Audit from the Core section.\r\n3. On the Search page and under Activities - friendly names, select Sharing and access request activities\r\nto search for sharing-related events.\r\n4. Select a date and time range to find the sharing events that occurred within that period.\r\n5. Select Search to run the search.\r\n6. When the search finishes and displays the results, select Export results \u003e Download all results.\r\nAfter you select the export option, a message at the bottom of the window prompts you to open or save the\r\nCSV file.\r\n7. Select Save \u003e Save as and save the CSV file to a folder on your local computer.\r\nStep 2: Use the PowerQuery Editor to format the exported audit log\r\nUse the JSON transform feature in the Power Query Editor in Excel to split each property in the AuditData\r\ncolumn (which consists of a multi-property JSON object) into its own column. This feature lets you filter columns\r\nto view records related to sharing.\r\nFor step-by-step instructions, see \"Step 2: Format the exported audit log using the Power Query Editor\" in Export,\r\nconfigure, and view audit log records.\r\nStep 3: Filter the CSV file for resources shared with external users\r\nIn this step, you filter the CSV file for the different sharing-related events that the SharePoint sharing events\r\nsection describes. Alternatively, you can filter the TargetUserOrGroupType column to display all records where\r\nthe value of this property is Guest.\r\nAfter you follow the instructions in the previous step to prepare the CSV file by using the PowerQuery editor,\r\ncomplete the following steps:\r\nhttps://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events\r\nPage 3 of 4\n\n1. Open the Excel file that you created in Step 2.\r\n2. On the Home tab, select Sort \u0026 Filter, then select Filter.\r\n3. In the Sort \u0026 Filter dropdown list on the Operations column, clear all selections, then select one or more\r\nof the following sharing-related events and select Ok.\r\nSharingInvitationCreated\r\nAnonymousLinkCreated\r\nSecureLinkCreated\r\nAddedToSecureLink\r\nExcel displays the rows for the events you selected.\r\n4. Go to the column named TargetUserOrGroupType and select it.\r\n5. In the Sort \u0026 Filter dropdown list, clear all selections, then select TargetUserOrGroupType:Guest, and\r\nselect Ok.\r\nNow Excel displays the rows for sharing events and where the target user is outside of your organization,\r\nbecause external users are identified by the value TargetUserOrGroupType:Guest.\r\nTip\r\nFor the audit records that are displayed, the ObjectId column identifies the resource that you shared with the\r\ntarget user. For example, ObjectId:https:\\/\\/contoso-my.sharepoint.com\\/personal\\/sarad_contoso_com\\/Documents\\/Southwater Proposal.docx .\r\nSource: https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events\r\nhttps://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events"
	],
	"report_names": [
		"use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events"
	],
	"threat_actors": [],
	"ts_created_at": 1775434026,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9af278b5ec422a8008f2e1309ad26f58940a2902.pdf",
		"text": "https://archive.orkl.eu/9af278b5ec422a8008f2e1309ad26f58940a2902.txt",
		"img": "https://archive.orkl.eu/9af278b5ec422a8008f2e1309ad26f58940a2902.jpg"
	}
}