
    Tracking Anonymous Access to SharePoint and OneDrive Documents

    Posted on by Tony Redmond in Exchange Online, Office, Office 365, and SharePoint Online

    Understanding Office 365 Sharing

    Over the last few months, I’ve looked at various aspects of how guest users gain access to resources within Office 365 tenants and the information tenant administrators can use to track that access. We’ve considered the mechanics of SharePoint Online sharing, how to report Office 365 Groups and Teams with guests in their membership, and how to use the Office 365 audit log to discover the documents accessed by guests. In my last article in this area, I reviewed how to find out who creates guest accounts, including when a guest account is created because someone shares a document in a SharePoint Online or OneDrive for Business site.

    Sharing via Cloudy Attachments

    Hopefully the articles have helped throw some light on how to manage guest access to resources. To complete the picture, I want to look at the links created by Outlook when users add a “cloudy attachment” to email. These attachments are links to SharePoint Online or OneDrive for Business documents, the idea being that it is better for recipients to access the single copy of the document in situ than to receive a private copy of their own.

    Cloudy attachments work very well. However, the link sent to recipients allows anonymous access to the document. In other words, anyone with the link can access the document. This isn’t a huge deal even if the message is forwarded because it replicates how regular attachments work. This situation is due to change when Outlook adopts the standard sharing link control for Office 365, but it’s what happens today.

    Tenant administrators can track access to other shared documents. What I wanted to find out is how to discover the documents being shared via email and the actions taken against those documents.

    Finding Anonymous Access Audit Events

    Once again, the combination of the Office 365 audit log and PowerShell gave the answer. The solution came in two parts: first, find out when anonymous links are used. Next, find out what happens to the document afterwards. For instance, did the recipient modify or download the document?

    The first part is solved by searching the audit log for AnonymousLinkUsed operations. Office 365 captures these records when a recipient opens a document using an anonymous link, whether the link was sent as a cloudy attachment or when someone generates an “Anyone with the link can view” or “Anyone with the link can edit” share from SharePoint Online or OneDrive for Business.

    Because we’re dealing with anonymous access, details of the user who uses the link are not logged, but their IP address is. We can therefore use that IP address to track subsequent actions by searching the audit log again for operations like FileDownloaded that took place within seven days of the link being used. Seven days is an arbitrary period chosen by me on the basis that if something doesn’t happen within that time, it’s probably not interesting.

    Finding Actions by IP Address

    After finding the second set of records, we filter them down to the records that carry the identifier SharePoint assigns to the anonymous session. This is a value like urn:spo:anon#f93ba91b9fcff445a167b15625c3fd3fbfd98fc46e669ea1f676f1e366e77794, generated by SharePoint to identify access that arrives through the link rather than through a signed-in account.

    Outputting for Further Analysis

    Once we’ve done our filtering, slicing, and dicing, we can output the data in something that makes further analysis easy. My go-to format is to export the data to CSV and use Excel or Power BI, but you can also browse the information in a grid by piping it to the Out-GridView cmdlet (Figure 1).

    Figure 1: Anonymous access to SharePoint and OneDrive documents (image credit: Tony Redmond)

    The Script

    Here’s the PowerShell script to generate the data for analysis. You need to connect to Exchange Online to use the Search-UnifiedAuditLog cmdlet.


    As usual, I don’t guarantee the code. All I can say is that it works for me.
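    The author’s script is not reproduced on this page. As an added example of the procedure described above (written for this edit, not taken from the article), here is a PowerShell reconstruction of the same three steps: find AnonymousLinkUsed events, search again by client IP for file operations within seven days, keep only the records whose identity starts with urn:spo:anon#, and export the result to CSV and Out-GridView. It assumes an Exchange Online PowerShell session that exposes Search-UnifiedAuditLog. The property names read out of AuditData (ClientIP, UserId, ObjectId, SourceFileName, SiteUrl, UserAgent), the follow-up operation names (FileAccessed, FileDownloaded, FileModified, FilePreviewed), the 90-day look-back and the CSV path are assumptions made here and should be checked against your tenant’s audit records.

```powershell
# Added example: a reconstruction of the procedure in the article, not the
# author's script. Requires an Exchange Online session with Search-UnifiedAuditLog.
# AuditData property names and follow-up operation names below are assumptions.

$StartDate    = (Get-Date).AddDays(-90)             # assumed look-back for link use
$EndDate      = Get-Date
$FollowUpDays = 7                                   # arbitrary window, as in the article
$CsvPath      = "$env:TEMP\AnonymousAccess.csv"     # assumed output location

# Pull every matching record by paging through a ReturnLargeSet session
# (Search-UnifiedAuditLog returns at most 5000 records per call).
function Get-AllAuditRecords {
    param(
        [datetime]$Start,
        [datetime]$End,
        [string[]]$Operations,
        [string[]]$IPAddresses
    )
    $SessionId = [guid]::NewGuid().ToString()
    $Results   = @()
    do {
        $Params = @{
            StartDate      = $Start
            EndDate        = $End
            ResultSize     = 5000
            SessionId      = $SessionId
            SessionCommand = 'ReturnLargeSet'
        }
        if ($Operations)  { $Params['Operations']  = $Operations }
        if ($IPAddresses) { $Params['IPAddresses'] = $IPAddresses }
        $Batch    = @(Search-UnifiedAuditLog @Params)
        $Results += $Batch
    } while ($Batch.Count -gt 0)                    # an exhausted session returns nothing
    return $Results
}

# Step 1: every time an anonymous link was redeemed. The user is not logged,
# but the client IP address is.
$LinkUses = foreach ($Rec in (Get-AllAuditRecords -Start $StartDate -End $EndDate -Operations 'AnonymousLinkUsed')) {
    $Data = $Rec.AuditData | ConvertFrom-Json
    [PSCustomObject]@{
        LinkUsed = $Rec.CreationDate
        ClientIP = $Data.ClientIP
        Document = $Data.SourceFileName
        ObjectId = $Data.ObjectId
        SiteUrl  = $Data.SiteUrl
    }
}

# Step 2: for each client IP, fetch follow-up file operations inside the window
# and keep only those performed under the anonymous identity (urn:spo:anon#...).
$FollowUpOps = 'FileAccessed', 'FileDownloaded', 'FileModified', 'FilePreviewed'
$Report = foreach ($Group in ($LinkUses | Group-Object ClientIP)) {
    $Uses  = @($Group.Group | Sort-Object LinkUsed)
    $First = $Uses[0].LinkUsed
    $Last  = $Uses[-1].LinkUsed.AddDays($FollowUpDays)
    $Actions = Get-AllAuditRecords -Start $First -End $Last -Operations $FollowUpOps -IPAddresses $Group.Name
    foreach ($Act in $Actions) {
        $Data = $Act.AuditData | ConvertFrom-Json
        if ($Data.UserId -notlike 'urn:spo:anon#*') { continue }     # signed-in users from the same IP are not of interest
        # Tie the action to the most recent link use from this IP that precedes it
        # and still falls inside the follow-up window.
        $Origin = $Uses |
            Where-Object { $_.LinkUsed -le $Act.CreationDate -and
                           $Act.CreationDate -le $_.LinkUsed.AddDays($FollowUpDays) } |
            Sort-Object LinkUsed -Descending | Select-Object -First 1
        if (-not $Origin) { continue }
        [PSCustomObject]@{
            LinkUsed    = $Origin.LinkUsed
            ActionTime  = $Act.CreationDate
            ClientIP    = $Group.Name
            AnonymousId = $Data.UserId
            Operation   = $Act.Operations
            Document    = $Data.SourceFileName
            SiteUrl     = $Data.SiteUrl
            UserAgent   = $Data.UserAgent
        }
    }
}

# Step 3: output for further analysis (CSV for Excel or Power BI, grid for a quick look).
$Report | Sort-Object LinkUsed, ActionTime | Export-Csv -Path $CsvPath -NoTypeInformation
$Report | Out-GridView -Title 'Anonymous access to SharePoint and OneDrive documents'
Write-Host ("{0} anonymous link uses, {1} follow-up actions written to {2}" -f @($LinkUses).Count, @($Report).Count, $CsvPath)
```

    Because the filter keys on the urn:spo:anon# identity rather than on the link type, the report covers “Anyone with the link” shares created in SharePoint Online or OneDrive for Business as well as cloudy attachments, which matches the scope of the AnonymousLinkUsed event described above. The IP address is the only correlation key available for anonymous access, so several people behind one NAT address will be reported together.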

    Sharing is Caring

    It’s great to be able to share so easily in so many ways with so many people outside your Office 365 tenant. It’s even better when you know how that sharing happens.
