How to audit OneDrive for Business activities

How to audit OneDrive for Business activities

OneDrive for Business is widely used to store and retrieve documents. Since, these documents can be easily accessed, modified or deleted by any users who have access, you must keep track of all the actions performed in organization’s OneDrive for Business account and the person responsible for every action.

Why use O365 Manager Plus to audit your OneDrive for Business?
Native Office 365 auditing options such as PowerShell scripts and Office 365 Security & Compliance Center are either complex to use or does not directly provide specific OneDrive for Business activity logs. These audit logs can be searched and generated on a per user basis only.



O365 Manager Plus simplifies the process of fetching OneDrive for Business audit logs by offering exclusive audit reports for multiple users under various domains (which can be stored for an indefinite period). Apart from this there is a custom view option, using which you can generate and view reports based on attribute filters you choose. eg. Business hour based, user based or client IP based. These audit reports are available under three categories:

1. OneDrive File and Folder Activities
2. OneDrive Sharing Activities
3. OneDrive Sync Activities

Note: For accessing audit reports one must first add a new audit profile. Refer to this page to learn more about creating and configuring auditing profiles.

How to access OneDrive for Business audit reports in O365 Manager Plus

Follow the steps given below to view audit reports for OneDrive for Business:
1. Click on the Audit tab on the top pane.
2. Navigate to OneDrive for Business reports on the left side.
3. Click on any of the two categories: OneDrive File Folder Activities or OneDrive Sync Activities.
4. Choose a report as you require from the list of reports available.
5. Enter the period for report generation and the name of domains you would like to audit.

Note: You can export the reports generated as PDF, HTML, XLS or CSV format. Also, use the Schedule Profiles option to schedule the reports to be automatically generated and mailed to the stakeholders in your organization.

Create audit profiles that suit your need

Use Case 1: Detect unauthorized access of private documents!

Consider a folder containing all confidential information in your organization. You can now keep a close watch on that particular folder by creating an audit profile to monitor factors such as who accessed the folder, when is the folder accessed, the client IP used to access the folder, the country from which it is accessed and so on. Follow the steps given below to create a new audit profile for this purpose:

1. Click on the Settings tab.
2. Navigate to Configuration > Audit Configuration > Audit Profiles.
3. Click the Add Profile tab on the top right corner.
4. Enter a suitable Profile Name and Description.
5. In Office 365 services drop-down, choose OneDrive for Business.
6. Under Category, select OneDrive File and Folder Activities.
7. In Actions drop-down, choose Accessed file.
8. Navigate to Advanced Configuration > Filter Settings > Filter by column.
9. You can choose and add various filters as required. For example, if you want to check the file access operations performed by users from other countries, refer to the image below and apply the country filter as given.
10. Click on Add to create a new audit profile for monitoring.



Use Case 2: Learn about anonymous link shares in your organization.

You can also find out about the anonymous sharing activities performed in your organization by following the steps given below:

      Perform steps 1-5 as given in use case 1
  • Under Category, select OneDrive Sharing Activities.
  • In Actions drop-down, choose created, updated, used, deleted anonymous links.
  • Navigate to Advanced Configuration > Filter Settings > Filter by column.
  • You can choose and add various filters as required. For example, if you want to check the IP address of the client machine from which the anonymous links are shared, refer to the image below and apply the clientIP filter as given. 
  • Click on Add to create a new audit profile for monitoring anonymous links.


How to tweak these audit reports to help you better?

These audit reports come handy when you want to scrutinize and monitor specific attributes over the others. For example, the OneDrive File Accessed audit report, in general, displays all the file access operations performed. But using the filters available in O365 Manager Plus, you can tweak the audit report to display only the file access operations performed by specific users or the ones performed during a specific time or using a specific client IP address and so on. By this you can keep a close watch on activities performed by particular users or the activities performed outside business hours.



You may also use the Create New View option, to get customized summary view based on the attributes that you choose like time or user name.



Use these pre-configured reports and other options available in O365 Manager Plus to monitor and audit your OneDrive for Business environment. To know more about how O365 Manager Plus helps you to effectively manage your Office 365 account, click here.