Audit Permission Changes in OneDrive for Business Objects

ashok kumar

1 year ago

The Principle of Least Privilege (PoLP) is an information security concept in which a user is given the minimum levels of access needed to perform their job functions. Applying this principle is a highly effective way to greatly reduce the chance of an attack within an organization.

Once the PoLP concept has been complied with and sensitive data is accessible to the minimum number of users, it is essential for an organization to be able to track any subsequent changes to sensitive data permissions. For example, a user could be given temporary access to a finance spreadsheet so that they can perform a particular task. If their temporary access gets forgotten about and the permissions are not revoked, then that user has unlimited access to the document which could result in a security breach.

However, if these permission changes are regularly monitored then it is a straightforward process to remove the access and keep the sensitive data secure.

In this guide we will look at two ways in which you can audit permission changes in OneDrive for Business Objects. The first is the native way using Microsoft 365 tools and the second is a simpler way using the Lepide Auditor.

Using the Native Way

You can create a CSV file of every unique file, user, permission, and link on OneDrive. This can help you understand how sharing is being used and if any files or folders are being shared with guests. You must be a site admin to run the report.

When you run the report, the CSV file is saved to a location of your choosing on the site.

To run the report:

From the Microsoft 365 app launcher, select the OneDrive tile.
Click the Settings icon and choose OneDrive settings.
Click More settings, and then click Run sharing report.
Choose a destination to save the report, and then click Save.
The report may take some time to run depending on the size of the site
When the report is finished running you will receive an email with a link to the report.
The following is an example of the CSV report:

The report contains the following columns:

Column Name	Description
Resource Path	The relative URL of the item
Item Type	The type of item (web, folder, file, etc.)
Permission	The permission level the user has on this item
User Name	Friendly name of the user or group that has access to this item. If this is a sharing link, the user name is SaringLink
User E-mail	The email address of the user who has access to this item. This is blank for SharePoint groups.
User or Group Type	The type of user or group: Member (internal), Guest (external), SharePoint group, Security group or Microsoft 365 group. (Note that Member refers to a member in the directory, not a member of the site.)
Link ID	The GUID of the sharing link if username is Sharing Link
Link Type	The type of link (Anonymous, Company, Specific People) if username is Sharing Link
AccessViaLinkID	The Link ID used to access the item if a user’s permission to an item is via a link.

Using the Lepide Auditor

The native method to audit permission changes in OneDrive can be both time consuming and complex. A more straightforward solution is to use the Lepide Auditor for OneDrive and run the All Environment Changes Report:

This report includes information about what was changed, who made the change and when it was made.

To run the All Environment Changes Report:

From the States & Behavior screen, select the All Environment Changes Report
Select a date range, select the OneDrive component, filter by Permissions Modified and click Generate Report
The report is generated and can be grouped, filtered, saved and exported