How to Audit Changes to Sharing Settings in MS Teams and SharePoint Online

Native Auditing vs. Netwrix Auditor for SharePoint
{{ firstError }}
We care about security of your data. Privacy Policy
Native Auditing Netwrix Auditor for SharePoint
Native Auditing
Netwrix Auditor for SharePoint
  1. Open the Office 365 Security & Compliance dashboard.
  2. Go to Search → Click “Audit log search”.
  3. In the Activities filters, select the following:
  • Site permission activities:
    • Broke sharing inheritance
    • Restored sharing inheritance
  • Site administration activities:
    • Changed a sharing policy
  • Sharing and access request activities:
    • Created an access request
    • Shared a file, folder, or site
    • Unshared a file, folder, or site
  1. Click “Search”.
  2. Review the results:
Audit Changes to Sharing Settings in MS Teams and SharePoint Online - Native Auditing
  1. Click on any action to expand the More information drop-down and see more details:
Audit Changes to Sharing Settings in MS Teams and SharePoint Online - Native Auditing Details
  1. Run Netwrix Auditor → Navigate to “Reports”.
  2. Expand the “SharePoint Online” section → Go to “SharePoint Online Activity” → Select “Sharing and Security Changes”.
  3. Click “View Report”.
Audit Changes to Sharing Settings

Ensure you don’t miss critical sharing changes in a sea of data.

Office 365 has many great collaboration features, and in the modern era of remote offices and widespread work from home, collaboration is key. In particular, both SharePoint Online and MS Teams provide users with a variety of options for making documents, sites and even whole segments of the IT environment accessible to others, both inside and outside the organization. 

This flexibility dramatically increases security risks, so it is essential to control and monitor how and with whom your various resources are being shared. Unfortunately, native tools are limited. The native audit log is retained for just 90 days, which impedes investigations. Searching the audit log online via the Security and Compliance center is slow and sometimes confusing, since seemingly similar events can appear in different sections. On top of this, while some activities, such as sharing via a direct link, are quite transparent, other actions are not. For instance, to inspect sharing inheritance and changes to sharing policy, admins have to open and review each individual event to understand which settings have been changed, a time-consuming process that puts them at risk of missing important details.

Netwrix Auditor for SharePoint overcomes all these drawbacks. Instead of manually sifting through cryptic events for hours, you can get all necessary information in a few clicks in one out-of-the-box report. You get clear details about all changes to security group membership, policies and sharing settings in SharePoint Online and Teams, including critical actions like promoting a user to site collection administrator. You can also see precisely who shared what data with which users, so you can stay on top of sharing data with external users. In addition, you can subscribe yourself or other designated personnel to receive this report by email on schedule, facilitating regular review to ensure that potentially harmful changes never go unnoticed.

Related How-tos