
OneDrive Sharing Report: A Comprehensive Guide


Managing and monitoring the sharing permissions of files stored in OneDrive can be a critical task for organizations. This guide provides a step-by-step walkthrough of how to create an Azure AD application with specific permissions, generate a client secret, and use a PowerShell script to retrieve and report the sharing permissions of OneDrive files. By following these steps, you will be able to audit and control file sharing across your organization, ensuring security and compliance.

Step 1: Creating an Azure AD Application

To get started, you'll need to create an Azure AD application that will allow you to interact with the Microsoft Graph API and retrieve information about users' OneDrive files and sharing settings. Specifically, you need to grant the application the following Microsoft Graph API permissions:

  • Directory.Read.All
  • Directory.ReadWrite.All
  • Files.Read.All
  • Sites.ReadWrite.All
  • User.Read
  • User.Read.All

Instructions for Creating an Azure AD App:

  1. Sign in to the Azure Portal: Go to Azure Portal.
  2. Navigate to Azure Active Directory: On the left-hand menu, select "Azure Active Directory".
  3. Create a new Application: Under "App registrations," click on "New registration." Provide a name for your application and choose the appropriate settings for your environment.
  4. Set API Permissions: Once the app is created, navigate to the "API permissions" section. Add the necessary permissions listed above for the Microsoft Graph API.
  5. Grant Admin Consent: After adding the permissions, click "Grant admin consent for [Tenant Name]" to ensure that the application has the necessary access.

Step 2: Creating a Client Secret

The next step is to create a client secret for your Azure AD application, which will allow you to authenticate and generate an access token to interact with the Microsoft Graph API.

  1. Navigate to Certificates & Secrets: In your Azure AD application, go to "Certificates & secrets."
  2. Create a New Client Secret: Under "Client secrets," click on "New client secret." Provide a description and set the expiration.
  3. Save the Client Secret: After creating the client secret, make sure to copy it immediately. You won’t be able to view it again after navigating away.
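Before running the report it is worth confirming that the permissions from Step 1 were actually consented. This added example (not part of the original post) requests an app-only token with the credentials from Steps 1 and 2 and inspects the roles claim inside it; the three credential values are placeholders for your own registration.

```powershell
# Added example: verify admin-consented application permissions via the token's "roles" claim.
# Placeholders: fill these in from your own app registration.
$clientId     = "<application (client) id>"
$tenantId     = "<directory (tenant) id>"
$clientSecret = "<client secret value copied in Step 2>"

$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
    client_id     = $clientId
    scope         = "https://graph.microsoft.com/.default"
    client_secret = $clientSecret
    grant_type    = "client_credentials"
}
$token = (Invoke-RestMethod -Method Post -Uri $tokenUrl -ContentType "application/x-www-form-urlencoded" -Body $body).access_token

# Decode the JWT payload (second dot-separated part, base64url encoded without padding)
$payload = $token.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json

# Application permissions appear in the "roles" claim. User.Read is a delegated-only
# permission, so it never appears in an app-only token and is not checked here.
$expected = 'Directory.Read.All', 'Directory.ReadWrite.All', 'Files.Read.All', 'Sites.ReadWrite.All', 'User.Read.All'
$granted  = @($claims.roles | Where-Object { $_ })
$missing  = $expected | Where-Object { $granted -notcontains $_ }

"Token expires at $([DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime) UTC"
"Granted roles: $($granted -join ', ')"
if ($missing) { Write-Warning "Admin consent is missing for: $($missing -join ', ')" }
```

If any permission is reported missing, return to the "API permissions" blade and repeat the "Grant admin consent" step before running the report script.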

Step 3: PowerShell Script for OneDrive Sharing Report

Once you have your Azure AD application and client secret, you can use the following PowerShell script to query and retrieve the sharing permissions for files in OneDrive.

        # Define your Azure AD app credentials (values from the app registration created above)
        $clientId = ""
        $tenantId = ""
        $clientSecret = ""
        
        # Prepare the token request URL for Microsoft Graph API
        $tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
        
        # Create the request body for obtaining an access token (client credentials flow)
        $body = @{
            client_id     = $clientId
            scope         = "https://graph.microsoft.com/.default"
            client_secret = $clientSecret
            grant_type    = "client_credentials"
        }
        
        # Send the request to get the access token
        $response = Invoke-RestMethod -Method Post -Uri $tokenUrl -ContentType "application/x-www-form-urlencoded" -Body $body
        $accessToken = $response.access_token
        
        # Set the authorization header with the access token
        $headers = @{
            Authorization = "Bearer $accessToken"
        }
        
        # Helper: follow @odata.nextLink so collections larger than one Graph page are returned in full
        function Get-GraphCollection {
            param(
                [string]$url
            )
            
            $items = @()
            while ($url) {
                $page = Invoke-RestMethod -Uri $url -Headers $headers
                $items += $page.value
                $url = $page.'@odata.nextLink'
            }
            return $items
        }
        
        # Function to get the list of users in your tenant
        function Get-AllUsers {
            $usersUrl = "https://graph.microsoft.com/v1.0/users"
            return Get-GraphCollection -url $usersUrl
        }
        
        # Function to list the files and folders in the root of each user's OneDrive
        function Get-UserFiles {
            param(
                [string]$userId
            )
            
            $driveUrl = "https://graph.microsoft.com/v1.0/users/$userId/drive/root/children"
            return Get-GraphCollection -url $driveUrl
        }
        
        # Function to get sharing details and permissions for each user's files/folders in OneDrive
        function Get-SharingPermissions {
            param(
                [string]$userId,
                [string]$fileId
            )
            
            $sharingUrl = "https://graph.microsoft.com/v1.0/users/$userId/drive/items/$fileId/permissions"
            return Get-GraphCollection -url $sharingUrl
        }
        
        # Initialize a list to hold the output data
        $outputData = New-Object System.Collections.Generic.List[object]
        
        # Main Execution
        $users = Get-AllUsers
        
        foreach ($user in $users) {
            Write-Host $user.displayName
        
            # Get user's OneDrive files and folders; users without a provisioned OneDrive return an error, so skip them
            try {
                $files = Get-UserFiles -userId $user.id
            } catch {
                Write-Warning "Could not read the OneDrive of $($user.userPrincipalName): $($_.Exception.Message)"
                continue
            }
        
            foreach ($file in $files) {
                $fileName = $file.name
                $fileId = $file.id
        
                # Get sharing permissions for each file
                $permissions = Get-SharingPermissions -userId $user.id -fileId $fileId
        
                # Every row uses the same column set (in the same order) so Export-Csv writes a consistent CSV
                foreach ($permission in $permissions) {
                    $outputData.Add([PSCustomObject]@{
                        UserPrincipalName = $user.userPrincipalName
                        FileName          = $fileName
                        SharedWith        = $permission.grantedTo.user.email
                        Permissions       = $permission.roles -join ", "
                        SharedLink        = $permission.link.webUrl
                    })
                }
        
                # Add a row for the file itself when it has no sharing permissions
                if (@($permissions).Count -eq 0) {
                    $outputData.Add([PSCustomObject]@{
                        UserPrincipalName = $user.userPrincipalName
                        FileName          = $fileName
                        SharedWith        = ""
                        Permissions       = ""
                        SharedLink        = ""
                    })
                }
            }
        }
        
        # Define the CSV file path
        $csvFilePath = "C:\temp\output.csv"
        
        # Export collected data to CSV
        $outputData | Export-Csv -Path $csvFilePath -NoTypeInformation
        
        Write-Host "Script execution completed. Data has been saved to $csvFilePath."
        

Sample Output

The script will generate an output similar to the following, showing file names and their sharing permissions:

UserPrincipalName,FileName,SharedWith,Permissions,SharedLink
user1@domain.com,Document1.xlsx,user2@domain.com,Read,https://sharepoint.com/sharedlink
user1@domain.com,Document2.docx,,,
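Once the CSV exists, the next step is to find the rows that need review. This added example (not part of the original post) reads the report in the column layout shown above and flags files shared with recipients outside your own domains, files shared via a link, and files where write access was granted; the path and the $internalDomains list are assumptions you replace with your own values.

```powershell
# Added example: triage the OneDrive sharing report produced by the script above.
# Assumed: report at C:\temp\output.csv with the columns shown in the sample output;
# $internalDomains is a placeholder for your tenant's verified domains.
$csvFilePath     = "C:\temp\output.csv"
$internalDomains = @("domain.com")

$rows = Import-Csv -Path $csvFilePath

$findings = foreach ($row in $rows) {
    $reasons = @()

    # A SharedWith address whose domain is not one of ours is external sharing
    if ($row.SharedWith -match '@(.+)$' -and $Matches[1] -notin $internalDomains) {
        $reasons += "external recipient ($($row.SharedWith))"
    }

    # Any sharing link deserves review: the report does not record whether the link is
    # anonymous or restricted to the organization, so that has to be checked in OneDrive
    if ($row.SharedLink) {
        $reasons += "sharing link present"
    }

    # Write access granted to a specific recipient widens what a compromised account can change
    if ($row.Permissions -match 'write' -and $row.SharedWith) {
        $reasons += "write permission"
    }

    if ($reasons) {
        [PSCustomObject]@{
            Owner    = $row.UserPrincipalName
            FileName = $row.FileName
            Reasons  = $reasons -join '; '
        }
    }
}

# Summary of flagged files per owner, then the detailed list
$findings | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object @{ n = 'Owner'; e = { $_.Name } }, Count | Format-Table -AutoSize
$findings | Format-Table -AutoSize
```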
        
