
OneDrive Sharing Report: A Comprehensive Guide


Managing and monitoring the sharing permissions of files stored in OneDrive can be a critical task for organizations. This guide provides a step-by-step walkthrough of how to create an Azure AD application with specific permissions, generate a client secret, and use a PowerShell script to retrieve and report the sharing permissions of OneDrive files. By following these steps, you will be able to audit and control file sharing across your organization, ensuring security and compliance.

Step 1: Creating an Azure AD Application

To get started, you'll need to create an Azure AD application that will allow you to interact with the Microsoft Graph API and retrieve information about users' OneDrive files and sharing settings. Specifically, you need to set the following permissions:

  • Directory.Read.All
  • Directory.ReadWrite.All
  • Files.Read.All
  • Sites.ReadWrite.All
  • User.Read
  • User.Read.All

Instructions for Creating an Azure AD App:

  1. Sign in to the Azure Portal: Go to Azure Portal.
  2. Navigate to Azure Active Directory: On the left-hand menu, select "Azure Active Directory".
  3. Create a new Application: Under "App registrations," click on "New registration." Provide a name for your application and choose the appropriate settings for your environment.
  4. Set API Permissions: Once the app is created, navigate to the "API permissions" section. Add the necessary permissions listed above for the Microsoft Graph API.
  5. Grant Admin Consent: After adding the permissions, click "Grant admin consent for [Tenant Name]" to ensure that the application has the necessary access.

Step 2: Creating a Client Secret

The next step is to create a client secret for your Azure AD application, which will allow you to authenticate and generate an access token to interact with the Microsoft Graph API.

  1. Navigate to Certificates & Secrets: In your Azure AD application, go to "Certificates & secrets."
  2. Create a New Client Secret: Under "Client secrets," click on "New client secret." Provide a description and set the expiration.
  3. Save the Client Secret: After creating the client secret, make sure to copy it immediately. You won’t be able to view it again after navigating away.
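Before the report runs, it is worth confirming that the token issued for this client secret really carries the application permissions granted in Step 1. The following PowerShell function is an added example, not part of the original post: it decodes the roles claim of the JWT (assumed to be in $accessToken, as obtained by the script in Step 3) and compares it with the read permissions the report needs, taken here as User.Read.All and Files.Read.All (an assumption based on the Step 1 list).

```powershell
function Get-AppRolesFromToken {
    param([Parameter(Mandatory)][string]$AccessToken)

    # A JWT is header.payload.signature; the payload is base64url-encoded JSON
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWT: expected three dot-separated parts." }

    # base64url -> base64: restore the standard alphabet and the '=' padding
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $claims = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
        ConvertFrom-Json

    # Application permissions granted with client credentials appear in 'roles';
    # delegated permissions (a signed-in user) would appear in 'scp' instead.
    # v1 tokens carry the app id in 'appid', v2 tokens in 'azp'.
    $appId = if ($claims.appid) { $claims.appid } else { $claims.azp }
    [PSCustomObject]@{
        TenantId = $claims.tid
        AppId    = $appId
        Roles    = @($claims.roles | Where-Object { $_ })
        Expires  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
    }
}

# Read permissions the report needs (assumed minimum taken from the Step 1 list)
$requiredRoles = @('User.Read.All', 'Files.Read.All')

$tokenInfo = Get-AppRolesFromToken -AccessToken $accessToken
$missing   = $requiredRoles | Where-Object { $tokenInfo.Roles -notcontains $_ }
if ($missing) {
    Write-Warning "Token is missing required roles: $($missing -join ', ')"
}

# The report only reads; flag any write-capable role so it can be reviewed
$writeRoles = $tokenInfo.Roles | Where-Object { $_ -like '*ReadWrite*' }
if ($writeRoles) {
    Write-Warning "Token carries write permissions the report does not use: $($writeRoles -join ', ')"
}
"App $($tokenInfo.AppId) in tenant $($tokenInfo.TenantId): roles $($tokenInfo.Roles -join ', '); expires $($tokenInfo.Expires) UTC"
```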

Step 3: PowerShell Script for OneDrive Sharing Report

Once you have your Azure AD application and client secret, you can use the following PowerShell script to query and retrieve the sharing permissions for files in OneDrive.

        # Define your Azure AD app credentials
        $clientId     = ""
        $tenantId     = ""
        $clientSecret = ""

        # Prepare the token request URL for Microsoft Graph API
        $tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"

        # Create the request body for obtaining an access token (client credentials flow:
        # the app authenticates as itself, so the application permissions from Step 1 apply)
        $body = @{
            client_id     = $clientId
            scope         = "https://graph.microsoft.com/.default"
            client_secret = $clientSecret
            grant_type    = "client_credentials"
        }

        # Send the request to get the access token
        # Note: the token has a limited lifetime; on very large tenants a long run may need a fresh one
        $response = Invoke-RestMethod -Method Post -Uri $tokenUrl -ContentType "application/x-www-form-urlencoded" -Body $body
        $accessToken = $response.access_token

        # Set the authorization header with the access token
        $headers = @{
            Authorization = "Bearer $accessToken"
        }

        # Helper: GET a Graph collection and follow @odata.nextLink so that
        # tenants with more than one page of users or files are fully covered
        function Get-GraphCollection {
            param([string]$Url)
            $items = @()
            while ($Url) {
                $page = Invoke-RestMethod -Uri $Url -Headers $headers
                $items += $page.value
                $Url = $page.'@odata.nextLink'
            }
            return $items
        }

        # Function to get the list of users in your tenant
        function Get-AllUsers {
            $usersUrl = "https://graph.microsoft.com/v1.0/users?`$select=id,displayName,userPrincipalName"
            return Get-GraphCollection -Url $usersUrl
        }

        # Function to list all files and folders under each user's OneDrive,
        # descending into subfolders so that nested items are reported as well
        function Get-UserFiles {
            param(
                [string]$userId,
                [string]$folderId = $null
            )

            if ($folderId) {
                $driveUrl = "https://graph.microsoft.com/v1.0/users/$userId/drive/items/$folderId/children"
            } else {
                $driveUrl = "https://graph.microsoft.com/v1.0/users/$userId/drive/root/children"
            }
            $driveItems = Get-GraphCollection -Url $driveUrl
            foreach ($item in $driveItems) {
                $item
                if ($item.folder) {
                    Get-UserFiles -userId $userId -folderId $item.id
                }
            }
        }

        # Function to get sharing details and permissions for each user's files/folders in OneDrive
        function Get-SharingPermissions {
            param(
                [string]$userId,
                [string]$fileId
            )

            $sharingUrl = "https://graph.microsoft.com/v1.0/users/$userId/drive/items/$fileId/permissions"
            return Get-GraphCollection -Url $sharingUrl
        }

        # Collect output rows in a list (appending to an array with += copies it on every add)
        $outputData = New-Object System.Collections.Generic.List[object]

        # Main Execution
        $users = Get-AllUsers

        foreach ($user in $users) {
            Write-Host $user.displayName
            # Get user's OneDrive files and folders; users without a provisioned
            # OneDrive make Graph return an error, so skip them instead of aborting
            try {
                $files = Get-UserFiles -userId $user.id
            } catch {
                Write-Warning "Could not read OneDrive of $($user.userPrincipalName): $($_.Exception.Message)"
                continue
            }

            foreach ($file in $files) {
                # Get sharing permissions for each file
                $permissions = @(Get-SharingPermissions -userId $user.id -fileId $file.id)

                # Every row uses the same columns in the same order: Export-Csv takes the
                # column set from the first object it receives, so rows with a different
                # shape would lose their extra columns in the CSV
                if ($permissions.Count -eq 0) {
                    # No sharing entries: still record the file so the report lists it
                    $outputData.Add([PSCustomObject]@{
                        UserPrincipalName = $user.userPrincipalName
                        FileName          = $file.name
                        SharedWith        = $null
                        Permissions       = $null
                        SharedLink        = $null
                        FileId            = $file.id
                        FileType          = $file.file.mimeType
                    })
                }

                foreach ($permission in $permissions) {
                    # Collect sharing data for each permission entry
                    $outputData.Add([PSCustomObject]@{
                        UserPrincipalName = $user.userPrincipalName
                        FileName          = $file.name
                        SharedWith        = $permission.grantedTo.user.email
                        Permissions       = $permission.roles -join ", "
                        SharedLink        = $permission.link.webUrl
                        FileId            = $file.id
                        FileType          = $file.file.mimeType
                    })
                }
            }
        }

        # Define the CSV file path (create the folder first if it does not exist yet)
        $csvFilePath = "C:\temp\output.csv"
        $null = New-Item -ItemType Directory -Path (Split-Path $csvFilePath) -Force

        # Export collected data to CSV
        $outputData | Export-Csv -Path $csvFilePath -NoTypeInformation

        Write-Host "Script execution completed. Data has been saved to $csvFilePath."

Sample Output

The script will generate an output similar to the following, showing file names and their sharing permissions:

UserPrincipalName,FileName,SharedWith,Permissions,SharedLink
user1@domain.com,Document1.xlsx,user2@domain.com,Read,https://sharepoint.com/sharedlink
user1@domain.com,Document2.docx,,,
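Once the CSV exists, the question an administrator usually wants answered is which rows represent sharing outside the organisation. The following PowerShell is an added example, not part of the original post: it reads rows in the report's CSV layout (a constructed sample is embedded so it runs offline; replace it with Import-Csv on the real output file) and classifies each entry as NotShared, Internal, External or LinkOnly relative to an assumed home domain.

```powershell
# Constructed sample rows in the report's CSV layout (not real tenant data)
$sampleCsv = @'
UserPrincipalName,FileName,SharedWith,Permissions,SharedLink
user1@contoso.com,Budget.xlsx,user2@contoso.com,read,https://contoso-my.sharepoint.com/link1
user1@contoso.com,Contract.docx,partner@fabrikam.com,write,https://contoso-my.sharepoint.com/link2
user3@contoso.com,Notes.txt,,read,https://contoso-my.sharepoint.com/link3
user3@contoso.com,Private.docx,,,
'@

function Get-SharingRisk {
    param(
        [Parameter(Mandatory)][object[]]$Rows,       # objects as produced by Import-Csv / ConvertFrom-Csv
        [Parameter(Mandatory)][string]$TenantDomain  # assumed home domain, e.g. contoso.com
    )
    foreach ($row in $Rows) {
        $recipient = $row.SharedWith
        $domain = if ($recipient -match '@(.+)$') { $Matches[1].ToLower() } else { $null }

        if (-not $recipient -and -not $row.SharedLink) { $category = 'NotShared' }
        elseif (-not $recipient) { $category = 'LinkOnly' }   # link-based sharing with no named user: check its scope
        elseif ($domain -eq $TenantDomain.ToLower()) { $category = 'Internal' }
        else { $category = 'External' }

        [PSCustomObject]@{
            Owner       = $row.UserPrincipalName
            FileName    = $row.FileName
            SharedWith  = $recipient
            Permissions = $row.Permissions
            Category    = $category
        }
    }
}

$rows = $sampleCsv | ConvertFrom-Csv            # real run: Import-Csv -Path C:\temp\output.csv
$risk = Get-SharingRisk -Rows $rows -TenantDomain 'contoso.com'

# Summary by category, then the entries that should be reviewed first
$risk | Group-Object Category | Select-Object Name, Count | Format-Table -AutoSize
$risk | Where-Object { $_.Category -in 'External', 'LinkOnly' } |
    Sort-Object Category, Owner | Format-Table -AutoSize
```

On the sample above this lists Contract.docx (External, write) and Notes.txt (LinkOnly) for review.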