After years of ignoring the issue, Microsoft has finally started rolling out the External sharing report feature for OneDrive for Business. The rollout is still not 100% complete, so the feature might not be available in your tenant just yet, but it should be coming soon.
Generating a Sharing Report
To generate the External sharing report, open your OneDrive for Business site, go to Settings on top (cog wheel), OneDrive settings, More settings and finally under the Manage access section, click Run sharing report. You will then be asked to select where to store the report (Figure 1).
After you select a folder and hit Save, the report is generated in a matter of a minute or two. You will be alerted by an email notification once the report is available, or you can look into the folder you selected for the output.
The report is a CSV file whose name is based on your Display name, followed by the date and time of its generation. The file is viewable in the browser or can be downloaded and opened with Excel. The latter option might be better for non-English users, as the columns and values of the generated CSV file will reflect the locale selected (in my case, Bulgarian), which resulted in an illegible mess because of the encoding, as shown in Figure 2.
Examining OneDrive for Business Sharing Data
Downloading the file and importing the data to an Excel worksheet, while simultaneously adjusting the encoding to UTF-8, produced a much more pleasant version (Figure 3). From left to right, you will see the Path to the item, its type, the permissions given, the user(s) with whom the item is shared (one entry per line), the user’s email where applicable, the User or Group type, Sharing Link ID, Sharing Link Type and AccessViaLinkID. Some of those fields might be empty, depending on the type of sharing, and the screenshot below only reflects External sharing (see below). Do note that the labels and values used are my own translation from the Bulgarian strings used in the original, so there might be a slight disconnect with what you see.
Despite what the feature name suggests, the report includes both internally and externally shared items, but more on that below. The items themselves are alphabetically sorted based on the full item’s path. As already mentioned above, each line represents a single permission entry, meaning you will see multiple entries for items that have more than one sharing link or direct permission, or any combination of those. Nested folders and items stored within them are covered, with some important omissions discussed below.
Comparing a Graph-Based Report
I took the liberty of comparing this report to the one generated with the Graph API-based script I published over at Practical 365 a while back. Overall, you can expect to see very similar data; however, there are some interesting differences. For example, the built-in report includes the default Web permissions, as well as permissions from other Lists/Libraries in your ODFB, while the script report focuses only on the default /Documents library. It’s also interesting to note that the Microsoft-generated report does not include information about permissions given to any secondary site collection owners, although they are readily available from the Graph endpoints.
The biggest difference between the two files is the sheer number of entries missing from the downloadable report. As an example, I sync the Camera roll from my mobile device to OneDrive for Business and have shared some of the images from OneDrive. This results in a few hundred entries in the script-generated report just for the Photos folder, whilst the built-in report only lists a single entry for the folder. Trimming the entries makes sense, as all the items have the same set of permissions. However, the fact that trimming happens is not mentioned in the official documentation, so make sure to keep this aspect in mind when determining the actual number of shared items.
Similarly, there seems to be a bit of a gray area in the definition of internal vs external sharing. While the built-in report often seems to exclude entries that have additional permission entries that are considered internal only, it still lists other items even when they do not have any additional sharing links configured.
Probably the major drawback for admins is the fact that there isn’t any easy way to run the report on behalf of a given user. Technically, you can add yourself as a secondary site collection admin for users’ ODFB drives, and you can then use those permissions to access the settings page of their sites and generate the report. However, this method is hardly manageable for anything but a handful of users.
Among other things worth mentioning is that the built-in report does not include information about link expiration, or additional link settings such as the Block download controls. Lastly, if you want to list all externally shared items, make sure to include the SharePointGroup value in addition to the External one when selecting a filter for the User or Group Type column. With all those adjustments in mind, the results from both files match perfectly, so whichever method you choose to use is entirely up to you.
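The same filter can be applied to the downloaded CSV outside Excel. The following is an added example, not part of the original article or of any Microsoft tooling: it decodes the report as UTF-8, keeps the External and SharePointGroup entries, and collapses the one-row-per-permission layout into one entry per item. The header names and the Internal value are assumptions based on the article's translated labels, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Assumed header names and values, taken from the article's English
# translation; the real report is localized, so adjust them to your file.
PATH_COL = "Path"
USER_COL = "User"
TYPE_COL = "User or Group Type"
EXTERNAL_TYPES = {"External", "SharePointGroup"}

# Constructed sample (not real report output), encoded as UTF-8 with a BOM.
SAMPLE_CSV = (
    "Path,Item Type,Permission,User,User or Group Type\n"
    "Documents/Photos,Folder,View,alice@partner.example,External\n"
    "Documents/Photos,Folder,View,bob@partner.example,External\n"
    "Documents/Отчет.xlsx,File,Edit,Site Visitors,SharePointGroup\n"
    "Documents/Budget.xlsx,File,Edit,Colleague One,Internal\n"
).encode("utf-8-sig")


def externally_shared(report_bytes, encoding="utf-8-sig"):
    """Map each externally shared item path to its sorted list of grantees."""
    # utf-8-sig decodes UTF-8 and drops a leading BOM if present; left in
    # place, the BOM becomes part of the first header name and breaks lookup.
    text = report_bytes.decode(encoding)
    items = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text, newline="")):
        # One row is one permission entry, so an item can appear many times.
        if (row.get(TYPE_COL) or "").strip() in EXTERNAL_TYPES:
            items[row[PATH_COL]].add((row.get(USER_COL) or "").strip())
    return {path: sorted(users) for path, users in sorted(items.items())}


if __name__ == "__main__":
    for path, users in externally_shared(SAMPLE_CSV).items():
        print(f"{path}: {', '.join(users)}")
```

Because the built-in report lists a shared folder once rather than every item beneath it, the number of paths returned counts report entries, not individual shared files.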