Viewing and removing OneDrive for Business Sharing with PowerShell

One of the great abilities of OneDrive for Business and SharePoint Online is the ability to quickly and easily share a link to a file with people outside your organisation.


I’m not going to show you how to do this in this article but if you need to see how this is done have a look at:

Share OneDrive files and folders

In the above example you’ll see that the file Employee Engagement Plan.docx has been been shared by the owner with an external user (Lewis Collins).


Somewhere else, you can see that this user (Lewis Collins) has the document open to work on.

One of the benefits of sharing using OneDrive for Business is that the sharing rights can easily be revoked by the original user if desired.


The easiest way to achieve this would be simply to hit the cross next to the external users name in the web interface as shown above.


The original user would then be prompted the Remove the external user, which they would do to remove access.

That all works fine when you have a small number of shared files and a small number of users working with a file. It becomes a lot more problematic when you start scaling to many users as you can see here:


What happens when you need to find just one user to remove sharing from amongst a list of hundreds of users?

PowerShell to the rescue!

1. Connect to SharePoint Online via PowerShell. You can use my script at:

to do this. You’ll need to know the tenant name prior i.e. the part before the (e.g.


2. Run the PowerShell command:

Get-spouser -site https://<mydomain><user>_<mydomain>_onmicrosoft_com -limit all

to display of all the users who have access to the specific OneDrive for Business site.


In this list you should find your external user in the format of:


This may vary slight but you should also be able to identify the user by their Display name if needed.

3. Run the PowerShell command:

remove-spouser –site https://<mydomain><user>_<mydomain>_onmicrosoft_com&nbsp; -loginname <>#ext#<mydomain>


4. Run a sharing report


In the source OneDrive for Business, select the COG in the upper right corner and then the option OneDrive Settings.


Now select More Settings on the left and Run sharing report from the options that appear on the right as shown above.


Nominate a folder for this report to be sent to.


You’ll receive an email when the report is ready. It will be in Excel format as you can see above.

Open the file and do a search for the external email address of the removed users.


The removed users should not appear in the report as expected.


If you now look at the sharing option for file(s) in that OneDrive for Business you should find that the removed user no longer appears, as shown above.

If the external user, who has just been removed, actually has the file open at the moment that access is removed they will see:


and be prompted to Reconnect. If they then attempt to reconnect they will see:


and will be denied access going forward.

Note – This removes that users access to ALL files shared in the OneDrive for Business location, not just for a single file.


I also have another freely available script at:

that will display a list of all externally shared across your tenant as shown above.

If you do have a situation where you have large numbers of shared files or shared users in OneDrive for Business and you wish to make bulk removal easier, I’d encourage you to look at PowerShell as an option. However, remember, this option will remove ALL sharing for that user(s) across the WHOLE OneDrive for Business.

Branding your Microsoft 365 tenant

Branding is great way to improve the visual look and feel during the login experience but may also help mitigate phishing compromises in a small way by providing uniqueness. It only takes a few moments to brand your tenant and branding will also start showing up in a number of different areas when you use Microsoft 365 services.

This video takes you through that process and shows you how easy it is to set up. a link to the video is here:

and the article mentioned in the video is here:

Conditional Access with Microsoft 365

One of the easy ways to protect your environment is to implement Conditional Access which is included with all Microsoft 365 plans. Otherwise, you can add Azure AD P1 to your environment to get this functionality.

This video will take you through the basics of setting up a Conditional Access including how to block access based on location. You’ll see how to create a Named Location, a Conditional Access policy and what it looks like when it is actually applied to a user.

A direct link for the video can be found at:

Anti spam policies in Microsoft 365

One of the biggest misunderstanding’s I see around Microsoft/Office 365 is managing anti spam settings. These are done in Exchange Online. Thinks like Office 365 ATP actually perform additional functionality (such as safe list and attachments). Thus, if you want to limit the spam that users receive it is important to ensure you have your anti spam policies correctly configured.

This video will show you how and where to configure both inbound and outbound spam policies as well as some best practice recommendations for both. You’ll find the direct link for the video here:

Need to Know podcast–Episode 233

FAQ podcasts are shorter and more focused on a particular topic. In this episode I’ll talk about Azure Sentinel.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think –

You can listen directly to this episode at:

Subscribe via iTunes at:

The podcast is also available on Stitcher at:

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.


Azure Sentinel

Office 365 Audit Retention Policy

I have spoken previously about the importance of ensuring that your unified audit logs are enabled in your Microsoft 365 tenant:

Enable activity auditing in Office 365

These logs are retained for 90 days by default for all plans. However, if you have Office 365 E5, Microsoft 365 E5 or Microsoft 365 E5 Compliance add-on license you can enable an audit retention policy for up to 1 year.

If you navigate to:

in your tenant you will see:


the button New audit retention policy at the bottom of the page as shown above.


Select that button will display the above dialog. Towards the bottom of this you will see that you can set up a retention policy of up to 1 year.

Of course you can enter the policy via the web interface but I prefer PowerShell. The command that you need to use is:


you then use the recordtypes parameter to specify the audit logs of a specific record type that are retained by the policy. Currently, there are heaps of these:

  1. AeD
  2. AirInvestigation
  3. ApplicationAudit
  4. AzureActiveDirectory
  5. AzureActiveDirectoryAccountLogon
  6. AzureActiveDirectoryStsLogon
  7. CRM
  8. Campaign
  9. ComplianceDLPExchange
  10. ComplianceDLPSharePoint
  11. ComplianceDLPSharePointClassification
  12. ComplianceSupervisionExchange
  13. CustomerKeyServiceEncryption
  14. DLPEndpoint
  15. DataCenterSecurityCmdlet
  16. DataGovernance
  17. DataInsightsRestApiAudit
  18. Discovery
  19. ExchangeAdmin
  20. ExchangeAggregatedOperation
  21. ExchangeItem
  22. ExchangeItemAggregated
  23. ExchangeItemGroup
  24. HRSignal
  25. HygieneEvent
  26. InformationBarrierPolicyApplication
  27. InformationWorkerProtection
  28. Kaizala
  29. LabelExplorer
  30. MIPLabel
  31. MailSubmission
  32. MicrosoftFlow
  33. MicrosoftForms
  34. MicrosoftStream
  35. MicrosoftTeams
  36. MicrosoftTeamsAdmin
  37. MicrosoftTeamsAnalytics
  38. MicrosoftTeamsDevice
  39. MicrosoftTeamsShifts
  40. MipAutoLabelExchangeItem
  41. MipAutoLabelSharePointItem
  42. MipAutoLabelSharePointPolicyLocation
  43. OfficeNative
  44. OneDrive
  45. PowerAppsApp
  46. PowerAppsPlan
  47. PowerBIAudit
  48. Project
  49. Quarantine
  50. SecurityComplianceAlerts
  51. SecurityComplianceCenterEOPCmdlet
  52. SecurityComplianceInsights
  53. SharePoint
  54. SharePointCommentOperation
  55. SharePointContentTypeOperation
  56. SharePointFieldOperation
  57. SharePointFileOperation
  58. SharePointListItemOperation
  59. SharePointListOperation
  60. SharePointSharingOperation
  61. SkypeForBusinessCmdlets
  62. SkypeForBusinessPSTNUsage
  63. SkypeForBusinessUsersBlocked
  64. Sway
  65. SyntheticProbe
  66. TeamsHealthcare
  67. ThreatFinder
  68. ThreatIntelligence
  69. ThreatIntelligenceAtpContent
  70. ThreatIntelligenceUrl
  71. WorkplaceAnalytics
  72. Yammer

In my case I ran:

New-UnifiedAuditLogRetentionPolicy -Name “Log Retention Policy” -Description “One year retention policy for all activities” -RecordTypes AeD,AirInvestigation,ApplicationAudit,AzureActiveDirectory,AzureActiveDirectoryAccountLogon,AzureActiveDirectoryStsLogon,CRM,Campaign,ComplianceDLPExchange,ComplianceDLPSharePoint,ComplianceDLPSharePointClassification,ComplianceSupervisionExchange,CustomerKeyServiceEncryption,DLPEndpoint,DataCenterSecurityCmdlet,DataGovernance,DataInsightsRestApiAudit,Discovery,ExchangeAdmin,ExchangeAggregatedOperation,ExchangeItem,ExchangeItemAggregated,ExchangeItemGroup,HRSignal,HygieneEvent,InformationBarrierPolicyApplication,InformationWorkerProtection,Kaizala,LabelExplorer,MIPLabel,MailSubmission,MicrosoftFlow,MicrosoftForms,MicrosoftStream,MicrosoftTeams,MicrosoftTeamsAdmin,MicrosoftTeamsAnalytics,MicrosoftTeamsDevice,MicrosoftTeamsShifts,MipAutoLabelExchangeItem,MipAutoLabelSharePointItem,MipAutoLabelSharePointPolicyLocation,OfficeNative,OneDrive,PowerAppsApp,PowerAppsPlan,PowerBIAudit,Project,Quarantine,SecurityComplianceAlerts,SecurityComplianceCenterEOPCmdlet,SecurityComplianceInsights,SharePoint,SharePointCommentOperation,SharePointContentTypeOperation,SharePointFieldOperation,SharePointFileOperation,SharePointListItemOperation,SharePointListOperation,SharePointSharingOperation,SkypeForBusinessCmdlets,SkypeForBusinessPSTNUsage,SkypeForBusinessUsersBlocked,Sway,SyntheticProbe,TeamsHealthcare,ThreatFinder,ThreatIntelligence,ThreatIntelligenceAtpContent,ThreatIntelligenceUrl,WorkplaceAnalytics,Yammer -RetentionDuration TwelveMonths -Priority 100

to set them all for my E5 environment, and thus retain all this logging information for at least 12 months!


You can read more about all this in the Microsoft documentation here:

Manage audit log retention policies

Remember however, for this to work:

“To retain an audit log for longer than 90 days, the user who generated the audit log must be assigned an Office 365 or Microsoft 365 E5 license or have a Microsoft 365 E5 Compliance add-on license.”

***** 9 April 2020 Update

It appears Microsoft has now changed the parameters you can specify to:

ExchangeAdmin, ExchangeItem, ExchangeItemGroup, SharePoint, SyntheticProbe, SharePointFileOperation,
OneDrive, AzureActiveDirectory, AzureActiveDirectoryAccountLogon, DataCenterSecurityCmdlet,
ComplianceDLPSharePoint, Sway, ComplianceDLPExchange, SharePointSharingOperation,
AzureActiveDirectoryStsLogon, SkypeForBusinessPSTNUsage, SkypeForBusinessUsersBlocked,      SecurityComplianceCenterEOPCmdlet, ExchangeAggregatedOperation, PowerBIAudit, CRM, Yammer,      SkypeForBusinessCmdlets, Discovery, MicrosoftTeams, ThreatIntelligence, MailSubmission, MicrosoftFlow,  AeD, MicrosoftStream, ComplianceDLPSharePointClassification, ThreatFinder, Project,  SharePointListOperation, SharePointCommentOperation, DataGovernance, Kaizala, SecurityComplianceAlerts, ThreatIntelligenceUrl, SecurityComplianceInsights, MIPLabel, WorkplaceAnalytics, PowerAppsApp,  PowerAppsPlan, ThreatIntelligenceAtpContent, LabelContentExplorer, TeamsHealthcare, ExchangeItemAggregated, HygieneEvent, DataInsightsRestApiAudit, InformationBarrierPolicyApplication,   SharePointListItemOperation, SharePointContentTypeOperation, SharePointFieldOperation,  MicrosoftTeamsAdmin, HRSignal, MicrosoftTeamsDevice, MicrosoftTeamsAnalytics, InformationWorkerProtection,  Campaign, DLPEndpoint, AirInvestigation, Quarantine, MicrosoftForms, ApplicationAudit,  ComplianceSupervisionExchange, CustomerKeyServiceEncryption, OfficeNative, MipAutoLabelSharePointItem,     MipAutoLabelSharePointPolicyLocation, MicrosoftTeamsShifts, MipAutoLabelExchangeItem, CortanaBriefing,
Search, WDATPAlerts, MDATPAudit