The Principle of Least Privilege (PoLP) is an information security concept in which a user is given the minimum levels of access needed to perform their job functions. Applying this principle is a highly effective way to greatly reduce the chance of an attack within an organization.
Once PoLP has been applied and sensitive data is accessible to the minimum number of users, an organization must be able to track any subsequent changes to sensitive data permissions. For example, a user could be given temporary access to a finance spreadsheet so that they can perform a particular task. If that temporary access is forgotten and the permissions are not revoked, the user has unlimited access to the document, which could result in a security breach.
However, if these permission changes are regularly monitored, it is a straightforward process to remove the access and keep the sensitive data secure.
In this guide we will look at two ways in which you can audit permission changes in OneDrive for Business Objects. The first is the native way using Microsoft 365 tools and the second is a simpler way using the Lepide Auditor.
Using the Native Way
You can create a CSV file of every unique file, user, permission, and link on OneDrive. This can help you understand how sharing is being used and if any files or folders are being shared with guests. You must be a site admin to run the report.
When you run the report, the CSV file is saved to a location of your choosing on the site.
To run the report:
- From the Microsoft 365 app launcher, select the OneDrive tile.
- Click the Settings icon and choose OneDrive settings.
- Click More settings, and then click Run sharing report.
- Choose a destination to save the report, and then click Save.
- The report may take some time to run depending on the size of the site.
- When the report is finished running you will receive an email with a link to the report.
- The following is an example of the CSV report:
The report contains the following columns:
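To track permission changes with the native report, one approach is to save a report on a schedule and compare consecutive snapshots. The Python script below is an added example, not part of the original guide or of any Microsoft or Lepide tooling. The column names and the `Guest` user-type value are assumptions to be matched against the header row of your own report, and the sample rows are constructed.

```python
import csv
import io

# Column names are assumptions; match them to the header row of your report.
KEY_COLS = ("Resource Path", "User E-mail", "Link ID")
PERM_COL, TYPE_COL = "Permission", "User Or Group Type"

def load_grants(csv_text):
    """Map (resource, user, link) -> (permission, user type) for one report."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {tuple(r[c].strip() for c in KEY_COLS):
            (r[PERM_COL].strip(), r[TYPE_COL].strip()) for r in rows}

def diff_reports(old_text, new_text):
    """Compare two report snapshots and list every permission change."""
    old, new = load_grants(old_text), load_grants(new_text)
    changes = []
    for key in sorted(old.keys() | new.keys()):
        before, after = old.get(key), new.get(key)
        if before == after:
            continue  # grant is identical in both snapshots
        kind = "added" if before is None else "removed" if after is None else "changed"
        user_type = (after or before)[1]
        changes.append({
            "kind": kind, "resource": key[0], "user": key[1],
            "before": before[0] if before else None,
            "after": after[0] if after else None,
            "guest": user_type.lower() == "guest",  # assumed value for guest users
        })
    return changes

# Constructed sample snapshots (not real report data).
HEADER = "Resource Path,Item Type,Permission,User Name,User E-mail,User Or Group Type,Link ID,Link Type\n"
LAST_WEEK = HEADER + (
    "Documents/Finance/budget.xlsx,File,Contribute,Dana Lee,dana@example.com,Member,,\n"
    "Documents/Finance/budget.xlsx,File,Read,Sam Roy,sam@example.com,Member,,\n"
)
THIS_WEEK = HEADER + (
    "Documents/Finance/budget.xlsx,File,Contribute,Dana Lee,dana@example.com,Member,,\n"
    "Documents/Finance/budget.xlsx,File,Contribute,Sam Roy,sam@example.com,Member,,\n"
    "Documents/Finance/budget.xlsx,File,Read,Pat Guest,pat@partner.example,Guest,,\n"
)

if __name__ == "__main__":
    for c in diff_reports(LAST_WEEK, THIS_WEEK):
        flag = " [GUEST]" if c["guest"] else ""
        print(f'{c["kind"]:8} {c["resource"]} {c["user"]}: {c["before"]} -> {c["after"]}{flag}')
```

Any `added` or `changed` row on a sensitive path that has no matching approval is a candidate for revocation, and a temporary grant that never shows up as `removed` is the forgotten-access case described in the introduction.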
Using the Lepide Auditor
The native method to audit permission changes in OneDrive can be both time-consuming and complex. A more straightforward solution is to use the Lepide Auditor for OneDrive and run the All Environment Changes Report:
This report includes information about what was changed, who made the change and when it was made.
To run the All Environment Changes Report:
- From the States & Behavior screen, select the All Environment Changes Report.
- Select a date range, select the OneDrive component, filter by Permissions Modified and click Generate Report.
- The report is generated and can be grouped, filtered, saved and exported.