SharePoint Online audit log activity

Aniruddha Aditya 316 Reputation points


I have created an spfx banner and my business condition is to check if external sharing is enabled, domain allowed and everyone M365 group is added to a site or not.

I am able to check the external sharing from the site properties but can't pull the Domain Sharing List and check if "M365 Everyone except external users" is added or not.

I have created a PS script and hosted it in Azure Function that does a check and stores the data on a config list from where the spfx checks.

The issue is, 40k sites...takes a long to iterate and update the config list.

The alternative is to capture the event. If anything thing happens (add user, change policies etc) at the site collection level (Tenant Level), is there any way to trigger an event to a webhook with the site URL? that's sufficient for me to do the rest of the logic.

Same case if everyone is added on a site, an event should trigger with the URL. The rest can be managed in the code?

The question is how do do it?


A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
9,878 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Baker Kong-MSFT 3,796 Reputation points

    Hi @Aniruddha Aditya ,

    SharePoint service only offers list/library webhook. If you want to receive SPO audit event, you may take a reference of Office 365 Management Activity API:

    Best Regards,
    Baker Kong

    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. Aniruddha Aditya 316 Reputation points

    @bakerkadour436qw Kong-MSFT Thank you for your response. Based on your input,

    I have created the APP token and Secret and provided appropriate permission on SharePoint.

    I am getting the AF20023 - The subscription is disabled and not able to fetch the events. Already there are events that I have created from the portal.

    I am using the below code:

    $ClientID = ""
    $ClientSecret = "
    $loginURL = "";
    $tenantdomain = ""
    $TenantGUID = "22e45340-059b-410d-bf4a-sadfsfs"
    $resource = ""

    $body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
    $oauth = Invoke-RestMethod -Method Post -Uri "$loginURL/$TenantGUID/oauth2/token?api-version=1.0" -Body $body
    $headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
    Invoke-WebRequest -Headers $headerParams -Uri "$resource/api/v1.0/$TenantGUID/activity/feed/subscriptions/content?contentType=Audit.SharePoint"

    0 comments No comments