While Data access governance is available in SharePoint admin center portal, large organizations usually look for PowerShell support in order to manage scale via scripting and automation. This article describes how to use the SharePoint Online PowerShell module to manage Data access governance reports.
Important
- PowerShell support for Data access governance is available from module Microsoft.Online.SharePoint.PowerShell version 16.0.25409 or later.
- Run the Connect-SPOService command without the Credential parameter. In line with security best practices, signing in using the Credential parameter isn't supported.
What do I need to create a data access governance report?
What are the license requirements?
Your organization needs to have the right license and meet certain administrative permissions or roles to use the feature described in this article.
First, your organization must have one of the following base licenses:
- Office 365 E3, E5, or A5
- Microsoft 365 E1, E3, E5, or A5
Additionally, you need at least one of these licenses:
- Microsoft 365 Copilot license: At least one user in your organization must be assigned a Copilot license (this user doesn't need to be a SharePoint administrator).
- Microsoft SharePoint Advanced Management license: Available as a standalone purchase.
Administrator requirements
You must be a SharePoint administrator or have equivalent permissions.
Additional information
If your organization has a Copilot license and at least one person in your organization is assigned a Copilot license, SharePoint administrators automatically gain access to the SharePoint Advanced Management features needed for Copilot deployment.
For organizations without a Copilot license, you can use SharePoint Advanced Management features by purchasing a standalone SharePoint Advanced Management license.
What do I need to have before I start?
You must be a SharePoint Administrator or have equivalent permissions in Microsoft 365 to run the PowerShell admin scripts.
Before you use the PowerShell scripts in this article, you need to do the following steps:
If you haven't already done so, download the latest SharePoint Online Management Shell.
Note
If you installed a previous version of the SharePoint Online Management Shell, go to Add or remove programs and uninstall SharePoint Online Management Shell.
In your PowerShell console, connect to SharePoint. To learn how, see Getting started with SharePoint Online Management Shell.
How do I create all reports using PowerShell?
Use the Start-SPODataAccessGovernanceInsight command to generate all reports with appropriate filters and parameters.
How do I generate a site permission state report with PowerShell?
You must understand the permissions setup in your organization, particularly in the wake of Copilot adoption, because Copilot respects user and content permissions. Copilot's data exposure risk increases with the number of users who have permissions or access. The site permission state report provides deep insights into potential exposure, based on the unique number of users who have permissions to every SharePoint and OneDrive site in your organization.
We recommend that you run this report first to get a quick overview of permissions in your organization. This report is a snapshot report. It provides the latest snapshot/status of the entire organization as of the report generation date.
To generate a report for all your SharePoint sites, run the following command:
Start-SPODataAccessGovernanceInsight -ReportEntity PermissionedUsers -ReportType Snapshot -Workload SharePoint -CountOfUsersMoreThan 0 -Name "OrgWidePermissionedUsersReportSharePoint"
To generate a report for all your OneDrive for business accounts, run the following command:
Start-SPODataAccessGovernanceInsight -ReportEntity PermissionedUsers -ReportType Snapshot -Workload OneDriveForBusiness -CountOfUsersMoreThan 0 -Name "OrgWidePermissionedUsersReportODB"
Keep these important points in mind about the report:
- Because these reports are comprehensive and are likely to cover all data in your tenant, the maximum number of reports allowed is 2: one per workload.
- The first report always takes up to five days to complete, regardless of the size of your organization. Subsequent reports complete within 24 hours.
- These reports capture data up to 48 hours before the report generation.
- Once generated, reports can run again once every 30 days.
These commands generate a list of all sites where at least one user can access any content within the site. For more information about how to interpret the report, see How to view the site permissions for your organization report.
Once you understand the extent of oversharing in your tenant, you can track further deviations by focusing on sites that were active in the last 28 days. You can generate reports on sites that were active in key oversharing factors, such as sharing links or content shared with 'Everyone except external users', in the last 28 days.
How do I generate a user permission state report with PowerShell?
While the site permission report for the entire organization helps you understand the current state of permissions in the entire tenant, there are scenarios where you might need to discover the sites accessible to a given user, as described in Get your organization's site permissions baseline with the snapshot report. The following section describes how data access governance helps you generate such a report using PowerShell.
First, fetch the user principal name (UPN) of each user for whom the report needs to be generated, using the Get-MgUser command. Then run the following PowerShell command, which triggers a report listing the SharePoint sites accessible to those users.
Start-SPODataAccessGovernanceInsight -ReportEntity PermissionsReport -ReportType Snapshot -Workload SharePoint -Name "UserSharePointReport" -UserEmailList "a@contoso.com","b@contoso.com"
Important
Although the parameter is named UserEmailList, the report requires user principal names. You can include up to 100 users in a single request.
To list OneDrive accounts accessible to the given users, specify the workload as OneDriveForBusiness.
Start-SPODataAccessGovernanceInsight -ReportEntity PermissionsReport -ReportType Snapshot -Workload OneDriveForBusiness -Name "UserOneDriveReport" -UserEmailList "a@contoso.com","b@contoso.com"
How do I generate a sensitivity label in files report with PowerShell?
Use the following PowerShell commands to trigger a report listing the sites where items were labeled with a given sensitivity label, as of the report generation date.
First, retrieve the label name or label GUID using the Security & Compliance PowerShell module.
Get-Label | Format-Table -Property DisplayName, Name, GUID, ContentType
Then, use the name and GUID to retrieve sites with files labeled with the given label name or GUID.
Start-SPODataAccessGovernanceInsight -ReportEntity SensitivityLabelForFiles -Workload SharePoint -ReportType Snapshot -FileSensitivityLabelGUID "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1" -FileSensitivityLabelName Secret
Note
Currently, the report for OneDriveForBusiness accounts with labeled files isn't supported.
How do I generate sharing link activity reports using PowerShell?
You can use sharing link activity reports to identify sites that are active in collaboration and need quicker intervention to mitigate any potential oversharing risk. These recent-activity-based reports identify the sites that generated the most sharing links in the last 28 days.
You can generate the following sharing link activity reports:
- Sites that created 'Anyone' sharing links in the last 28 days
- Sites that created 'People in your organization' sharing links in the last 28 days
- Sites that created 'Specific people' (guests) sharing links in the last 28 days
Important
If you don't have a Microsoft SharePoint Advanced Management license, you must enable data collection for recent activity based reports so that relevant audit data is collected to build the report. After you enable it, the data is collected and stored for 28 days. You can generate the report 24 hours later, and it contains data from the point of collection. If you don't generate reports even once in three months, data collection is paused and you must enable it again. To enable data collection for these reports, see How do I manage data collection for recent activity based reports?.
How do I report on Anyone sharing links created in last 28 days with PowerShell?
Start-SPODataAccessGovernanceInsight -ReportEntity SharingLinks_Anyone -Workload SharePoint -ReportType RecentActivity
Provide the workload value as OneDriveForBusiness to get all OneDrive accounts with the same criteria.
How do I report on PeopleInYourOrg sharing links created in the last 28 days?
Start-SPODataAccessGovernanceInsight -ReportEntity SharingLinks_PeopleInYourOrg -Workload SharePoint -ReportType RecentActivity
Provide the workload value as OneDriveForBusiness to get all OneDrive accounts with the same criteria.
How do I report on specific people (guests) sharing links created in the last 28 days?
Start-SPODataAccessGovernanceInsight -ReportEntity SharingLinks_Guests -Workload SharePoint -ReportType RecentActivity
Provide the workload value as OneDriveForBusiness to get all OneDrive accounts with the same criteria.
How do I identify content shared with Everyone except external users in last 28 days with PowerShell?
While Sharing links are one possible contributor for potential oversharing, another key contributor is 'Everyone except external users' (EEEU). EEEU makes content public (visible to the entire organization) and makes it easy for others to discover content and get access. These reports identify sites that actively used EEEU at various scopes in the last 28 days.
You can generate the following EEEU activity reports:
- Sites shared with Everyone except external users in last 28 days
- Items shared with Everyone except external users in last 28 days
Important
Currently, the EEEU report for OneDrive for Business only supports the item level. EEEU reports for OneDrive for Business at the site level aren't supported. If you don't have a Microsoft SharePoint Advanced Management license, you must enable data collection for recent activity based reports so that relevant audit data is collected to build the report. After you enable it, the data is collected and stored for 28 days. You can generate the report 24 hours later, and it contains data from the point of collection. If you don't generate reports even once in three months, data collection is paused and you must enable it again. To enable data collection for these reports, see How do I manage data collection for recent activity based reports?.
How do I identify sites shared with Everyone except external users in last 28 days with PowerShell?
When you add EEEU to a site membership (owners, members, or visitors), the entire content of the site becomes public and more prone to oversharing. Run the following PowerShell command to trigger the report to capture such sites in the last 28 days for SharePoint sites:
Start-SPODataAccessGovernanceInsight -ReportEntity EveryoneExceptExternalUsersAtSite -Workload SharePoint -ReportType RecentActivity -Name "PublicSiteViaEEEU"
How do I identify items shared with Everyone except external users in last 28 days with PowerShell?
Run the following PowerShell command to trigger the report that captures specific items (files, folders, or lists) shared with EEEU in the last 28 days for SharePoint sites. Note that the report entity is EveryoneExceptExternalUsersForItems, not the site-level entity used in the previous section:
Start-SPODataAccessGovernanceInsight -ReportEntity EveryoneExceptExternalUsersForItems -Workload SharePoint -ReportType RecentActivity -Name "ItemsSharedViaEEEU"
Note
Replace the workload value with 'OneDriveForBusiness' to get items shared with Everyone except external users for all OneDrive accounts with the same criteria.
How do I manage data collection for recent activity based reports?
Important
If you don't have a Microsoft SharePoint Advanced Management license, you must enable data collection for recent activity based reports so that relevant audit data is collected to build the report. After you enable it, you can generate the report 24 hours later, and it will contain data from the point of collection. Data is stored for 28 days. If you don't generate reports even once in three months, data collection is paused and you must enable it again.
How do I enable data collection for recent activity based reports?
This PowerShell command starts collecting audit data for reports on activities from the last 28 days.
Start-SPOAuditDataCollectionForActivityInsights -ReportEntity SharingLinks_Anyone
The applicable values for the ReportEntity parameter are SharingLinks_Anyone, SharingLinks_PeopleInYourOrg, SharingLinks_Guests, EveryoneExceptExternalUsersAtSite, EveryoneExceptExternalUsersForItems, and CopilotAppInsights.
How do I disable data collection for recent activity based reports?
This PowerShell command stops collecting audit data for reports on activities from the last 28 days.
Stop-SPOAuditDataCollectionForActivityInsights -ReportEntity SharingLinks_Anyone
How do I check the data collection status for recent activity based reports?
Once data collection is enabled, reports can be generated after 24 hours. To check whether reports can be generated, use the Get-SPOAuditDataCollectionStatusForActivityInsights command. It returns the current data collection status, which can be NotInitiated, InProgress, or Paused. Reports can be generated only when the status is InProgress.
Get-SPOAuditDataCollectionStatusForActivityInsights -ReportEntity SharingLinks_Anyone
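The following script is an added example, not from the original article: it checks the data collection status for each recent-activity report entity, enables collection where it is NotInitiated or Paused, and triggers the SharePoint recent-activity report only for entities whose collection is already InProgress. It assumes an existing Connect-SPOService session; the property name used to read the status is an assumption, so the helper falls back to the object's string form.

```powershell
# Added example (not part of the original article or the SharePoint module).
# Assumes you already ran Connect-SPOService.

# Recent-activity entities described in this article (CopilotAppInsights is
# a data collection entity but not a report generated here, so it is omitted).
$entities = 'SharingLinks_Anyone', 'SharingLinks_PeopleInYourOrg', 'SharingLinks_Guests',
            'EveryoneExceptExternalUsersAtSite', 'EveryoneExceptExternalUsersForItems'

function Get-CollectionState([string]$Entity) {
    $result = Get-SPOAuditDataCollectionStatusForActivityInsights -ReportEntity $Entity
    # Assumption: the status is exposed as a Status property. If the module
    # returns a bare value instead, use its string form.
    if ($null -ne $result.Status) { return [string]$result.Status }
    return [string]$result
}

$waitingOn = @()
$triggered = @()
foreach ($entity in $entities) {
    $state = Get-CollectionState $entity
    switch ($state) {
        'InProgress' {
            # Collection is running, so the 28-day report can be generated now.
            $report = Start-SPODataAccessGovernanceInsight -ReportEntity $entity `
                -Workload SharePoint -ReportType RecentActivity
            $triggered += $report
            Write-Host "$entity : triggered report $($report.ReportId) ($($report.Status))"
        }
        { $_ -in 'NotInitiated', 'Paused' } {
            # Enable collection; the article states reports are available 24 hours later.
            Start-SPOAuditDataCollectionForActivityInsights -ReportEntity $entity
            $waitingOn += $entity
            Write-Host "$entity : was $state, collection enabled; retry after 24 hours"
        }
        default { Write-Warning "$entity : unexpected data collection status '$state'" }
    }
}

Write-Host "Triggered $($triggered.Count) report(s); waiting on collection for: $($waitingOn -join ', ')"
```

Run the script again after 24 hours for the entities it reports as waiting; because collection pauses if no report is generated for three months, scheduling it is a reasonable way to keep collection alive.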
How do I track reports using PowerShell?
Important
Every report creation returns a GUID that can be used to track the report status.
Start-SPODataAccessGovernanceInsight -ReportEntity SensitivityLabelForFiles -Workload SharePoint -ReportType Snapshot -FileSensitivityLabelGUID "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1" -FileSensitivityLabelName Secret
ReportId Status
-------- ------
a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 NotStarted
Use the Get-SPODataAccessGovernanceInsight command to retrieve the current status of a specific Data access governance report using the report ID.
Get-SPODataAccessGovernanceInsight -ReportID a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1
ReportId : a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1
ReportEntity : SharingLinks_Anyone
Status : InQueue
Workload : SharePoint
TriggeredDateTime : 11/13/2024 19:32:34
CreatedDateTime : 11/13/2024 20:09:23
ReportStartTime : 10/17/2024 19:32:33
ReportEndTime : 11/13/2024 19:32:33
ReportType : RecentActivity
SitesFound : 120
The ReportStartTime and ReportEndTime indicate the period of data to generate the report. The status is marked as Completed when the report generation is complete.
You can also view the current status of DAG reports by filtering on ReportEntity instead of by ID. The ReportId is listed in the output and is required later to download a specific report.
Get-SPODataAccessGovernanceInsight -ReportEntity PermissionedUsers
ReportId : a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1
ReportName : PermissionReportFor1AsOfSept
ReportEntity : PermissionedUsers
Status : Completed
Workload : SharePoint
TriggeredDateTime : 09/18/2024 11:06:16
CreatedDateTime : 09/22/2024 12:12:48
ReportType : Snapshot
CountOfUsersMoreThan : 1
CountOfSitesInReport : 7
CountOfSitesInTenant : 22
Privacy : All
Sensitivity : {All}
Templates : {All}
ReportId : b1b1b1b1-cccc-dddd-eeee-f2f2f2f2f2f2
ReportName : PermissionReportFor1AsOfOct
ReportEntity : PermissionedUsers
Status : Completed
Workload : SharePoint
TriggeredDateTime : 10/09/2024 14:15:40
CreatedDateTime : 10/09/2024 15:18:23
ReportType : Snapshot
CountOfUsersMoreThan : 100
CountOfSitesInReport : 0
CountOfSitesInTenant : 26
Privacy : All
Sensitivity : {All}
Templates : {All}
How do I view and download reports using PowerShell?
To download a specific report, you need the reportID. Retrieve the reportID using the Get-SPODataAccessGovernanceInsight command and use the Export-SPODataAccessGovernanceInsight command to download the report to a specified path.
Export-SPODataAccessGovernanceInsight -ReportID a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 -DownloadPath "C:\Users\TestUser\Documents\DAGReports"
This command downloads a CSV file to the specified path. Details of the CSV/view for each report are available in How to access the Data access governance reports in the SharePoint admin center.
Note
The default download path is the Downloads folder.
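The following script is an added example, not from the original article: it ties the sections above together by triggering the org-wide permissioned-users snapshot for both workloads, polling each ReportId with Get-SPODataAccessGovernanceInsight until the status is Completed, and then exporting the CSV. It assumes an existing Connect-SPOService session; the download path and polling interval are chosen values.

```powershell
# Added example (not part of the original article or the SharePoint module).
# Assumes you already ran Connect-SPOService.
param(
    [string]$DownloadPath = "C:\DAGReports",   # chosen value
    [int]$PollMinutes = 60                      # chosen value; first run can take up to 5 days
)

# Trigger one snapshot per workload (the article allows at most one per workload).
$reportIds = @{}
foreach ($workload in 'SharePoint', 'OneDriveForBusiness') {
    $result = Start-SPODataAccessGovernanceInsight `
        -ReportEntity PermissionedUsers -ReportType Snapshot `
        -Workload $workload -CountOfUsersMoreThan 0 `
        -Name "OrgWidePermissionedUsersReport_$workload"
    $reportIds[$workload] = $result.ReportId
    Write-Host "Triggered $workload report $($result.ReportId) (status: $($result.Status))"
}

# Keep the IDs: re-triggering is not possible for 30 days, so a later run
# should resume with these IDs rather than call Start-... again.
$reportIds.GetEnumerator() | ForEach-Object { "$($_.Key),$($_.Value)" } |
    Set-Content -Path (Join-Path $DownloadPath 'pending-report-ids.csv')

# Poll until every report is Completed, exporting each as soon as it is ready.
while ($reportIds.Count -gt 0) {
    foreach ($workload in @($reportIds.Keys)) {
        $report = Get-SPODataAccessGovernanceInsight -ReportID $reportIds[$workload]
        if ($report.Status -eq 'Completed') {
            Export-SPODataAccessGovernanceInsight -ReportID $report.ReportId -DownloadPath $DownloadPath
            Write-Host "$workload report exported to $DownloadPath; sites in report: $($report.CountOfSitesInReport) of $($report.CountOfSitesInTenant)"
            $reportIds.Remove($workload)
        } else {
            Write-Host "$workload report still $($report.Status); checking again in $PollMinutes minutes"
        }
    }
    if ($reportIds.Count -gt 0) { Start-Sleep -Seconds ($PollMinutes * 60) }
}
```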
How do I perform remedial actions using PowerShell?
After you generate data access governance reports, you can perform remedial actions as described in Remedial actions from Data access governance reports. The following section describes PowerShell commands to trigger and track 'site access review' as a remedial action.
How do I initiate Site access review using PowerShell?
Use the Start-SPOSiteReview command to initiate a site access review for a specific site, listed under a data access governance report. The data access governance report provides the context under which you should initiate the review. Retrieve the report ID and site ID from the CSV file and provide comments to give clarity to the site owner regarding the purpose of the review.
Start-SPOSiteReview -ReportID a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 -SiteID c2c2c2c2-dddd-eeee-ffff-a3a3a3a3a3a3 -Comment "Check for org wide access"
ReviewId : a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1
SiteId : c2c2c2c2-dddd-eeee-ffff-a3a3a3a3a3a3
ReviewInitiatedDateTime : 13-11-2024 20:55:41
ReportEntity : PermissionedUsers
Status : Pending
AdminComment : Check for org wide access
SiteName : All Company
This command generates emails to the site owner as described in How to initiate a site access review.
How do I track Site access reviews using PowerShell?
Use the Get-SPOSiteReview command to track the status of site access reviews. For a specific review, use the ReviewID value shown in the output of Start-SPOSiteReview. To retrieve all reviews related to a reporting module, use the ReportEntity parameter.
Get-SPOSiteReview -ReportEntity PermissionedUsers
ReviewId : a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1
SiteId : c2c2c2c2-dddd-eeee-ffff-a3a3a3a3a3a3
ReviewInitiatedDateTime : 13-11-2024 20:55:41
ReviewCompletedDateTime :
ReportCreatedDateTime : 13-11-2024 23:25:41
ReportEndDateTime : 13-11-2024 23:25:41
ReportEntity : PermissionedUsers
Status : Pending
AdminComment : Check for org wide access
SiteName : All Company
ReviewerEmail :
ReviewerComment :
ReviewId : a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1
SiteId : c2c2c2c2-dddd-eeee-ffff-a3a3a3a3a3a3
ReviewInitiatedDateTime : 24-10-2024 11:07:39
ReviewCompletedDateTime : 15-11-2024 11:07:39
ReportCreatedDateTime : 15-10-2024 09:24:47
ReportEndDateTime : 15-10-2024 11:39:52
ReportEntity : PermissionedUsers
Status : Completed
AdminComment : Check for org wide access
SiteName : All Company
ReviewerEmail : Jon@contosofinance.com
ReviewerComment : Removed EEEU for sensitive documents
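The following script is an added example, not from the original article: it starts a site access review for every site listed in an exported PermissionedUsers report CSV, but first queries Get-SPOSiteReview so that sites with a review already Pending are not sent a second request. It assumes an existing Connect-SPOService session; the name of the CSV column that holds the site ID is an assumption (the article does not list the CSV columns), so it is a parameter you set to match your exported file.

```powershell
# Added example (not part of the original article or the SharePoint module).
# Assumes you already ran Connect-SPOService.
param(
    [Parameter(Mandatory)][string]$ReportId,   # ReportId from Get-SPODataAccessGovernanceInsight
    [Parameter(Mandatory)][string]$CsvPath,    # file written by Export-SPODataAccessGovernanceInsight
    [string]$SiteIdColumn = 'SiteId',          # ASSUMPTION: set to the real header in your CSV
    [string]$Comment = 'Check for org wide access'
)

# Sites that already have a Pending review for this reporting module.
$pendingSites = @(Get-SPOSiteReview -ReportEntity PermissionedUsers |
    Where-Object { $_.Status -eq 'Pending' } |
    ForEach-Object { $_.SiteId })

$rows = @(Import-Csv -Path $CsvPath)
if ($rows.Count -eq 0) { throw "No rows found in $CsvPath" }
$headers = $rows[0].PSObject.Properties.Name
if ($headers -notcontains $SiteIdColumn) {
    throw "Column '$SiteIdColumn' not found in $CsvPath. Available columns: $($headers -join ', ')"
}

$started = @()
$skipped = 0
foreach ($row in $rows) {
    $siteId = $row.$SiteIdColumn
    if ([string]::IsNullOrWhiteSpace($siteId)) { continue }
    if ($pendingSites -contains $siteId) {
        # Avoid emailing the owner again while an earlier review is still open.
        $skipped++
        continue
    }
    $review = Start-SPOSiteReview -ReportID $ReportId -SiteID $siteId -Comment $Comment
    $started += $review
    Write-Host "Started review $($review.ReviewId) for '$($review.SiteName)' (status: $($review.Status))"
}

Write-Host "Started $($started.Count) review(s); skipped $skipped site(s) with a review already pending"
```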