While Data access governance is available in the SharePoint admin center, large organizations usually look for PowerShell support so that they can manage at scale through scripting and automation. This article describes how to use the SharePoint Online PowerShell module to manage Data access governance reports.
Important
- PowerShell support for Data access governance is available in the "Microsoft.Online.SharePoint.PowerShell" module from version "16.0.25409" onwards.
- Run the Connect-SPOService command without the Credential parameter. In line with current security practices, sign-in using the Credential parameter isn't supported.
What do I need to create a data access governance report?
What are the license requirements?
Your organization needs to have the right license and meet certain administrative permissions or roles to use the feature described in this article.
First, your organization must have one of the following base licenses:
- Office 365 E3, E5, or A5
- Microsoft 365 E1, E3, E5, or A5
Additionally, you need at least one of these licenses:
- Microsoft 365 Copilot license: At least one user in your organization must be assigned a Copilot license (this user doesn't need to be a SharePoint administrator).
- Microsoft SharePoint Advanced Management license: Available as a standalone purchase.
Administrator requirements
You must be a SharePoint administrator or have equivalent permissions.
Additional information
If your organization has a Copilot license and at least one person in your organization is assigned a Copilot license, SharePoint administrators automatically gain access to the SharePoint Advanced Management features needed for Copilot deployment.
For organizations without a Copilot license, you can use SharePoint Advanced Management features by purchasing a standalone SharePoint Advanced Management license.
What do I need to have before I start?
You must be a SharePoint Administrator or have equivalent permissions in Microsoft 365 to run the PowerShell admin scripts.
Before you use the PowerShell scripts in this article, you need to do the following steps:
If you haven't, download the latest SharePoint Online Management Shell.
Note
If you installed a previous version of the SharePoint Online Management Shell, go to Add or remove programs and uninstall "SharePoint Online Management Shell."
Connect to SharePoint as a SharePoint Administrator or with equivalent permissions in Microsoft 365. To learn how, see Getting started with SharePoint Online Management Shell.
How do I create all reports using PowerShell?
Use the Start-SPODataAccessGovernanceInsight command with the appropriate filters and parameters to generate any of the reports described in the following sections.
How do I generate a site permission state report with PowerShell?
You must understand the permissions setup in your organization, particularly in the wake of Copilot adoption, as it respects user and content permissions. Copilot's data exposure risk increases with the number of users having permissions/access. This report provides deep insights into the 'exposure' (the unique number of users having permissions) of every SharePoint and OneDrive site in your organization.
We recommend that you run this report first to get a quick overview of permissions in your organization.
This report is a 'snapshot' report. It provides the latest snapshot/status of the entire organization as of the report generation date.
To generate a report for all your SharePoint sites, run the following command:
Start-SPODataAccessGovernanceInsight -ReportEntity PermissionedUsers -ReportType Snapshot -Workload SharePoint -CountOfUsersMoreThan 0 -Name "OrgWidePermissionedUsersReportSharePoint"
To generate a report for all your OneDrive for business accounts, run the following command:
Start-SPODataAccessGovernanceInsight -ReportEntity PermissionedUsers -ReportType Snapshot -Workload OneDriveForBusiness -CountOfUsersMoreThan 0 -Name "OrgWidePermissionedUsersReportODB"
Review the following important information about the report runs.
- Since these reports are comprehensive and are likely to cover all data in your tenant, the maximum number of these reports allowed is 2: one per workload.
- The first report always takes up to five days to complete, irrespective of the size of the organization. Subsequent reports complete within 24 hours.
- These reports capture data up to 48 hours before the report generation.
- Once generated, a report can be run again only once every 30 days.
These commands generate a list of all sites where at least one user can access any content within the site. More information about the list of sites and how to interpret the results is provided here.
Once you understand the extent of oversharing in your tenant, you can track further deviations specifically on sites that were active in the last 28 days. You can generate reports on sites that were active in the last 28 days in key indicators of potential oversharing, such as 'Sharing links' or content shared with 'Everyone except external users'.
How do I generate a sensitivity label in files report with PowerShell?
Run this PowerShell command to trigger the report to list sites where specific items were labeled with a given 'label', as of the report generation date.
First, retrieve the label name or label GUID using the "Security and compliance" PowerShell module.
Get-Label | Format-Table -Property DisplayName, Name, GUID, ContentType
Then, use the Name AND GUID to retrieve sites with files labeled with the given label name or GUID.
Start-SPODataAccessGovernanceInsight -ReportEntity SensitivityLabelForFiles -Workload SharePoint -ReportType Snapshot -FileSensitivityLabelGUID "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1" -FileSensitivityLabelName Secret
Note
Currently, the report for 'OneDriveForBusiness' accounts with labeled files isn't supported.
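The following script is an added example, not code from the original article. It resolves the label by its display name in the Security & Compliance session and passes both the GUID and the Name into the report request, so the two values can't drift apart when copied by hand. It assumes the ExchangeOnlineManagement module is installed (Connect-IPPSSession and Get-Label come from it), that Connect-SPOService has already been run, and that the label you want is identified by its display name 'Secret'.

```powershell
# Added example: resolve a sensitivity label and start the labeled-files report.
# Assumes ExchangeOnlineManagement is installed and Connect-SPOService was already run.
Connect-IPPSSession

$displayName = 'Secret'   # label to report on; adjust for your tenant

# Match on DisplayName and insist on exactly one hit: an ambiguous match would
# silently produce a report for the wrong label.
$labels = @(Get-Label | Where-Object { $_.DisplayName -eq $displayName })
if ($labels.Count -ne 1) {
    throw "Expected exactly one label with display name '$displayName', found $($labels.Count)."
}
$label = $labels[0]

$report = Start-SPODataAccessGovernanceInsight `
    -ReportEntity SensitivityLabelForFiles `
    -Workload SharePoint `
    -ReportType Snapshot `
    -FileSensitivityLabelGUID $label.Guid `
    -FileSensitivityLabelName $label.Name

# Keep the ReportId; it is needed later to poll the status and export the CSV.
Write-Host "Started label report $($report.ReportId) for '$($label.DisplayName)' ($($label.Guid))"
```

Matching on DisplayName rather than Name is a deliberate choice: administrators usually know the label by the text shown in Office clients, while Name is the internal identifier that the report parameter expects.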
How do I generate sharing link activity reports using PowerShell?
You can use sharing link activity reports to identify sites that are active in collaboration and need quicker intervention to mitigate any potential oversharing risk. These 'RecentActivity' based reports identify the sites that generated the largest number of sharing links in the last 28 days.
You can generate the following sharing link activity reports:
- Sites that created 'Anyone' sharing links in the last 28 days
- Sites that created 'People in your organization' sharing links in the last 28 days
- Sites that created 'Specific people' (guests) sharing links in the last 28 days
Important
If you don't have a Microsoft SharePoint Advanced Management license, you must enable data collection for 'RecentActivity' based reports so that the product starts to collect the relevant audit data to build this report. After you enable it, the data is collected and stored for 28 days. You can generate the reports 24 hours later, and they contain data from the point of collection. If you don't generate reports even once in three months, data collection is paused and you must enable it again. To enable data collection for these reports, see How do I manage data collection for recent activity based reports?.
How do I report on Anyone sharing links created in the last 28 days with PowerShell?
Start-SPODataAccessGovernanceInsight -ReportEntity SharingLinks_Anyone -Workload SharePoint -ReportType RecentActivity
Provide the workload value as 'OneDriveForBusiness' to get all OneDrive accounts with the same criteria.
How do I report on PeopleInYourOrg sharing links created in the last 28 days?
Start-SPODataAccessGovernanceInsight -ReportEntity SharingLinks_PeopleInYourOrg -Workload SharePoint -ReportType RecentActivity
Provide the workload value as 'OneDriveForBusiness' to get all OneDrive accounts with the same criteria.
How do I report on specific people (guests) sharing links created in the last 28 days?
Start-SPODataAccessGovernanceInsight -ReportEntity SharingLinks_Guests -Workload SharePoint -ReportType RecentActivity
Provide the workload value as 'OneDriveForBusiness' to get all OneDrive accounts with the same criteria.
How do I identify content shared with Everyone except external users in the last 28 days with PowerShell?
While Sharing links are one possible contributor for potential oversharing, another key contributor is 'Everyone except external users' (EEEU). EEEU makes content 'public' (visible to the entire organization) and makes it easy for others to discover content and get access. These reports identify sites that actively used EEEU at various scopes in the last 28 days.
You can generate the following EEEU activity reports:
- Sites shared with Everyone except external users in the last 28 days
- Items shared with Everyone except external users in the last 28 days
Important
Currently EEEU report for OneDriveForBusiness only supports the item level. EEEU report for OneDriveForBusiness at the site level isn't supported. If you don't have a Microsoft SharePoint Advanced Management license, you must enable data collection for 'RecentActivity' based reports so that the product starts to collect the relevant audit data to build this report. After you enable it, the data is collected and stored for 28 days. You can generate the reports 24 hours later, and they contain data from the point of collection. If you don't generate reports even once in three months, data collection is paused and you must enable it again. To enable data collection for these reports, see How do I manage data collection for recent activity based reports?.
How do I identify sites shared with Everyone except external users in the last 28 days with PowerShell?
When you add EEEU to a site membership (owners, members, or visitors), the entire content of the site becomes public and more prone to oversharing. Run the following PowerShell command to trigger the report to capture such sites in the last 28 days for SharePoint sites:
Start-SPODataAccessGovernanceInsight -ReportEntity EveryoneExceptExternalUsersAtSite -Workload SharePoint -ReportType RecentActivity -Name "PublicSiteViaEEEU"
How do I identify items shared with Everyone except external users in the last 28 days with PowerShell?
Run the following PowerShell command to trigger the report to capture specific items (files/folders/lists) that were shared with EEEU in the last 28 days for SharePoint sites. Note that the report entity is EveryoneExceptExternalUsersForItems, not the site-level entity used in the previous section:
Start-SPODataAccessGovernanceInsight -ReportEntity EveryoneExceptExternalUsersForItems -Workload SharePoint -ReportType RecentActivity -Name "ItemsSharedViaEEEU"
Note
Replace the workload value with 'OneDriveForBusiness' to get items shared with Everyone except external users for all OneDrive accounts with the same criteria.
How do I manage data collection for recent activity based reports?
Important
If you don't have a Microsoft SharePoint Advanced Management license, you must enable data collection for 'RecentActivity' based reports so that the product starts to collect the relevant audit data to build this report. After you enable it, you can generate the reports 24 hours later, and they contain data from the point of collection. Data is stored for 28 days. If you don't generate reports even once in three months, data collection is paused and you must enable it again.
How do I enable data collection for recent activity based reports?
This PowerShell command starts collecting audit data for reports on activities from the last 28 days.
Start-SPOAuditDataCollectionForActivityInsights -ReportEntity SharingLinks_Anyone
The applicable values for the ReportEntity parameter are SharingLinks_Anyone, SharingLinks_PeopleInYourOrg, SharingLinks_Guests, EveryoneExceptExternalUsersAtSite, EveryoneExceptExternalUsersForItems, and CopilotAppInsights.
How do I disable data collection for recent activity based reports?
This PowerShell command stops collecting audit data for reports on activities from the last 28 days.
Stop-SPOAuditDataCollectionForActivityInsights -ReportEntity SharingLinks_Anyone
How do I check the data collection status for recent activity based reports?
Once data collection is enabled, the reports can be generated after 24 hours. To check whether reports can be generated, use the PowerShell command Get-SPOAuditDataCollectionStatusForActivityInsights. The command returns the current data collection status, which can be NotInitiated, InProgress, or Paused. Reports can be generated when the status is InProgress.
Get-SPOAuditDataCollectionStatusForActivityInsights -ReportEntity SharingLinks_Anyone
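Because collection is paused after three months without a report run, it is worth checking every RecentActivity entity before you rely on those reports. The following script is an added example, not code from the original article: it reads the collection status for each sharing-link and EEEU entity named above and (re)enables collection where it is NotInitiated or Paused. It assumes Connect-SPOService has already been run and that the state keyword (NotInitiated, InProgress or Paused) appears in the cmdlet's default output; the exact property name is not documented here, so the script matches on the rendered text instead of a property.

```powershell
# Added example: audit and (re)enable data collection for RecentActivity reports.
# Assumes Connect-SPOService was already run. Entity names are those the article
# lists for -ReportEntity (CopilotAppInsights is left out on purpose).
$entities = @(
    'SharingLinks_Anyone',
    'SharingLinks_PeopleInYourOrg',
    'SharingLinks_Guests',
    'EveryoneExceptExternalUsersAtSite',
    'EveryoneExceptExternalUsersForItems'
)

$summary = foreach ($entity in $entities) {
    # Render the status object as text and pick out the state keyword, so the check
    # does not depend on the property name (assumption: the state shows up in the
    # default output as NotInitiated, InProgress or Paused).
    $text  = Get-SPOAuditDataCollectionStatusForActivityInsights -ReportEntity $entity | Out-String
    $state = if ($text -match 'NotInitiated|InProgress|Paused') { $Matches[0] } else { 'Unknown' }

    $action = 'none'
    if ($state -in @('NotInitiated', 'Paused')) {
        # Collection is off or was paused after three months without a report run.
        # Reports become available 24 hours after this call.
        Start-SPOAuditDataCollectionForActivityInsights -ReportEntity $entity
        $action = 'enabled'
    }
    elseif ($state -eq 'Unknown') {
        # Unexpected output shape: surface it rather than guess.
        $action = 'check manually'
    }

    [pscustomobject]@{ ReportEntity = $entity; StatusBefore = $state; Action = $action }
}

$summary | Format-Table -AutoSize
```

Run it on a schedule (for example, monthly) and you will never hit the "no data" case where a sharing-link report is requested against a paused collector; the summary table also gives you an audit trail of which entities were re-enabled and when.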
How do I track reports using PowerShell?
Important
Every report creation returns a GUID that you can use to track the report status.
Start-SPODataAccessGovernanceInsight -ReportEntity SensitivityLabelForFiles -Workload SharePoint -ReportType Snapshot -FileSensitivityLabelGUID "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1" -FileSensitivityLabelName Secret
ReportId Status
-------- ------
a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 NotStarted
Use the Get-SPODataAccessGovernanceInsight command to retrieve the current status of a specific Data access governance report using the report ID.
Get-SPODataAccessGovernanceInsight -ReportID a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1
ReportId : a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1
ReportEntity : SharingLinks_Anyone
Status : InQueue
Workload : SharePoint
TriggeredDateTime : 11/13/2024 19:32:34
CreatedDateTime : 11/13/2024 20:09:23
ReportStartTime : 10/17/2024 19:32:33
ReportEndTime : 11/13/2024 19:32:33
ReportType : RecentActivity
SitesFound : 120
The ReportStartTime and ReportEndTime indicate the period of data to generate the report. The status is marked as 'Completed' when the report generation is complete.
You can also view the current status of DAG reports by filtering on ReportEntity instead of ReportID. The ReportId is listed in the output and is required later to download a specific report.
Get-SPODataAccessGovernanceInsight -ReportEntity PermissionedUsers
ReportId : a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1
ReportName : PermissionReportFor1AsOfSept
ReportEntity : PermissionedUsers
Status : Completed
Workload : SharePoint
TriggeredDateTime : 09/18/2024 11:06:16
CreatedDateTime : 09/22/2024 12:12:48
ReportType : Snapshot
CountOfUsersMoreThan : 1
CountOfSitesInReport : 7
CountOfSitesInTenant : 22
Privacy : All
Sensitivity : {All}
Templates : {All}
ReportId : b1b1b1b1-cccc-dddd-eeee-f2f2f2f2f2f2
ReportName : PermissionReportFor1AsOfOct
ReportEntity : PermissionedUsers
Status : Completed
Workload : SharePoint
TriggeredDateTime : 10/09/2024 14:15:40
CreatedDateTime : 10/09/2024 15:18:23
ReportType : Snapshot
CountOfUsersMoreThan : 100
CountOfSitesInReport : 0
CountOfSitesInTenant : 26
Privacy : All
Sensitivity : {All}
Templates : {All}
How do I view and download reports using PowerShell?
To download a specific report, you need the reportID. Retrieve the reportID using the Get-SPODataAccessGovernanceInsight command and use the Export-SPODataAccessGovernanceInsight command to download the report to a specified path.
Export-SPODataAccessGovernanceInsight -ReportID a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 -DownloadPath "C:\Users\TestUser\Documents\DAGReports"
This downloads a CSV file to the specified path. Details of the CSV/view for each report are discussed here.
Note
The default download path is the 'Downloads' folder.
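The three steps above (start a report, poll its status, export the CSV) are usually run together from one script. The following is an added example, not code from the original article, that runs the org-wide permissioned-users snapshot for SharePoint end to end. It assumes Connect-SPOService has already been run, that the Status property reads 'Completed' when the report is done (the article shows NotStarted, InQueue and Completed), and that C:\DAGReports is a local folder you are allowed to write to.

```powershell
# Added example: start a snapshot report, wait for it, export the CSV.
# Assumes Connect-SPOService was already run.
$downloadPath = 'C:\DAGReports'   # assumed local folder; adjust as needed
$pollMinutes  = 30                # snapshot reports take hours to days, so poll slowly
$maxHours     = 120               # the first run can take up to five days per the article

$report = Start-SPODataAccessGovernanceInsight `
    -ReportEntity PermissionedUsers `
    -ReportType Snapshot `
    -Workload SharePoint `
    -CountOfUsersMoreThan 0 `
    -Name "OrgWidePermissionedUsersReportSharePoint_$(Get-Date -Format yyyyMMdd)"
$reportId = $report.ReportId
Write-Host "Report $reportId started; polling every $pollMinutes minutes."

# Poll by ReportId until the status flips to Completed or the deadline passes.
$deadline = (Get-Date).AddHours($maxHours)
do {
    Start-Sleep -Seconds ($pollMinutes * 60)
    $status = (Get-SPODataAccessGovernanceInsight -ReportID $reportId).Status
    Write-Host "$(Get-Date -Format s)  $reportId  $status"
} while ($status -ne 'Completed' -and (Get-Date) -lt $deadline)

if ($status -ne 'Completed') {
    throw "Report $reportId did not complete within $maxHours hours (last status: $status)."
}

# Export to an explicit folder rather than the default Downloads location, so the
# CSV ends up where your review tooling expects it.
New-Item -ItemType Directory -Path $downloadPath -Force | Out-Null
Export-SPODataAccessGovernanceInsight -ReportID $reportId -DownloadPath $downloadPath

# Sanity-check the export: list the CSV(s) that landed in the folder.
Get-ChildItem -Path $downloadPath -Filter *.csv | Select-Object Name, Length, LastWriteTime
```

Don't schedule this more often than the limits allow: only one snapshot report per workload can exist at a time, and each can be re-run only once every 30 days, so a monthly run per workload is the practical ceiling.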
How do I perform remedial actions using PowerShell?
After you generate Data access governance reports, you can perform remedial actions as described in Remedial actions from Data access governance reports. The following section describes PowerShell commands to trigger and track 'site access review' as a remedial action.
How do I initiate Site access review using PowerShell?
Use the Start-SPOSiteReview command to initiate a site access review for a specific site, listed under a Data access governance report. The Data access governance report provides the context under which you should initiate the review. Retrieve the reportID and site ID from the CSV file and provide comments to give clarity to the site owner regarding the purpose of the review.
Start-SPOSiteReview -ReportID a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 -SiteID c2c2c2c2-dddd-eeee-ffff-a3a3a3a3a3a3 -Comment "Check for org wide access"
ReviewId : a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1
SiteId : c2c2c2c2-dddd-eeee-ffff-a3a3a3a3a3a3
ReviewInitiatedDateTime : 13-11-2024 20:55:41
ReportEntity : PermissionedUsers
Status : Pending
AdminComment : Check for org wide access
SiteName : All Company
This triggers emails to the site owner as described here.
How do I track Site access reviews using PowerShell?
Use the Get-SPOSiteReview command to track the status of site access reviews. For a specific review, use the ReviewID value shown in the output of Start-SPOSiteReview. To retrieve all reviews related to a reporting module, use the ReportEntity parameter.
Get-SPOSiteReview -ReportEntity PermissionedUsers
ReviewId : a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1
SiteId : c2c2c2c2-dddd-eeee-ffff-a3a3a3a3a3a3
ReviewInitiatedDateTime : 13-11-2024 20:55:41
ReviewCompletedDateTime :
ReportCreatedDateTime : 13-11-2024 23:25:41
ReportEndDateTime : 13-11-2024 23:25:41
ReportEntity : PermissionedUsers
Status : Pending
AdminComment : Check for org wide access
SiteName : All Company
ReviewerEmail :
ReviewerComment :
ReviewId : a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1
SiteId : c2c2c2c2-dddd-eeee-ffff-a3a3a3a3a3a3
ReviewInitiatedDateTime : 24-10-2024 11:07:39
ReviewCompletedDateTime : 15-11-2024 11:07:39
ReportCreatedDateTime : 15-10-2024 09:24:47
ReportEndDateTime : 15-10-2024 11:39:52
ReportEntity : PermissionedUsers
Status : Completed
AdminComment : Check for org wide access
SiteName : All Company
ReviewerEmail : Jon@contosofinance.com
ReviewerComment : Removed EEEU for sensitive documents
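Initiating reviews one site at a time doesn't scale to a report that lists dozens of sites. The following script is an added example, not code from the original article: it reads the exported CSV for a PermissionedUsers report, opens a site access review for every site that doesn't already have one pending, and then summarises review status per state. It assumes Connect-SPOService has already been run, that the CSV was produced by Export-SPODataAccessGovernanceInsight for the ReportId given, and that the column holding the site identifier is named as in $siteIdColumn (an assumption: check the header row of your own export and adjust).

```powershell
# Added example: bulk-initiate site access reviews from an exported DAG CSV and
# summarise their status. Assumes Connect-SPOService was already run.
$reportId     = 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1'        # ReportId from Get-SPODataAccessGovernanceInsight
$csvPath      = 'C:\DAGReports\OrgWidePermissionedUsersReportSharePoint.csv'   # assumed path
$siteIdColumn = 'Site ID'                                       # assumed column name; verify against your CSV header
$comment      = 'Confirm that org-wide access to this site is intended'

$rows = @(Import-Csv -Path $csvPath)
if ($rows.Count -eq 0) { throw "No rows found in $csvPath." }
if (-not ($rows[0].PSObject.Properties.Name -contains $siteIdColumn)) {
    throw "Column '$siteIdColumn' not found in $csvPath. Columns: $($rows[0].PSObject.Properties.Name -join ', ')"
}

# Avoid double-triggering: collect sites that already have a pending review for this entity.
$pending = @(Get-SPOSiteReview -ReportEntity PermissionedUsers |
    Where-Object { $_.Status -eq 'Pending' } |
    ForEach-Object { $_.SiteId })

$started = @(foreach ($row in $rows) {
    $siteId = $row.$siteIdColumn
    if ([string]::IsNullOrWhiteSpace($siteId) -or ($pending -contains $siteId)) { continue }
    Start-SPOSiteReview -ReportID $reportId -SiteID $siteId -Comment $comment
})
Write-Host "Started $($started.Count) new review(s); $($pending.Count) site(s) already had a pending review."

# Track progress: group every review for this entity by status (Pending, Completed, ...).
Get-SPOSiteReview -ReportEntity PermissionedUsers |
    Group-Object Status |
    Select-Object @{ n = 'Status'; e = { $_.Name } }, Count
```

The pending-review check matters because each Start-SPOSiteReview call emails the site owner; re-running the script after a partial failure should not send a second notice to owners who already have one open.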