How to Audit Access to a SharePoint File

Auditing isn’t just for compliance — it’s how you spot the slow, silent accumulation of access that nobody intended. Done regularly, it’s quick. Done never, it’s a disaster waiting to happen.

Reading time: 7 minutes  ·  Last updated: June 2026  ·  Card code: P-23

What it is

An access audit is a deliberate review of who can see, edit, or control a file or library. It’s not the same as casually checking ‘Manage access’ once — it’s a structured review with specific questions: who has access, why do they have it, is it still appropriate, what’s the risk if it’s wrong?

For high-risk content (HR files, financial reports, strategic plans, anything regulated), audits should be regular and documented. For everyday team work, a lighter quarterly review is enough. For most personal OneDrive content, an annual sweep handles it.

The tools are mostly already there: Manage access on individual files, sharing reports for tenant-wide visibility (admin-only), and the ‘Shared by me’ view in OneDrive for personal sharing. What’s needed is the discipline to actually use them.

When to use this

  • Regular reviews of high-sensitivity content (HR, finance, legal).
  • Quarterly cleanup of personal sharing.
  • After security incidents or near-misses.
  • When migrating, restructuring, or transitioning content ownership.

How to do it

  1. Identify what you’re auditing — single file, library, site, or your personal sharing.
  2. Open Manage access on the relevant items.
  3. List every person, group, and link.
  4. For each: confirm purpose, current need, and appropriate permission level.
  5. Remove anything no longer needed.
  6. Adjust permission levels where current grants are too broad.
  7. Document the audit (date, what changed, who reviewed).
  8. Schedule the next audit.

Best practices

  • Audit on a schedule, not just when there’s a problem. Regular small audits beat occasional big ones.
  • Document the audit. ‘Reviewed and confirmed appropriate’ is a useful audit trail.
  • Focus on broad access first. Anonymous links and organisation-wide shares carry more risk than individual permissions.
  • Involve content owners. The person who created the content knows whether access is still appropriate.
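
Steps 3 to 7 of the review, ordered by the "broad access first" practice above, as an added example that is not part of the original article. It assumes the file's permissions were exported as JSON in the shape of Microsoft Graph's list-permissions response for a drive item; the sample data, file name and reviewer address are constructed.

```python
import json
from datetime import date
# Constructed sample shaped like a Microsoft Graph "list permissions" response
# for a driveItem (GET /drives/{drive-id}/items/{item-id}/permissions).
SAMPLE = json.loads("""
{"value": [
  {"id": "p1", "roles": ["write"],
   "grantedToV2": {"user": {"displayName": "Priya Shah"}}},
  {"id": "p2", "roles": ["read"],
   "link": {"scope": "anonymous", "type": "view"}},
  {"id": "p3", "roles": ["write"],
   "link": {"scope": "organization", "type": "edit"}},
  {"id": "p4", "roles": ["owner"],
   "grantedToV2": {"siteGroup": {"displayName": "HR Owners"}}},
  {"id": "p5", "roles": ["read"], "link": {"scope": "users", "type": "view"},
   "grantedToIdentitiesV2": [{"user": {"displayName": "Sam Ortiz"}}]}
]}
""")

# Review order: anonymous links, then organisation-wide links, then named people.
BREADTH = {"anonymous": 0, "organization": 1, "users": 2, "existingAccess": 3, "direct": 3}

def principal(identity_set):
    """Return 'kind:name' for the first identity in a Graph identity set."""
    for kind, ident in (identity_set or {}).items():
        return f"{kind}:{ident.get('displayName', '?')}"
    return "unknown"

def triage(permissions):
    """Step 3: list every person, group and link as a review row, broadest first."""
    rows = []
    for p in permissions:
        link = p.get("link")
        scope = link.get("scope", "users") if link else "direct"
        if link:  # sharing link: named recipients if any, otherwise the link itself
            who = [principal(i) for i in p.get("grantedToIdentitiesV2", [])] or [f"link:{scope}"]
        else:     # direct grant to a user or SharePoint group
            who = [principal(p.get("grantedToV2"))]
        rows.append({"id": p["id"], "scope": scope, "roles": p.get("roles", []),
                     "who": who, "decision": "PENDING", "purpose": ""})
    # Unknown scopes sort first; within a scope, write/owner comes before read-only.
    return sorted(rows, key=lambda r: (BREADTH.get(r["scope"], 0), "read" in r["roles"]))

def audit_record(item, rows, reviewer, today=None):
    """Step 7: the documented audit (date, reviewer, every entry reviewed)."""
    return {"item": item, "date": (today or date.today()).isoformat(),
            "reviewer": reviewer, "entries": rows}

if __name__ == "__main__":
    print(json.dumps(audit_record("constructed-file.xlsx", triage(SAMPLE["value"]), "reviewer@example.com"), indent=2))
```

The reviewer fills in `decision` and `purpose` for each row (steps 4 to 6) before the record is filed.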

Common mistakes

  • Auditing only after something goes wrong. By then, the damage is done.
  • Treating audit as a one-off. Sharing accumulates again. Schedule recurring reviews.
  • Auditing without authority to change. If you find a problem but can’t fix it, the audit produced anxiety, not improvement.

FAQ

How do I audit who has accessed a SharePoint file?

Open the file’s Activity pane for recent access (last 60 days). For full audit history, go to Microsoft Purview → Audit and search for the file URL — this returns every view, edit, download, and share for the entire retention period (90 days standard, longer with E5 licensing).

What’s the difference between Manage Access and audit log in SharePoint?

Manage Access shows who currently has access to a file. Audit log shows what people actually did with that access (viewed, downloaded, shared, modified). Use Manage Access to plan or revoke access; use the audit log to investigate incidents or build compliance reports.

Why is auditing access important before turning on Copilot?

Because Copilot honours SharePoint permissions exactly — every file a user can access, Copilot can surface to them. If your library has files with overly broad sharing (‘Anyone with the link’, ‘Everyone’), Copilot will pull those into responses for users who shouldn’t see them. Audit first, fix the gaps, then turn Copilot on.

How long are SharePoint audit logs kept?

90 days by default for most Microsoft 365 plans, up to 365 days with E5 licensing or Purview Audit (Premium). Logs older than this aren’t recoverable through standard tools — if you need long-term audit history for compliance, configure retention policies in Purview and confirm export to a SIEM if your industry requires it.
