Weekly OneDrive over-sharing audit to Microsoft Teams

Every Monday at 8am, scan sensitive OneDrive folders for risky public links and post a triage-ready report to a Microsoft Teams channel.

Agentic Task
Microsoft OneDrive, Microsoft Teams, Operations, Research & Monitoring, Notifications & Alerts, AI Reports

I want a weekly OneDrive over-sharing audit that posts a triage-ready report to Microsoft Teams. Build it as an agent workflow because the severity calls require judgement, not hardcoded rules.

Trigger: cron, every Monday at 8am in my local timezone.

Inputs the workflow should expose so I can configure it without editing instructions:

1. sensitive_paths: a list of top-level OneDrive folder paths to audit, defaulting to /Clients, /Finance, /Legal, /HR.
2. high_risk_keywords: substrings in a file or folder path that bump severity, defaulting to Contracts, Payroll, MSA, NDA, board, salary, offer-letter, tax.
3. internal_only_paths: paths where any external-tenant invitation should be flagged, defaulting to /HR and /Finance.
4. teams_team_id and teams_channel_id: where the weekly report should be posted.
5. lookback_mode: either delta (only items changed in the last 7 days) or full (walk every file). Default to delta on weeks 1-3 of a month and full on the first run of the month.

Steps the agent should follow on each run:

Step 1. Enumerate files. If lookback_mode is delta, use Microsoft OneDrive Track Changes (Delta) seeded from the stored delta token (or now-7d on first run) to get every driveItem that was created or modified in the last week under the configured sensitive_paths. If lookback_mode is full, walk each sensitive_path with Microsoft OneDrive List Children recursively. Use Get Item Metadata when you need the full path, web URL, or owner of an item the delta response doesn't fully populate.

Step 2. For every file (skip folders themselves, but include files inside flagged folders), call Microsoft OneDrive List Permissions. Ignore inherited permissions that came from a parent the audit also flags (so you don't double-count). For each remaining non-inherited permission, evaluate severity:

  • Critical: anonymous link (anyone-with-link) with write or edit access on any sensitive_path, OR any anonymous link on a file whose path contains a high_risk_keyword.
  • High: anonymous link with view access on any sensitive_path.
  • Medium: external-tenant invitation (a permission granted to a user outside our organization's tenant) on a file whose path is in internal_only_paths.
  • Low: external-tenant view-only invitation on other sensitive_paths.
  • Skip: internal-tenant permissions, inherited-from-parent permissions, and the file owner themselves.

Use judgement when the rules are ambiguous. A public link on a clearly public marketing PDF (filename suggests brochure, one-pager, press, public) is fine and should be downgraded to Skip even if it sits under a sensitive_path. A public link on anything that reads like a contract, MSA, NDA, payroll register, cap table, board doc, or customer PII export should always be Critical, regardless of where it lives.
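As an added illustration (not part of this template or of any OneDrive connector), here are the Step 2 severity rules and judgement overrides as one Python function. The permission dict mirrors the field names of a Microsoft Graph permission resource, and INTERNAL_DOMAINS is an assumed stand-in for how the agent would tell an external-tenant grantee from an internal one; the sample permissions in the test are constructed.

```python
# Workflow input defaults from the prompt above.
SENSITIVE_PATHS = ("/Clients", "/Finance", "/Legal", "/HR")
HIGH_RISK_KEYWORDS = ("contracts", "payroll", "msa", "nda", "board",
                      "salary", "offer-letter", "tax")
INTERNAL_ONLY_PATHS = ("/HR", "/Finance")
# Judgement overrides named in Step 2, matched against the file name only.
PUBLIC_HINTS = ("brochure", "one-pager", "press", "public")
ALWAYS_CRITICAL = ("contract", "msa", "nda", "payroll", "cap table", "board", "pii")
# Assumption: the tenant's own email domains. Graph's permission resource has no
# tenant id, so "external" is inferred from the grantee's email domain.
INTERNAL_DOMAINS = ("contoso.com",)


def _under(path, roots):
    """True when path equals one of roots or lies beneath one of them."""
    p = path.lower()
    return any(p == r.lower() or p.startswith(r.lower() + "/") for r in roots)


def severity(path, perm, owner_email):
    """Classify one permission as Critical/High/Medium/Low/Skip.
    perm is a dict shaped like a Microsoft Graph permission resource
    (link.scope, link.type, roles, inheritedFrom, grantedToV2.user.email)."""
    if perm.get("inheritedFrom"):
        return "Skip"                       # parent is audited separately
    p = path.lower()
    name = p.rsplit("/", 1)[-1]
    link = perm.get("link") or {}
    writable = link.get("type") == "edit" or "write" in perm.get("roles", [])

    if link.get("scope") == "anonymous":    # anyone-with-link
        if any(k in name for k in ALWAYS_CRITICAL):
            return "Critical"               # contract-like: always critical
        if any(k in name for k in PUBLIC_HINTS):
            return "Skip"                   # clearly public marketing material
        if any(k in p for k in HIGH_RISK_KEYWORDS):
            return "Critical"
        if _under(path, SENSITIVE_PATHS):
            return "Critical" if writable else "High"
        return "Skip"                       # outside the audited scope

    email = (perm.get("grantedToV2", {}).get("user", {}).get("email") or "").lower()
    domain = email.rsplit("@", 1)[-1]
    if not email or email == owner_email.lower() or domain in INTERNAL_DOMAINS:
        return "Skip"                       # owner or internal-tenant grant
    if _under(path, INTERNAL_ONLY_PATHS):
        return "Medium"                     # external invite on internal-only path
    if _under(path, SENSITIVE_PATHS):
        # The prompt rates external view-only invites Low and leaves external
        # write invites to judgement; they are raised to Medium here (assumption).
        return "Low" if not writable else "Medium"
    return "Skip"
```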

Step 3. Group findings by severity (Critical, High, Medium, Low). For each finding capture: file path, file name, web URL (the OneDrive web link), link type (anonymous view, anonymous edit, external invitation, etc.), who granted the permission if visible, when it was granted, and a one-sentence reason this was flagged at this severity.

Step 4. Send exactly one Microsoft Teams Create Channel Message to teams_team_id / teams_channel_id. The message should lead with a one-line headline ("OneDrive sharing audit — 3 critical, 7 high, 12 medium"), then a bulleted list of the Critical findings with file name, path, link type, and a clickable web URL, then collapsed sections for High and Medium with the same fields, then a single-line footer with the audit window ("covers changes since last Monday 8am") and total files scanned. Keep it under ~30 line items in the visible portion. If there are more, link to a follow-up message thread and post the rest as replies.

Step 5. If there are zero non-Low findings, still post a short confirmation message so we know the audit ran ("OneDrive sharing audit — all clear across N files"). Silence is a bug, not a feature.

Default to report-only. Do not call any Delete Permission operation in this version. If I later ask for auto-revoke, gate it behind a separate severity threshold and a dry-run flag.

Operations to wire up: microsoft-onedrive.track_changes_delta, microsoft-onedrive.list_children, microsoft-onedrive.list_permissions, microsoft-onedrive.get_item_metadata, microsoft-teams.create_channel_message.

Additional information

What does this prompt do?
  • Walks the OneDrive folders you flag as sensitive (Clients, Finance, Legal, HR, and so on) and checks how every file inside them is being shared.
  • Calls out the riskiest links first: anyone-with-link access, public links with edit rights, and outside-company invitations on files that should be internal.
  • Uses judgement, not just rules. A public link on a marketing brochure stays quiet; the same link on a master services agreement gets escalated.
  • Posts a single tidy report to your security or IT channel in Microsoft Teams every Monday morning, with file paths, who shared each one, and direct links so you can close the holes the same day.
What do I need to use this?
  • A Microsoft 365 account with access to the OneDrive folders you want audited.
  • A Microsoft Teams workspace with a channel where the weekly report should land (a security, IT, or compliance channel works well).
  • A short list of the top-level folder paths you treat as sensitive, plus any keywords that should bump severity (Contracts, Payroll, MSA, board, etc.).
How can I customize it?
  • Change the schedule. Default is every Monday at 8am, but daily, weekly, or month-end runs all work.
  • Edit the list of sensitive folders and keywords so the audit matches how your team actually labels confidential work.
  • Swap the destination channel, or have it post a short summary to a leadership channel and a detailed report to the security channel.

Frequently asked questions

Will this delete or change any sharing links?
No. By default the audit is read-only. It reports what it finds and lets a human decide what to revoke. You can ask for an auto-revoke mode later if you want it to clean up the worst offenders on its own.
How does it decide what counts as risky?
It looks at where the file lives and how it's shared. A public link on a folder called Contracts or Payroll is treated as high risk. A public link with edit rights is treated as critical. An outside-company invitation on an internal-only path is medium. You can tell it which folder names and keywords to weight more heavily.
Does it scan every file every week?
It can. To keep things fast on large drives it can also focus on files that were created or had their sharing changed in the last 7 days, then do a full sweep on a slower cadence.
Where does the report show up?
In whichever Microsoft Teams channel you pick. The report groups findings by severity, includes the file path, who shared it, the link type, and a direct OneDrive link so reviewers can open and fix each one in a click.
Can I run this against shared drives or only my personal OneDrive?
Yes. It can audit personal OneDrive content and any team folders you have access to. Just list the top-level paths you want included when you set it up.

Stop letting "anyone with the link" walk out the door.

Connect OneDrive and Microsoft Teams once, and get a triage-ready over-sharing report in your security channel every Monday at 8am.