Englisch + German / English / Microsoft 365 / Microsoft Purview

How to identify who disabled offline sync in a SharePoint Site Collection?

11. September 2025

Usually, users can sync document libraries from a SharePoint site, unless syncing is disabled tenant-wide — in that case, users still can create OneDrive shortcuts (which are also synced).
But suddenly, the OneDrive sync client may display a message that an admin has restricted the sync configuration.

We can’t sync …. due to admin restricting offline access.

Offline sync is restricted
Offline sync is restricted

But no SharePoint admin actually changed the configuration.
Now site owners are asking: Who changed the sync settings on my site, and why did it happen yesterday?

There are two possible settings that may have been changed by an unknown account:

  • First, disable offline sync for the document library (Library settings > Advanced settings).
Offline sync settings in the document library
Offline sync settings in the document library
  • Second, disable offline client availability for the site (Site settings > Search and offline availability). This setting overrides all library-level offline sync configurations.
Offline client availability for the SharePoint site
Offline client availability for the SharePoint site

Someone changed one of these settings, or both of them. But who?


The Purview Audit Logs can provide hints.

  • Note that SharePoint does not directly audit the setting change itself. You can filter for related activities.
  • You might not get a 100% match, but you’ll have enough direction to question the right site owner.

As I often recommend, building your audit query with PowerShell and Microsoft Graph is faster and more flexible. You can also use the Audit Logs in the Purview admin portal.

  1. Connect to Microsoft Graph with the scope AuditLogsQuery-SharePoint.Read.All.
PowerShell
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes AuditLogsQuery-SharePoint.Read.All

  1. Define your affected SharePoint site.
    I’m using the last two days in my sample. Replace the value as needed.
PowerShell
$SPOSiteUrl = "<SiteUrl>/*" # Replace only <SiteUrl>, keep /* at the end or the query will return no results
$DocumentLibraryName = "<DocumentLibraryName>"

$StartDate = (Get-Date).AddDays(-2).ToString("yyyy-MM-ddT00:00:00Z")
$EndDate = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ssZ")

$Body = 
@"
{
    "displayName": "MSGraphAuditlogQuery-OfflineSync-1",
    "filterStartDateTime": "$StartDate",
    "filterEndDateTime": "$EndDate",
    "serviceFilters": ["SharePoint"],    
    "objectIdFilters": [
    "$SPOSiteUrl"
    ]
  }
"@

$Url = "https://graph.microsoft.com/beta/security/auditLog/queries"
$AuditLogNewQuery = Invoke-MgGraphRequest -Method POST -Uri $Url -Body $Body -ContentType "application/json"
$AuditLogNewQuery

  1. Wait until the audit job is finished.
PowerShell
$AuditLogNewQueryID = $AuditLogNewQuery.id
$Url = "https://graph.microsoft.com/beta/security/auditLog/queries/$AuditLogNewQueryID"
$AuditLogNewQueryResult = Invoke-MgGraphRequest -Method Get -Uri $Url -ContentType "application/json"
$AuditLogNewQueryResult | select displayName,filterStartDateTime,filterEndDateTime,status,id

PowerShell

  1. Get the results. My sample includes paging to ensure all audit records are retrieved.
PowerShell
# Get the results of the search job (paging included)
$Url = "https://graph.microsoft.com/beta/security/auditLog/queries/$AuditLogNewQueryID/records?`$top=1000"
$AuditLogNewQueryResultRecords = @()

While ( $null -ne $Url ) {
    $data = Invoke-MgGraphRequest -Method GET -Uri $Url -ContentType "application/json" 
    $AuditLogNewQueryResultRecords += $data.Value         
    $Url = $data.'@Odata.NextLink'
}

  1. Filter for two relevant operations.

For offline sync in a document library

SharePoint audits a ListUpdated operation if someone changes offline sync in the library. In the best case, you get just one record and know who may have changed the setting.

PowerShell
$ListUpdate = $AuditLogNewQueryResultRecords | ?{$_.Operation -eq "ListUpdated" -and $_.auditData.ListName -eq $DocumentLibraryName }
$ListUpdate | select operation,userPrincipalName,createdDateTime,objectId | fl

PowerShell

For offline client availability on the site

SharePoint audits only that the person visited the page if someone changes the offline client availability at the site level. This will always be a site owner or admin, which is at least a strong indicator of who changed it.
Filter for the operation PageViewed and the object name srchvis.aspx (the page used to change offline client availability).

PowerShell
$PageView = $AuditLogNewQueryResultRecords | ?{$_.Operation -eq "PageViewed" -and $_.objectId -like "*_layouts/15/srchvis.aspx" }
$PageView | select operation,userPrincipalName,createdDateTime,objectId | fl

PowerShell

You now have at least some information about the accounts that may have changed the setting unintentionally. If you ask these users, they usually remember the situation and can explain it.

Tags:

Share
Avatar photo

Tobias Asböck

Tobias is a Senior System Engineer with around ten years of professional experience with Microsoft 365 products such as SharePoint Online, SharePoint Premium, OneDrive for Business, Teams Collaboration, Entra ID, Information Protection, Universal Print, and Microsoft 365 Licensing. He also has 15+ years of experience planning, administering, and operating SharePoint Server environments. Tobias is a PowerShell Scripter with certifications for Microsoft 365 products. In his spare time, Tobias is busy with updates in the Microsoft 365 world or on the road with his road bike and other sports activities. If you have additional questions, please contact me via LinkedIn or [email protected].

Leave a Reply

Your email address will not be published. Required fields are marked *