🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
SharePoint Online

How to Find Who Deleted the Files from Microsoft 365

Have you ever found yourself in a risky situation where all your important documents or a considerable number of files just vanished from your OneDrive or SharePoint Library? Isn’t it frustrating? Even worse is not knowing who deleted them, leaving you helpless. This guide will help you identify all the users who deleted the files from Microsoft 365.

Using Microsoft Purview Compliance Portal

Microsoft 365 Permission Required
Global Admin or any other privileged admin role.
  • Navigate to the Audit section.
  • Select the Start and End date and time range.
  • Apply filter for the following operations in the Activities - friendly names field.

    Deleted file, Recycled file, Deleted file from recycle bin, Deleted file from second-stage recycle bin

  • Hit the Search button to initiate the search.
    m365-pur-audit
  • Once the search is completed, use the Export option to download the file deletion audit log report for offline access.
Using Microsoft Purview Compliance Portal

Using Windows PowerShell

Microsoft 365 Permission Required
Global Admin or any other privileged admin role.
  • Connect to Exchange Online PowerShell, using the below cmdlet.
  • Windows PowerShell Windows PowerShell
     Connect-ExchangeOnline
  • Execute the following cmdlet to identify the user who deleted the Microsoft 365 files.
  • Windows PowerShell Windows PowerShell
     Search-UnifiedAuditLog -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> -Operations FileDeleted, FileRecycled, FileDeletedFirstStageRecycleBin, FileDeletedSecondStageRecycleBin | Format-Table -Property RecordType, CreationDate, UserIds, Operations 
Using Windows PowerShell

Using PowerShell Script

Microsoft 365 Permission Required
Global Admin or any other privileged admin role.
  • The cmdlet above detects deleted files in your Microsoft 365 environment, but it requires multiple filters and cmdlets to obtain specific results.
  • To simplify this process, we've written a PowerShell script that effortlessly exports file deletion activity reports from Microsoft 365.
  • The built-in filtering settings enable you to produce an audit report with more detail.
Using PowerShell Script
AuditFileDeletion.ps1

Simplify SharePoint security and compliance with AdminDroid's automated audit reports!

The AdminDroid’s SharePoint auditing tool is the ultimate solution for analyzing all SharePoint Online and OneDrive for Business activities. Our cutting-edge tool provides in-depth reports covering every aspect of Microsoft 365, empowering you to confidently make informed decisions. Moreover, you can easily delegate access permissions to authorized users, ensuring that your data is always safe and secure.

Robust Export Capabilities in 6 Popular File Formats!

Get the ability to easily export data on file deletions in six popular file formats (CSV, HTML, XLS, XLSX, PDF, and RAW), guaranteeing flexibility and ease of use while handling data.

Simplify SharePoint Online Folders and Pages Audit

Transform your SharePoint Online experience with AdminDroid's powerful analytics, providing both high-level and detailed Insights on SharePoint Online folders and pages.

File Safety and DLP Auditing in SharePoint Online

Audit both the SharePoint Online file activities and DLP actions, such as rule matches, rule undoes, etc., together under one roof. These reports are not just tables! Every report ramped up with AI-powered graphs.

Grant Precise Report Access with Granular Delegation!

Delegate admins using the built-in SharePoint Administrator role in AdminDroid to ensure they only access SharePoint information. This granular accessing streamlines SharePoint management without exposing other sensitive data.

Unveil the Impact of External Users

Zoom in on external user actions with the File/Folder Accessed by External Users report. Easily filter deletions with one click to see who deleted, what was deleted, and when it was deleted.

Schedule Reports at Your Convenience!

Schedule reports to run at your convenience, ensuring timely delivery of vital data like deleted file details directly to your inbox and local storage.

Overall, AdminDroid provides powerful features that empower you to efficiently track file deletion activities in Microsoft 365. You can also monitor all file sharing activities, files shared to external users, files shared by external users, file access, file version changing, and file restoration reports ensuring control over the users in your Office 365 environment.

Explore a full range of reporting options

Important Tips

Cross-referencing file deletion patterns with users' sign-in activities can help identify anomalies that may indicate a compromised account or unauthorized access.

Prevent accidental file deletion by implementing DLP policies, and generate alerts for deletion attempts for further investigation.

Create M365 backups for SharePoint sites to safeguard data against unforeseen disasters.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints when dealing with tracking file deletions.

Error Search duration is too long. Please select a date range of less than 6 months.

This error will occur in the AuditLog search of Purview Compliance if the selected date and time range exceed the limit.

Fix In Microsoft Purview Audit (Standard), logs can only be retained for a maximum of 180 days. So, you need to give a time range within this period.

Error No Data is returned in the result of the Audit search.

This error will occur in both the PowerShell and Compliance Center AuditLog search if the Audit search is not enabled.

Fix In Microsoft Purview Audit, you should enable Audit Search by clicking Start recording user and admin activity or if you’re using PowerShell then you need to enable it by using this cmdlet.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Error Connect-ExchangeOnline: The term ‘Connect-ExchangeOnline’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This error will occur when you don’t have the ExchangeOnline module installed in the PowerShell Environment.

Fix Use the cmdlet below to install the ExchangeOnlineManagement module.
Install-Module ExchangeOnlineManagement -Force

Error This library inherits permissions from its parent.

This error will occur in the Permissions tab on the SharePoint site when you attempt to assign custom permission levels to users.

Fix To resolve this error you need to stop inheritance permission by clicking the Stop Inheriting Permissions option near the top left corner.

Frequently Asked Questions

Identify Potential Threats and Mitigate Risks by Uncovering Who Deleted the Files in M365

How to manage deleted files in recycle bin?

How to manage deleted files in recycle bin? +

Accidental file deletions are common in collaborative workspaces. Fortunately, accessing the recycle bin simplifies file recovery, eliminating the need for complex data retrieval processes. This prevents permanent data loss caused by human error, ensuring smooth operations and maintaining data integrity. SharePoint's recycle bin offers a straightforward process for recovering deleted files, providing a safety net that supports ongoing productivity and secures essential information.

Understand the Recycle Bin Stages

In Microsoft 365, the recycle bin has two stages for managing deleted files, with a total retention period of 93 days across both stages:

  • First-stage recycle bin: When a file is deleted, it goes to the first stage recycle bin (site recycle bin), where it remains for 93 days.
  • Second-stage recycle bin: If a file is deleted from the first-stage recycle bin, it moves to the second-stage recycle bin (site collection recycle bin), ensuring that deleted files are retained for a maximum of 93 days, regardless of their location.

Manage Recycle Bins

Effective recycle bin management is essential for maintaining a clutter-free digital environment. This involves key operations such as accessing the recycle bin, restoring files to their original locations, and ensuring the permanent deletion of unnecessary files.

How to Access Files from the Recycle Bin?

  • From the desired SharePoint site, navigate to Settings»Site Contents»Recycle Bin. For OneDrive, you can easily find it from the main menu.
  • In either SharePoint Online or OneDrive's recycle bin, locate the Second-stage recycle bin link at the bottom.
recyclebin

How to Restore Files from the Recycle Bin?

  • From the site's recycle bin, select the checkbox next to the files you want to restore.
  • Click the Restore button and the file will be restored to its original location in the site.
restoring-file

How to Delete Files Permanently from the Recycle Bin?

  • If the files remain in the Second-stage recycle bin, select the files you want to permanently delete.
  • Click the Delete button to delete the files permanently.
permanent-deleting

Automate Recycle Bin Management

Automating recycle bin management simplifies digital maintenance by making tasks like purging outdated files effortlessly. This not only saves time but also keeps your digital space organized and optimized for performance.

Retention Policy

Implementing a retention policy is essential for managing the documents lifecycle. It ensures that important files are not accidentally deleted or permanently removed too soon, while also automating the clean-up of outdated files.

  • Navigate to the Retention policies section in the Microsoft Purview compliance portal.
  • Click New Retention Policy, give name, policy type, and location as SharePoint and OneDrive, choose the retention period based on your needs.
  • Click submit button. It’ll take up to one week to apply this policy to the specified locations.
retention-policy

Unlock actionable insights for effectively managing file and folder activities across SharePoint and OneDrive with AdminDroid!

  • Identify potential risks by tracking the permanent deletion of SharePoint files via scripts, user-initiated deletions of OneDrive files, and deletions of folders across both platforms.
  • This section will provide you with reports that track File Deletions, File Restorations, File Version Changes, Folder Deletions, and Folder Restorations.
ad-folder-deletion

How to prevent unauthorized file deletions in M365?

How to prevent unauthorized file deletions in M365? +

Unauthorized file deletions may occur due to human error, malicious intent, or compromised accounts. By implementing measures to prevent unauthorized file deletion, you can safeguard your organization's valuable data and maintain control over document integrity.

Audit File Access using Purview Compliance Portal

Regularly auditing file access is essential for preventing unauthorized file deletion by ensuring only relevant users have appropriate permissions.

  • To audit who accessed the files, navigate to Audit section.
  • Start a new search for Accessed file activity with desired 'Start and End' date range.
file-accessed-audit-search

Implement Document Library Access Control

With the details from the audit search, implement the appropriate access control and permissions. Remember to break inheritance before making any changes to users' permissions, and ensure that you periodically review custom permissions granted to document libraries.

  • Navigate to Permissions for this document library under Library Settings»More library settings in the desired SharePoint site.
  • Select users and modify or remove their permissions using the Edit/Remove User Permissions options.
access-control

Implement Site-Level Custom Permissions

Assign custom permission levels to desired site visitors and members based on their requirements and role scope to avoid unauthorized deletions.

  • To add a custom permission level, go to Site settings»Site Permissions»Permission levels in the desired SharePoint site.
  • Select Add a Permission Level, and choose permissions except Delete items and Delete versions.
custom-non-delete-permission-spo

Limit external sharing

Limit external sharing to users belonging to pre-defined, trusted domains and require all external users accessing shared content to undergo sign-in verification.

  • From the SharePoint Admin center, go to Policies»Sharing and set content can be shared with as New and existing guests
  • In more external sharing settings, select Limit external sharing by domain.
  • Hit Add domains»Allow only specific domains, add the ones that need to be allowed, and click save.
exter-share-spo

Allowing sharing with specific domains and limiting external sharing enhances data security, ensuring content is only shared with trusted external parties.

Gain immediate access to pre-built reports, available for viewing anytime and exportable in various formats with just a few clicks!

  • Admins can view the SharePoint file access history of a specific user by filtering the data.
  • Use the built-in charts available in the report to gain insights on top accessed files, users who access files frequently, and more.
ad-file-acc-activities

How to receive real-time alerts for file deletions in SharePoint?

How to receive real-time alerts for file deletions in SharePoint? +

Imagine an audit is underway at your company, with all critical financial records stored in SharePoint. During this crucial time, if an important financial report is accidentally deleted and isn't promptly discovered, the audit process could be delayed. This could potentially lead to compliance violations and financial issues. Implementing real-time alerts for file deletions are essential for quickly detecting and addressing such incidents, to avoid data loss and ensure smooth business operations.

Using SharePoint Automated Rules

  • Navigate to the SharePoint document library for which you want to set up file deletion alerts.
  • Click on Automate in the toolbar and select Rules»Create a rule»A file is deleted.
  • Provide the email address to which you wish to receive notification upon file deletions, and then click Create.
spo-auto-alert

Using SharePoint Alerts

  • From the SharePoint site's document library/list, click on the ... (ellipsis) in the toolbar, and then click Alert Me.
  • In the dialog box, select E-mail for the Delivery Method.
  • Specify the Change Type as Items are deleted, and for Send Alerts for These Changes, select Anything changes.
  • Choose Send notification immediately on When to Send Alerts to receive alerts as soon as changes occur.
  • Click OK to activate the alert.
spo-alert

Using Microsoft Defender

  • Navigate to the Alert policy section in the Microsoft Defender portal and click New Alert Policy.
  • Enter Name, Description, Severity, Category, and set Activity as Deleted file.
  • Then set the alert frequency and select Email Recipients to notify.
  • Hit Submit to create the alert.
defender-alert

Surpass your Microsoft 365 alerting system! Achieve advanced and more effective file deletion monitoring with AdminDroid Alerts!

Even better, AdminDroid's Alert feature lets you create alert policies directly from the report with just two clicks.

Quick steps to set up AdminDroid alerts!
  • Create Alert Policies: Simply click the bell icon on any report page to set up alert policies.
  • Fine-Tune Alerts: Use the alert preview console to tweak policies and set thresholds easily.
  • Manage Alerts Efficiently: Edit settings and update alert status to open, closed, or investigating in the Alerts section.
ad-alert-bell
Track and manage alerts with ease!
  • Prebuilt Alert Policies: Take advantage of pre-built policies to monitor unusual amounts of file deletions.
  • Alerts Dashboard: Monitor all alerts in one centralized dashboard for quick insights.
  • Alerts Reports: Access detailed reports that track all alert activities for comprehensive monitoring.
alert-section

AdminDroid makes it easy to enhance your file deletion monitoring beyond the native capabilities of Microsoft 365.

Why do I need to find who deleted the files from Microsoft 365?

Why do I need to find who deleted the files from Microsoft 365? +

Understanding who deleted files from Microsoft 365 is crucial for several reasons. Whether it's to maintain data integrity, enforce security protocols, or conduct investigations into unauthorized access, identifying the responsible user provides valuable insights for effective governance and risk management.

  • SecurityMonitoring file deletions can help detect and respond to potential security threats or unauthorized access. This is especially important if files are deleted by an account that shouldn't have had access.
  • Compliance and Auditing Organizations often need to comply with data protection regulations and internal policies. Purview logs showing who deleted files can provide evidence of compliance or highlight areas that needs improvement.
  • Data Loss Prevention Understanding the context and reasons behind file deletions allows you to create and enforce better data protection policies to prevent similar incidents in the future.
  • Recovery and Restoration Knowing which file is deleted can help you quickly identify and restore the file from the recycle bin or backup sources if a file is deleted accidentally.
+

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
User Help Manuals Compliance Docs
x
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!