🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.

How to Find Who Deleted the Files from Microsoft 365

Have you ever found yourself in a risky situation where all your important documents or a considerable number of files just vanished from your OneDrive or SharePoint Library? Isn’t it frustrating? Even worse is not knowing who deleted them, leaving you helpless. This guide will help you identify all the users who deleted the files from Microsoft 365.

Native Solution

Microsoft 365 Permission Required

High

Global Admin or any other privileged admin role.

Option 1 Using Microsoft Purview Compliance Portal

  • Navigate to the Audit section.
  • Select the Start and End date and time range.
  • Apply filter for the following operations in the Activities - friendly names field.

    Deleted file, Recycled file, Deleted file from recycle bin, Deleted file from second-stage recycle bin

  • Hit the Search button to initiate the search.
    m365-pur-audit
  • Once the search is completed, use the Export option to download the file deletion audit log report for offline access.
Using Microsoft Purview Compliance Portal

Option 2 Using Windows PowerShell

  • Connect to Exchange Online PowerShell, using the below cmdlet.
  • Windows PowerShell Windows PowerShell 
     Connect-ExchangeOnline
  • Execute the following cmdlet to identify the user who deleted the Microsoft 365 files.
  • Windows PowerShell Windows PowerShell 
     Search-UnifiedAuditLog -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> -Operations FileDeleted, FileRecycled, FileDeletedFirstStageRecycleBin, FileDeletedSecondStageRecycleBin | Format-Table -Property RecordType, CreationDate, UserIds, Operations
Using Windows PowerShell

Option 3 Using PowerShell Script

  • The cmdlet above detects deleted files in your Microsoft 365 environment, but it requires multiple filters and cmdlets to obtain specific results.
  • To simplify this process, we've written a PowerShell script that effortlessly exports file deletion activity reports from Microsoft 365.
  • The built-in filtering settings enable you to produce an audit report with more detail.
AuditFileDeletion.ps1
Using PowerShell Script
AdminDroid Solution
More than 150 reports are under the free edition.

AdminDroid Permission Required

Delegated

Any user with report access assigned by the Super Admin.

StepsUsing AdminDroid

ad
  • Login to the AdminDroid Office 365 portal.
  • Just hit 'Ctrl + Shift + F' and search for All File Deletions to access the report on file deletion events in your M365 environment.
  • You can also access the report by navigating to Audit»General»File/Folder Deletion Tracking»File Deletions.
Using AdminDroid

The report provides detailed information about the deleted files, including when they were deleted, the deleted users’ device details, the URL of the deleted item, and more.

donut-with-table-ad
  • Additionally, the built-in interactive charts will showcase trends in file deletion activities by users, by file extenstions, by deletion stages, and by machine IPs from where the deletions are performed.
geo-map
birds-eye-chart
donut
exported-excel
pie-chart
alert
Explore a full range of reporting options

Stay Ahead of File Deletions!

Prevent data loss and keep your organization's data secure by easily tracking file deletions in Microsoft 365 with AdminDroid!

Witness the report in action using the

Live Demo

SharePoint OnlineIdentify Potential Threats and Mitigate Risks by Uncovering Who Deleted the Files in M365

Showing 1 of 4
How to manage deleted files in recycle bin? How to prevent unauthorized file deletions in M365? How to receive real-time alerts for file deletions in SharePoint? Why do I need to find who deleted the files from Microsoft 365?

How to manage deleted files in recycle bin?

Accidental file deletions are common in collaborative workspaces. Fortunately, accessing the recycle bin simplifies file recovery, eliminating the need for complex data retrieval processes. This prevents permanent data loss caused by human error, ensuring smooth operations and maintaining data integrity. SharePoint's recycle bin offers a straightforward process for recovering deleted files, providing a safety net that supports ongoing productivity and secures essential information.

Understand the Recycle Bin Stages

In Microsoft 365, the recycle bin has two stages for managing deleted files, with a total retention period of 93 days across both stages:

  • First-stage recycle bin: When a file is deleted, it goes to the first stage recycle bin (site recycle bin), where it remains for 93 days.
  • Second-stage recycle bin: If a file is deleted from the first-stage recycle bin, it moves to the second-stage recycle bin (site collection recycle bin), ensuring that deleted files are retained for a maximum of 93 days, regardless of their location.

Manage Recycle Bins

Effective recycle bin management is essential for maintaining a clutter-free digital environment. This involves key operations such as accessing the recycle bin, restoring files to their original locations, and ensuring the permanent deletion of unnecessary files.

How to Access Files from the Recycle Bin?

  • From the desired SharePoint site, navigate to Settings»Site Contents»Recycle Bin. For OneDrive, you can easily find it from the main menu.
  • In either SharePoint Online or OneDrive's recycle bin, locate the Second-stage recycle bin link at the bottom.
recyclebin

How to Restore Files from the Recycle Bin?

  • From the site's recycle bin, select the checkbox next to the files you want to restore.
  • Click the Restore button and the file will be restored to its original location in the site.
restoring-file

How to Delete Files Permanently from the Recycle Bin?

  • If the files remain in the Second-stage recycle bin, select the files you want to permanently delete.
  • Click the Delete button to delete the files permanently.
permanent-deleting

Automate Recycle Bin Management

Automating recycle bin management simplifies digital maintenance by making tasks like purging outdated files effortlessly. This not only saves time but also keeps your digital space organized and optimized for performance.

Retention Policy

Implementing a retention policy is essential for managing the documents lifecycle. It ensures that important files are not accidentally deleted or permanently removed too soon, while also automating the clean-up of outdated files.

  • Navigate to the Retention policies section in the Microsoft Purview compliance portal.
  • Click New Retention Policy, give name, policy type, and location as SharePoint and OneDrive, choose the retention period based on your needs.
  • Click submit button. It’ll take up to one week to apply this policy to the specified locations.
retention-policy

Unlock actionable insights for effectively managing file and folder activities across SharePoint and OneDrive with AdminDroid!

  • Identify potential risks by tracking the permanent deletion of SharePoint files via scripts, user-initiated deletions of OneDrive files, and deletions of folders across both platforms.
  • This section will provide you with reports that track File Deletions, File Restorations, File Version Changes, Folder Deletions, and Folder Restorations.
ad-folder-deletion

How to prevent unauthorized file deletions in M365?

Unauthorized file deletions may occur due to human error, malicious intent, or compromised accounts. By implementing measures to prevent unauthorized file deletion, you can safeguard your organization's valuable data and maintain control over document integrity.

Audit File Access using Purview Compliance Portal

Regularly auditing file access is essential for preventing unauthorized file deletion by ensuring only relevant users have appropriate permissions.

  • To audit who accessed the files, navigate to Audit section.
  • Start a new search for Accessed file activity with desired 'Start and End' date range.
file-accessed-audit-search

Implement Document Library Access Control

With the details from the audit search, implement the appropriate access control and permissions. Remember to break inheritance before making any changes to users' permissions, and ensure that you periodically review custom permissions granted to document libraries.

  • Navigate to Permissions for this document library under Library Settings»More library settings in the desired SharePoint site.
  • Select users and modify or remove their permissions using the Edit/Remove User Permissions options.
access-control

Implement Site-Level Custom Permissions

Assign custom permission levels to desired site visitors and members based on their requirements and role scope to avoid unauthorized deletions.

  • To add a custom permission level, go to Site settings»Site Permissions»Permission levels in the desired SharePoint site.
  • Select Add a Permission Level, and choose permissions except Delete items and Delete versions.
custom-non-delete-permission-spo

Limit external sharing

Limit external sharing to users belonging to pre-defined, trusted domains and require all external users accessing shared content to undergo sign-in verification.

  • From the SharePoint Admin center, go to Policies»Sharing and set content can be shared with as New and existing guests
  • In more external sharing settings, select Limit external sharing by domain.
  • Hit Add domains»Allow only specific domains, add the ones that need to be allowed, and click save.
exter-share-spo

Allowing sharing with specific domains and limiting external sharing enhances data security, ensuring content is only shared with trusted external parties.

Gain immediate access to pre-built reports, available for viewing anytime and exportable in various formats with just a few clicks!

  • Admins can view the SharePoint file access history of a specific user by filtering the data.
  • Use the built-in charts available in the report to gain insights on top accessed files, users who access files frequently, and more.
ad-file-acc-activities

How to receive real-time alerts for file deletions in SharePoint?

Imagine an audit is underway at your company, with all critical financial records stored in SharePoint. During this crucial time, if an important financial report is accidentally deleted and isn't promptly discovered, the audit process could be delayed. This could potentially lead to compliance violations and financial issues. Implementing real-time alerts for file deletions are essential for quickly detecting and addressing such incidents, to avoid data loss and ensure smooth business operations.

Using SharePoint Automated Rules

  • Navigate to the SharePoint document library for which you want to set up file deletion alerts.
  • Click on Automate in the toolbar and select Rules»Create a rule»A file is deleted.
  • Provide the email address to which you wish to receive notification upon file deletions, and then click Create.
spo-auto-alert

Using SharePoint Alerts

  • From the SharePoint site's document library/list, click on the ... (ellipsis) in the toolbar, and then click Alert Me.
  • In the dialog box, select E-mail for the Delivery Method.
  • Specify the Change Type as Items are deleted, and for Send Alerts for These Changes, select Anything changes.
  • Choose Send notification immediately on When to Send Alerts to receive alerts as soon as changes occur.
  • Click OK to activate the alert.
spo-alert

Using Microsoft Defender

  • Navigate to the Alert policy section in the Microsoft Defender portal and click New Alert Policy.
  • Enter Name, Description, Severity, Category, and set Activity as Deleted file.
  • Then set the alert frequency and select Email Recipients to notify.
  • Hit Submit to create the alert.
defender-alert

Surpass your Microsoft 365 alerting system! Achieve advanced and more effective file deletion monitoring with AdminDroid Alerts!

Even better, AdminDroid's Alert feature lets you create alert policies directly from the report with just two clicks.

Quick steps to set up AdminDroid alerts!
  • Create Alert Policies: Simply click the bell icon on any report page to set up alert policies.
  • Fine-Tune Alerts: Use the alert preview console to tweak policies and set thresholds easily.
  • Manage Alerts Efficiently: Edit settings and update alert status to open, closed, or investigating in the Alerts section.
ad-alert-bell
Track and manage alerts with ease!
  • Prebuilt Alert Policies: Take advantage of pre-built policies to monitor unusual amounts of file deletions.
  • Alerts Dashboard: Monitor all alerts in one centralized dashboard for quick insights.
  • Alerts Reports: Access detailed reports that track all alert activities for comprehensive monitoring.
alert-section

AdminDroid makes it easy to enhance your file deletion monitoring beyond the native capabilities of Microsoft 365.

Why do I need to find who deleted the files from Microsoft 365?

Understanding who deleted files from Microsoft 365 is crucial for several reasons. Whether it's to maintain data integrity, enforce security protocols, or conduct investigations into unauthorized access, identifying the responsible user provides valuable insights for effective governance and risk management.

  • SecurityMonitoring file deletions can help detect and respond to potential security threats or unauthorized access. This is especially important if files are deleted by an account that shouldn't have had access.
  • Compliance and Auditing Organizations often need to comply with data protection regulations and internal policies. Purview logs showing who deleted files can provide evidence of compliance or highlight areas that needs improvement.
  • Data Loss Prevention Understanding the context and reasons behind file deletions allows you to create and enforce better data protection policies to prevent similar incidents in the future.
  • Recovery and Restoration Knowing which file is deleted can help you quickly identify and restore the file from the recycle bin or backup sources if a file is deleted accidentally.

AdminDroid SharePoint Online ReporterSimplify SharePoint security and compliance with AdminDroid's automated audit reports!

The AdminDroid’s SharePoint auditing tool is the ultimate solution for analyzing all SharePoint Online and OneDrive for Business activities. Our cutting-edge tool provides in-depth reports covering every aspect of Microsoft 365, empowering you to confidently make informed decisions. Moreover, you can easily delegate access permissions to authorized users, ensuring that your data is always safe and secure.

A Quick Summary

Robust Export Capabilities in 6 Popular File Formats!

Get the ability to easily export data on file deletions in six popular file formats (CSV, HTML, XLS, XLSX, PDF, and RAW), guaranteeing flexibility and ease of use while handling data.

Simplify SharePoint Online Folders and Pages Audit

Transform your SharePoint Online experience with AdminDroid's powerful analytics, providing both high-level and detailed Insights on SharePoint Online folders and pages.

File Safety and DLP Auditing in SharePoint Online

Audit both the SharePoint Online file activities and DLP actions, such as rule matches, rule undoes, etc., together under one roof. These reports are not just tables! Every report ramped up with AI-powered graphs.

Grant Precise Report Access with Granular Delegation!

Delegate admins using the built-in SharePoint Administrator role in AdminDroid to ensure they only access SharePoint information. This granular accessing streamlines SharePoint management without exposing other sensitive data.

Unveil the Impact of External Users

Zoom in on external user actions with the File/Folder Accessed by External Users report. Easily filter deletions with one click to see who deleted, what was deleted, and when it was deleted.

Schedule Reports at Your Convenience!

Schedule reports to run at your convenience, ensuring timely delivery of vital data like deleted file details directly to your inbox and local storage.

Overall, AdminDroid provides powerful features that empower you to efficiently track file deletion activities in Microsoft 365. You can also monitor all file sharing activities, files shared to external users, files shared by external users, file access, file version changing, and file restoration reports ensuring control over the users in your Office 365 environment.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Download

Common Errors and Resolution Steps when Tracking File Deletion in Microsoft 365

The following are possible errors and troubleshooting hints when dealing with tracking file deletions.

Error: Search duration is too long. Please select a date range of less than 6 months.

This error will occur in the AuditLog search of Purview Compliance if the selected date and time range exceed the limit.

Troubleshooting hint :In Microsoft Purview Audit (Standard), logs can only be retained for a maximum of 180 days. So, you need to give a time range within this period.

Error: No Data is returned in the result of the Audit search.

This error will occur in both the PowerShell and Compliance Center AuditLog search if the Audit search is not enabled.

Troubleshooting hint :In Microsoft Purview Audit, you should enable Audit Search by clicking Start recording user and admin activity or if you’re using PowerShell then you need to enable it by using this cmdlet. 

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Error: Connect-ExchangeOnline: The term ‘Connect-ExchangeOnline’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This error will occur when you don’t have the ExchangeOnline module installed in the PowerShell Environment.

Troubleshooting hint :Use the cmdlet below to install the ExchangeOnlineManagement module. 

Install-Module ExchangeOnlineManagement -Force

Error: This library inherits permissions from its parent.

This error will occur in the Permissions tab on the SharePoint site when you attempt to assign custom permission levels to users.

Troubleshooting hint :To resolve this error you need to stop inheritance permission by clicking the Stop Inheriting Permissions option near the top left corner.