🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.

How to Find Deleted User Accounts in Microsoft 365

Admins face significant challenges in handling Microsoft 365 user deletions, resulting in poor license management, unauthorized access, and potential data loss. Thus, properly identifying and managing the deleted accounts is essential for maintaining organizational security and efficiency. So, take control today! Learn how to monitor and manage deleted users in Microsoft Entra ID.

Native Solution

Microsoft 365 Permission Required

High

Global Admin, Global Reader or User Admin.

Option 1 Using Microsoft 365 Admin Center

  • Login to the Microsoft 365 admin center.
  • Navigate to Users»Deleted Users.
  • Here, you will get the list of deleted users in your organization.
  • Now, you can download the Microsoft 365 deleted users report in CSV format using the 'Export deleted users' option.
Using Microsoft 365 Admin Center

Option 2 Using Microsoft Entra Admin Center

  • Login to the Microsoft Entra admin center.
  • Navigate to Deleted Users through Identity»Users.
  • Here, you will get information like deleted user type, permanent deletion time, object ID, etc.
  • However, you don't have the option to export the Entra ID deleted users report here.
Using Microsoft Entra Admin Center

Option 3 Using PowerShell Cmdlets

  • Connect to Microsoft 365 using Graph PowerShell.
  • Windows PowerShell Windows PowerShell 
     Connect-MgGraph
  • Run the below cmdlet to get Microsoft Entra ID deleted users report.
  • Windows PowerShell Windows PowerShell 
     Get-MgDirectoryDeletedItemAsUser
Using PowerShell Cmdlets
As the PowerShell cmdlet provides only limited information, monitoring deleted users through PowerShell becomes challenging for Microsoft 365 admins.
AdminDroid Solution
This report and 150+ more reports are under free editionFREE

AdminDroid Permission Required

Delegated

Any user with report access delegated by the Super Admin.

StepsUsing AdminDroid

Free
ad
  • Login to the AdminDroid Office 365 reporter.
  • Navigate to Recently Deleted Users report under Reports»Azure AD»User Reports.
Using AdminDroid

Export deleted user report in Microsoft 365 with their deletion time, assigned licenses, and other information in a single click.

deleted-count-by-license-status-admindroid
  • In addition, the report includes built-in graphs that shows the number of deleted users with assigned licenses using visually appealing charts.
geo-map
birds-eye-chart
donut
exported-excel
pie-chart
alert
Explore a full range of reporting options

Proactively manage deleted users in Microsoft 365!

Don't let unused licenses pile up! Manage Microsoft 365 deleted users efficiently by revoking licenses assigned to them with the help of AdminDroid.

Witness the report in action using the

Live Demo

Azure ADMonitor Deleted User Accounts and Optimize Licenses in Microsoft 365

Showing 1 of 5
How to delete a user in Microsoft 365? How to track who deleted a user account in Microsoft 365? Can deleted user accounts be restored in Microsoft 365? Why it is important to track deleted users in Microsoft 365? What are the best practices for user offboarding in Microsoft 365?

How to delete a user in Microsoft 365?

There are several scenarios where you might need to delete a user account, such as when an employee leaves the company or when a guest user completes their project. Properly removing these accounts helps to protect sensitive information and manage subscription costs effectively.

You can delete a user using the below native methods in Microsoft 365.

Using Microsoft 365 Admin Center

  • Login to the Microsoft 365 admin center.
  • Navigate to Users»Active Users.
  • Select the desired user and click "Delete User" at the top banner of the Active Users page.
  • Then in the pop-up menu, you have the following option before deleting a user.
    • Removing email aliases.
    • Removing delegated permissions to the mailbox.
    • Giving another user access to their OneDrive files for 30 days.
    • Giving another user their email.
  • After selecting the desired option, click "Delete User".
deleting-user-right-pane-details-admin-center

Using Microsoft Entra Admin Center

  • Login to the Microsoft Entra admin center.
  • Navigate to Identity»Users»All Users.
  • Select the desired user and click "Delete" at the top banner of the All Users page.
deleting-user-in-entra-admin-center

We can also permanently delete a user in Microsoft 365 to remove all the associated data and accesses. Follow the below steps to remove a user permanently.

  • Login to the Microsoft Entra admin center.
  • Navigate to Identity»Users»All Users.
  • Select the desired user and click "Delete Permanently" at the top banner of the Deleted Users page.

Using Microsoft PowerShell

Run the below cmdlet to delete a user in Microsoft 365.

Remove-MgUser -UserId "userId"

Unfortunately, there is no dedicated way to audit permanently removed users using Microsoft 365 native methods.

However, with the help of AdminDroid's permanently deleted users report, you can effortlessly monitor the users who have been deleted permanently from Microsoft 365 with just a few clicks.

  • This report helps you observe details like permanent deletion time, permanently deleted user, who deleted the user, etc.
  • Auditing permanently deleted users helps in identifying unauthorized deletions and recovering critical data if needed.
permanently-deleted-users-ad

How to track who deleted a user account in Microsoft 365?

Knowing who deleted a user account can be essential for security, auditing, and compliance purposes.

Tracking who deleted a user in Microsoft 365 can be done by the following methods.

Using Microsoft Purview Compliance portal

  • Login to the Microsoft Purview Compliance portal.
  • Navigate to the "Audit" under the "Solutions" section.
  • Choose "Deleted User" under Activities-friendly names and click Search.
  • Click on the audit log after the search has been completed. Now, you can export the audit logs to CSV file using the "Export" option.
audit-deleted-users-microsoft-purview-portal

Note: Audit logs in Microsoft Purview retains data for up to 180 days.

However, the data exported from the compliance audit log is not classified properly and is difficult to analyze, especially when dealing with large data.

Using Microsoft Entra Admin Center

  • Login to the Microsoft Entra admin center.
  • Navigate to Identity»Monitoring & health»Audit Logs.
  • Select "Delete User" under Activity filter.
  • Specify the date range and click on "Download".
audit-deleted-users-microsoft-entra-admin-center

Once downloaded, you can check the deleted users report with the details, such as user who performed deletion, deletion time, deleted user, etc.

Note: Microsoft Entra retains the audit data only for 30 days.

Tracking deleted users in Microsoft 365 audit logs will be time consuming and won't provide a clear picture about the activity.

Using Admindroid’s Audit Deleted Users report, you can effortlessly track who deleted a user in Microsoft 365.

  • Gain comprehensive insights on Azure AD deleted users within few clicks.
  • This report shows the list of user deletion events in the organization with informations like deletion time, deleted user, who deleted the user, etc.
audit-deleted-user-admindroid

Can deleted user accounts be restored in Microsoft 365?

Deleted user accounts in Microsoft 365 can be restored, depending on the retention period. By default, when a user account is deleted, it enters a "soft deleted" state for 30 days. During this time, admins can restore the deleted user account and its associated data.

Restoring a deleted user in Microsoft 365 can be done by the following methods.

Using Microsoft 365 Admin Center

  • Login to the Microsoft 365 admin center.
  • Navigate to Users»Deleted Users.
  • Select the desired user and click "Restore User" at the top banner of the Deleted Users page.
  • Then in the pop-up menu, you have the option to create a new password for the user or set it to auto-generation before clicking "Restore".
restore-delete-user-in-microsoft-admin-center

Using Microsoft Entra Admin Center

  • Login to the Microsoft Entra admin center.
  • Navigate to Users»Deleted Users.
  • Select the desired user and click "Restore Users" at the top banner of the Deleted Users page.

You can use "Bulk restore" option to restore multiple users at the same time.

  • Click "Bulk restore" at the top banner of Deleted Users page.
  • Upload the csv file of list of deleted users to be restored and click "Submit".
restoring-deleted-user-in-microsoft-entra-ad

Using Microsoft PowerShell

Run the below cmdlet to restore a user in Microsoft 365.

Restore-MgDirectoryDeletedItem -DirectoryObbjectId "objectId"

Why it is important to track deleted users in Microsoft 365?

If a user account is deleted without proper authorization or documentation, it can lead to data loss, security breaches, or disruptions in workflow. Below are a few scenarios that underscore the importance of tracking deleted users in Microsoft 365.

  • Security: Deleted users may still have some important data and permissions that could be exploited if not properly managed. Tracking deleted users helps to prevent these potential security risks.
  • Compliance: Many organizations have data retention policies and privacy regulations. Tracking deleted users ensures compliance by confirming proper management of sensitive data from deleted accounts.
  • Data Loss Prevention: Deleted users may have owned or had access to critical documents, emails, or other data. Tracking user deletion allows organizations to identify and safeguard important information before it is lost or becomes inaccessible.
  • License Management: Tracking deleted users helps ensure that licenses are freed up for reassignment and organizational resources are utilized effectively.

Overall, monitoring deleted users in Microsoft 365 is an integral part of maintaining security, compliance, and efficient resource management within an organization's IT infrastructure.

What are the best practices for user offboarding in Microsoft 365?

In Microsoft 365, employee offboarding involves more than just deleting a user account. Following a structured procedure helps protect sensitive information and supports a seamless transition.

Here is a step-by-step procedure for user offboarding in Microsoft 365.

1. Disabling user sign-In

  • Login to the Microsoft 365 admin center.
  • Navigate to Users»Active Users.
  • Click on the user you want to disable and choose "Block sign-in".

2. Removing licenses

  • Login to the Microsoft 365 admin center.
  • Navigate to Billing»Licenses. Select the license you want to remove.
  • Then, select the required users and choose "Unassign licenses".

3. Removing group memberships

  • Login to the Microsoft Entra admin center.
  • Navigate to Users»All Users.
  • Click on the respective user > Select Groups tab > Select all the groups available > Choose "Remove Memberships".

4. Converting user mailbox to shared mailbox

  • Login to the Exchange admin center.
  • Navigate to Recipients»Mailboxes.
  • Choose the user’s mailbox and and click ‘"convert to shared mailbox" at the top banner of the mailboxes page.

5. Saving mailbox content

  • Login to the Exchange admin center.
  • Navigate to Recipients»Mailboxes.
  • Select respective user’s mailbox > "Others" tab > Manage litigation hold > Configure "Hold duration (days)" > Save.

6. Deleting user account

  • Login to the Microsoft 365 admin center.
  • Navigate to Users»Active Users.
  • Select the respective user and click "Delete".

Ensure Comprehensive Offboarding with AdminDroid's Role Delegation.

AdminDroid’s delegation allows you to create a designated role to conduct a thorough review after each M365 user offboarding process.

In the Settings»Roles page of AdminDroid portal, create a "New Role" and add the below custom filter by User properties.

Is Deleted equals yes

deleted-user-delegation-role-admindroid

  • With this role assigned, AdminDroid reports will be accessible exclusively for deleted users. This helps admins monitor the previous activities of deleted users.
  • It also tracks activities performed during the offboarding process, such as permission removals, membership retrievals, license revoking activities etc., by auditing all activities across M365.

AdminDroid Microsoft 365 User Reporting ToolMaster Microsoft 365 security by tracking deleted user accounts like a pro!

AdminDroid Microsoft 365 user monitoring reports serves as a comprehensive solution for Microsoft 365 admins, enabling effortless identification and management of deleted users in Microsoft 365 without any complexity.

Why should you utilize AdminDroid Microsoft 365 reporter for tracking deleted users?

The Recently Deleted Users report provides an overview of deleted users within your Microsoft 365 environment, helping you make informed decisions about actions such as retrieving access or removing licenses to prevent resource wastage.

A Quick Summary

Effective Monitoring of Risky Sign-ins

Identify and remove users with Azure AD risky sign-ins to maintain the security of sensitive data in your Microsoft 365 organization.

Automated Report Generation

AdminDroid's scheduling automates Entra ID deleted users report that facilitates daily tracking, making it easier to audit consistently.

Setup Alerts on Deletion of Licensed Users

Stay informed and maintain control over your Microsoft 365 environment by setting up alerts for the deletion of licensed users.

Regain Licenses by Deleting Disabled Users

Identify and delete Microsoft 365 disabled users with licenses to automatically recover unused licenses and avoid unwanted resource usage.

Audit External User Deletions in M365

Utilizing AdminDroid's Deleted External Users report allows you to easily audit and verify the deletion of external users, ensuring they no longer have access to sensitive information.

Efficient Inactive User Management.

Inactive users in Microsoft 365 need to be monitored closely as their accounts could still access sensitive information. Therefore, promptly deleting these users is essential to maintaining security.

Therefore, the AdminDroid Microsoft 365 reporting and auditing tool acts as a crucial mechanism for spotlighting deleted users to avoid any unusual or suspicious activities that might cause potential security risks in the Microsoft 365 environment.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Download

Common Errors and Resolution Steps for Deleted Users in Microsoft 365

The following are possible errors and troubleshooting hints while dealing with Deleted Users in Microsoft 365.

Error: The term 'Connect-MgGraph' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error occurs when the required Microsoft Graph PowerShell module is not installed.

Troubleshooting hint :Run the below cmdlet for installing Microsoft Graph PowerShell module. 

Install-Module Microsoft.Graph

Error: Insufficient privileges to complete the operation.

This error occurs when attempting to operate through the Mg Graph cmdlet without the necessary permissions.

Troubleshooting hint :Connect to the Microsoft Graph PowerShell module with the "User.ReadWrite.All" scope. 

Connect-MgGraph -scopes User.ReadWrite.All

Error: Get-MgUser : One or more errors occurred.

This error typically occurs when you have multiple versions of the Mg Graph PowerShell module installed.

Troubleshooting hint :Run the below cmdlet to identify the versions of Mg Graph module and delete the unwanted versions. 

Get-Module -Name Microsoft.Graph -ListAvailable 
Uninstall-Module -Name "Microsoft.Graph" -RequiredVersion <Version_To_Be_Uninstalled> -Force

Error: You do not have access to this data. Please contact your global administrator to get access.

This error occurs when you try to access deleted users in Microsoft 365 without necessary admin permission.

Troubleshooting hint :Please ensure that you possess one of the necessary administrative permissions listed below.

Global Admin, Global Reader or User Admin

Error: Remove-MgUser : Resource '<userId>' does not exist or one of its queried reference-property objects are not present.

This error occurs when you try to delete a user with a wrong userId.

Troubleshooting hint :Please ensure that you have given a valid user Id.