How to track who deleted a user account in Microsoft 365?
+
Knowing who deleted a user account can be essential for security, auditing, and compliance purposes.
Tracking who deleted a user in Microsoft 365 can be done by the following methods.
- Login to the Microsoft Purview Compliance portal.
- Navigate to the "Audit" under the "Solutions" section.
- Choose "Deleted User" under Activities-friendly names and click Search.
- Click on the audit log after the search has been completed. Now, you can export the audit logs to CSV file using the "Export" option.
Note: Audit logs in Microsoft Purview retains data for up to 180 days.
However, the data exported from the compliance audit log is not classified properly and is difficult to analyze, especially when dealing with large data.
- Login to the Microsoft Entra admin center.
- Navigate to Identity»Monitoring & health»Audit Logs.
- Select "Delete User" under Activity filter.
- Specify the date range and click on "Download".
Once downloaded, you can check the deleted users report with the details, such as user who performed deletion, deletion time, deleted user, etc.
Note: Microsoft Entra retains the audit data only for 30 days.
Tracking deleted users in Microsoft 365 audit logs will be time consuming and won't provide a clear picture about the activity.
Using Admindroid’s Audit Deleted Users report, you can effortlessly track who deleted a user in Microsoft 365.
- Gain comprehensive insights on Azure AD deleted users within few clicks.
- This report shows the list of user deletion events in the organization with informations like deletion time, deleted user, who deleted the user, etc.