🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
Azure AD

How to Find Deleted User Accounts in Microsoft 365

Admins face significant challenges in handling Microsoft 365 user deletions, resulting in poor license management, unauthorized access, and potential data loss. Thus, properly identifying and managing the deleted accounts is essential for maintaining organizational security and efficiency. So, take control today! Learn how to monitor and manage deleted users in Microsoft Entra ID.

Solution 1
Solution 2
Solution 3
Solution 4
Important Tips
Errors and Resolution Steps
FAQs

Using Microsoft 365 Admin Center

Microsoft 365 Permission Required
Global Admin, Global Reader or User Admin.
  • Login to the Microsoft 365 admin center.
  • Navigate to Users»Deleted Users.
  • Here, you will get the list of deleted users in your organization.
  • Now, you can download the Microsoft 365 deleted users report in CSV format using the 'Export deleted users' option.
Using Microsoft 365 Admin Center

Using Microsoft Entra Admin Center

Microsoft 365 Permission Required
Global Admin, Global Reader or User Admin.
  • Login to the Microsoft Entra admin center.
  • Navigate to Deleted Users through Identity»Users.
  • Here, you will get information like deleted user type, permanent deletion time, object ID, etc.
  • However, you don't have the option to export the Entra ID deleted users report here.
Using Microsoft Entra Admin Center

Using PowerShell Cmdlets

Microsoft 365 Permission Required
Global Admin, Global Reader or User Admin.
  • Connect to Microsoft 365 using Graph PowerShell.
  • Windows PowerShell Windows PowerShell 
     Connect-MgGraph
  • Run the below cmdlet to get Microsoft Entra ID deleted users report.
  • Windows PowerShell Windows PowerShell 
     Get-MgDirectoryDeletedItemAsUser
Using PowerShell Cmdlets
As the PowerShell cmdlet provides only limited information, monitoring deleted users through PowerShell becomes challenging for Microsoft 365 admins.
AdminDroid Microsoft 365 User Reporting Tool

Master Microsoft 365 security by tracking deleted user accounts like a pro!

AdminDroid Microsoft 365 user monitoring reports serves as a comprehensive solution for Microsoft 365 admins, enabling effortless identification and management of deleted users in Microsoft 365 without any complexity.

Effective Monitoring of Risky Sign-ins

Identify and remove users with Azure AD risky sign-ins to maintain the security of sensitive data in your Microsoft 365 organization.

Automated Report Generation

AdminDroid's scheduling automates Entra ID deleted users report that facilitates daily tracking, making it easier to audit consistently.

Setup Alerts on Deletion of Licensed Users

Stay informed and maintain control over your Microsoft 365 environment by setting up alerts for the deletion of licensed users.

Regain Licenses by Deleting Disabled Users

Identify and delete Microsoft 365 disabled users with licenses to automatically recover unused licenses and avoid unwanted resource usage.

Audit External User Deletions in M365

Utilizing AdminDroid's Deleted External Users report allows you to easily audit and verify the deletion of external users, ensuring they no longer have access to sensitive information.

Efficient Inactive User Management.

Inactive users in Microsoft 365 need to be monitored closely as their accounts could still access sensitive information. Therefore, promptly deleting these users is essential to maintaining security.

Therefore, the AdminDroid Microsoft 365 reporting and auditing tool acts as a crucial mechanism for spotlighting deleted users to avoid any unusual or suspicious activities that might cause potential security risks in the Microsoft 365 environment.

Explore a full range of reporting options
Download Live Demo

Important Tips

If a Microsoft 365 user is accidentally deleted, you can restore them before permanent removal by tracking object deletions in Entra ID.

Before deleting the account, review the SharePoint Online file activity to ensure that no critical data has been deleted or downloaded by the user, thereby preventing any data loss.

Automate Microsoft 365 user offboarding process with lifecycle workflows to handle critical tasks like retrieving sensitive data, reassigning licenses, etc.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while dealing with Deleted Users in Microsoft 365.

Error The term 'Connect-MgGraph' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error occurs when the required Microsoft Graph PowerShell module is not installed.

Fix Run the below cmdlet for installing Microsoft Graph PowerShell module. 
Install-Module Microsoft.Graph

Error Insufficient privileges to complete the operation.

This error occurs when attempting to operate through the Mg Graph cmdlet without the necessary permissions.

Fix Connect to the Microsoft Graph PowerShell module with the "User.ReadWrite.All" scope. 
Connect-MgGraph -scopes User.ReadWrite.All

Error Get-MgUser : One or more errors occurred.

This error typically occurs when you have multiple versions of the Mg Graph PowerShell module installed.

Fix Run the below cmdlet to identify the versions of Mg Graph module and delete the unwanted versions. 
Get-Module -Name Microsoft.Graph -ListAvailable 
Uninstall-Module -Name "Microsoft.Graph" -RequiredVersion <Version_To_Be_Uninstalled> -Force

Error You do not have access to this data. Please contact your global administrator to get access.

This error occurs when you try to access deleted users in Microsoft 365 without necessary admin permission.

Fix Please ensure that you possess one of the necessary administrative permissions listed below.
Global Admin, Global Reader or User Admin

Error Remove-MgUser : Resource '<userId>' does not exist or one of its queried reference-property objects are not present.

This error occurs when you try to delete a user with a wrong userId.

Fix Please ensure that you have given a valid user Id.
Azure AD
Frequently Asked Questions

Monitor Deleted User Accounts and Optimize Licenses in Microsoft 365

How to delete a user in Microsoft 365?
How to track who deleted a user account in Microsoft 365?
Can deleted user accounts be restored in Microsoft 365?
Why it is important to track deleted users in Microsoft 365?
What are the best practices for user offboarding in Microsoft 365?

1. How to delete a user in Microsoft 365?

There are several scenarios where you might need to delete a user account, such as when an employee leaves the company or when a guest user completes their project. Properly removing these accounts helps to protect sensitive information and manage subscription costs effectively.

You can delete a user using the below native methods in Microsoft 365.

Using Microsoft 365 Admin Center

  • Login to the Microsoft 365 admin center.
  • Navigate to Users»Active Users.
  • Select the desired user and click "Delete User" at the top banner of the Active Users page.
  • Then in the pop-up menu, you have the following option before deleting a user.
    • Removing email aliases.
    • Removing delegated permissions to the mailbox.
    • Giving another user access to their OneDrive files for 30 days.
    • Giving another user their email.
  • After selecting the desired option, click "Delete User".
deleting-user-right-pane-details-admin-center

Using Microsoft Entra Admin Center

  • Login to the Microsoft Entra admin center.
  • Navigate to Identity»Users»All Users.
  • Select the desired user and click "Delete" at the top banner of the All Users page.
deleting-user-in-entra-admin-center

We can also permanently delete a user in Microsoft 365 to remove all the associated data and accesses. Follow the below steps to remove a user permanently.

  • Login to the Microsoft Entra admin center.
  • Navigate to Identity»Users»All Users.
  • Select the desired user and click "Delete Permanently" at the top banner of the Deleted Users page.

Using Microsoft PowerShell

Run the below cmdlet to delete a user in Microsoft 365.

Remove-MgUser -UserId "userId"

Unfortunately, there is no dedicated way to audit permanently removed users using Microsoft 365 native methods.

However, with the help of AdminDroid's permanently deleted users report, you can effortlessly monitor the users who have been deleted permanently from Microsoft 365 with just a few clicks.

  • This report helps you observe details like permanent deletion time, permanently deleted user, who deleted the user, etc.
  • Auditing permanently deleted users helps in identifying unauthorized deletions and recovering critical data if needed.
permanently-deleted-users-ad

2. How to track who deleted a user account in Microsoft 365?

Knowing who deleted a user account can be essential for security, auditing, and compliance purposes.

Tracking who deleted a user in Microsoft 365 can be done by the following methods.

Using Microsoft Purview Compliance portal

  • Login to the Microsoft Purview Compliance portal.
  • Navigate to the "Audit" under the "Solutions" section.
  • Choose "Deleted User" under Activities-friendly names and click Search.
  • Click on the audit log after the search has been completed. Now, you can export the audit logs to CSV file using the "Export" option.
audit-deleted-users-microsoft-purview-portal

Note: Audit logs in Microsoft Purview retains data for up to 180 days.

However, the data exported from the compliance audit log is not classified properly and is difficult to analyze, especially when dealing with large data.

Using Microsoft Entra Admin Center

  • Login to the Microsoft Entra admin center.
  • Navigate to Identity»Monitoring & health»Audit Logs.
  • Select "Delete User" under Activity filter.
  • Specify the date range and click on "Download".
audit-deleted-users-microsoft-entra-admin-center

Once downloaded, you can check the deleted users report with the details, such as user who performed deletion, deletion time, deleted user, etc.

Note: Microsoft Entra retains the audit data only for 30 days.

Tracking deleted users in Microsoft 365 audit logs will be time consuming and won't provide a clear picture about the activity.

Using Admindroid’s Audit Deleted Users report, you can effortlessly track who deleted a user in Microsoft 365.

  • Gain comprehensive insights on Azure AD deleted users within few clicks.
  • This report shows the list of user deletion events in the organization with informations like deletion time, deleted user, who deleted the user, etc.
audit-deleted-user-admindroid

3. Can deleted user accounts be restored in Microsoft 365?

Deleted user accounts in Microsoft 365 can be restored, depending on the retention period. By default, when a user account is deleted, it enters a "soft deleted" state for 30 days. During this time, admins can restore the deleted user account and its associated data.

Restoring a deleted user in Microsoft 365 can be done by the following methods.

Using Microsoft 365 Admin Center

  • Login to the Microsoft 365 admin center.
  • Navigate to Users»Deleted Users.
  • Select the desired user and click "Restore User" at the top banner of the Deleted Users page.
  • Then in the pop-up menu, you have the option to create a new password for the user or set it to auto-generation before clicking "Restore".
restore-delete-user-in-microsoft-admin-center

Using Microsoft Entra Admin Center

  • Login to the Microsoft Entra admin center.
  • Navigate to Users»Deleted Users.
  • Select the desired user and click "Restore Users" at the top banner of the Deleted Users page.

You can use "Bulk restore" option to restore multiple users at the same time.

  • Click "Bulk restore" at the top banner of Deleted Users page.
  • Upload the csv file of list of deleted users to be restored and click "Submit".
restoring-deleted-user-in-microsoft-entra-ad

Using Microsoft PowerShell

Run the below cmdlet to restore a user in Microsoft 365.

Restore-MgDirectoryDeletedItem -DirectoryObbjectId "objectId"

4. Why it is important to track deleted users in Microsoft 365?

If a user account is deleted without proper authorization or documentation, it can lead to data loss, security breaches, or disruptions in workflow. Below are a few scenarios that underscore the importance of tracking deleted users in Microsoft 365.

  • Security: Deleted users may still have some important data and permissions that could be exploited if not properly managed. Tracking deleted users helps to prevent these potential security risks.
  • Compliance: Many organizations have data retention policies and privacy regulations. Tracking deleted users ensures compliance by confirming proper management of sensitive data from deleted accounts.
  • Data Loss Prevention: Deleted users may have owned or had access to critical documents, emails, or other data. Tracking user deletion allows organizations to identify and safeguard important information before it is lost or becomes inaccessible.
  • License Management: Tracking deleted users helps ensure that licenses are freed up for reassignment and organizational resources are utilized effectively.

Overall, monitoring deleted users in Microsoft 365 is an integral part of maintaining security, compliance, and efficient resource management within an organization's IT infrastructure.

5. What are the best practices for user offboarding in Microsoft 365?

In Microsoft 365, employee offboarding involves more than just deleting a user account. Following a structured procedure helps protect sensitive information and supports a seamless transition.

Here is a step-by-step procedure for user offboarding in Microsoft 365.

1. Disabling user sign-In

  • Login to the Microsoft 365 admin center.
  • Navigate to Users»Active Users.
  • Click on the user you want to disable and choose "Block sign-in".

2. Removing licenses

  • Login to the Microsoft 365 admin center.
  • Navigate to Billing»Licenses. Select the license you want to remove.
  • Then, select the required users and choose "Unassign licenses".

3. Removing group memberships

  • Login to the Microsoft Entra admin center.
  • Navigate to Users»All Users.
  • Click on the respective user > Select Groups tab > Select all the groups available > Choose "Remove Memberships".

4. Converting user mailbox to shared mailbox

  • Login to the Exchange admin center.
  • Navigate to Recipients»Mailboxes.
  • Choose the user’s mailbox and and click ‘"convert to shared mailbox" at the top banner of the mailboxes page.

5. Saving mailbox content

  • Login to the Exchange admin center.
  • Navigate to Recipients»Mailboxes.
  • Select respective user’s mailbox > "Others" tab > Manage litigation hold > Configure "Hold duration (days)" > Save.

6. Deleting user account

  • Login to the Microsoft 365 admin center.
  • Navigate to Users»Active Users.
  • Select the respective user and click "Delete".

Ensure Comprehensive Offboarding with AdminDroid's Role Delegation.

AdminDroid’s delegation allows you to create a designated role to conduct a thorough review after each M365 user offboarding process.

In the Settings»Roles page of AdminDroid portal, create a "New Role" and add the below custom filter by User properties.

Is Deleted equals yes

deleted-user-delegation-role-admindroid

  • With this role assigned, AdminDroid reports will be accessible exclusively for deleted users. This helps admins monitor the previous activities of deleted users.
  • It also tracks activities performed during the offboarding process, such as permission removals, membership retrievals, license revoking activities etc., by auditing all activities across M365.

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs
All Guides 99+
Azure AD
How to Find Deleted User Accounts in Microsoft 365
Azure AD Guides
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo