How to check who disabled a user in Microsoft 365?
+
Monitoring disabled user actions and identifying who disabled it is crucial for maintaining security within Microsoft 365 environment. Finding the user who is responsible for the change allows you to promptly address any unauthorized actions and ensure proper access controls in your organization.
To identify who disabled a user, you can simply access Office 365 audit logs within the Microsoft Purview portal. However, it's crucial to ensure that audit logging is enabled for your organization to effectively monitor both user and admin activities.
Once auditing is enabled, you can initiate audit log search on the Purview Portal using the steps below.
- Login to the Microsoft 365 Purview portal.
- Navigate to the âAudit Pageâ under Solutions.
- Now, provide the Date range and select âAzure Active Directoryâ in the workload section. Then, click on "Search" to start the search.
- Once the search is completed, open the result and click on the Export button to initiate the export process.
- After the completion of the Export process, click on the download file that results.
- Open the downloaded file and apply a 'filter' to the âOperationâ column and search for Disable Account entries.
Once the filter has been applied, review the 'AuditData' column to check the details about a disabled Microsoft 365 user account. Also, check the 'UserId' column to identify who disabled the account.
Auditing the user disabling activities can be a time-consuming task as it involves several manual steps in native solution.
Using AdminDroid's Audit Sign-in Disabled Users report, you can easily monitor the events of sign-in blocked users and admins who disabled the user, along with precise timestamps indicating when a user was disabled.
- Moreover, the report includes built-in graphs that specifically show the number of disabling actions being performed by a specific user. For instance, you can easily identify a specific user with a high number of disabling activities.
- Additionally, if you wish to email these report, simply click the Email this report now button. This will enable you to email the reports instantly to your chosen recipients in preferred formats (HTML, PDF, CSV, XLS, XLXS, RAW).