How can I enable audit logs to find out who deleted a folder on my Azure VM?

kobulloc msft 45 Reputation points
2024-07-30T03:07:16.8+00:00

Note: Based on common issues that we have seen from customers and other sources, we are posting these questions to help the Azure community.


A folder was deleted from a drive on my VM. How can I enable audit logs to find out who deleted the folder?

Azure Virtual Machines

1 answer

  1. kobulloc-MSFT 26,806 Reputation points Microsoft Employee Moderator
    2024-07-30T03:07:54.8066667+00:00

    Note: Based on common issues that we have seen from customers and other sources, we are posting these questions to help the Azure community.


    To enable audit logs and identify the account that deleted a folder on your Azure VM, follow these steps:

    Configure Audit Policy in Group Policy Object (GPO):

    1. Open the GPO configuration page by running the command gpedit.msc.
    2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
    3. Double-click Audit object access to open the Properties window.
    4. Check the box for Define these policy settings.
    5. Click both Success and Failure under Audit these attempts.
    6. Click Apply and OK.
    7. Open Command Prompt as an administrator and run the command gpupdate /force to apply the configuration.

    In the future, if a file or folder is deleted, you can open Event Viewer -> Security Log and check for Event IDs 4660 and 4663 to find the account that deleted the file/folder.

    References for additional options:

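The Event ID 4660/4663 lookup described in the answer, as an added PowerShell example (not part of the original answer and not Microsoft's code): Event ID 4663 carries the account, process and path, and Event ID 4660 confirms the delete for the same process and handle. It assumes an auditing entry (SACL) exists on the folder so that these events are logged; the function names, folder path, account and sample records are hypothetical.

```powershell
# Added example: correlate Event ID 4663 (access attempt) with 4660 (object deleted).
function Get-AuditFields($Record) {
    # Flatten one Security event's <EventData> name/value pairs into a hashtable.
    $f = @{ Id = $Record.Id; Time = $Record.TimeCreated }
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    $f
}

function Find-FolderDeletion([hashtable[]]$Events, [string]$Folder) {
    # 4660 has no path, so index its timestamps by process ID and handle ID.
    $deleted = @{}
    foreach ($e in $Events | Where-Object { $_.Id -eq 4660 }) {
        $deleted["$($e.ProcessId)|$($e.HandleId)"] += @($e.Time)
    }
    foreach ($e in $Events | Where-Object { $_.Id -eq 4663 }) {
        # Keep only accesses that used the DELETE right (0x10000) under the folder.
        $mask = [Convert]::ToInt32($e.AccessMask, 16)
        if (-not ($mask -band 0x10000)) { continue }
        if (-not "$($e.ObjectName)".StartsWith($Folder, [StringComparison]::OrdinalIgnoreCase)) { continue }
        # Handle IDs are reused, so require the 4660 within 5 seconds of the 4663.
        $confirmed = $false
        foreach ($t in $deleted["$($e.ProcessId)|$($e.HandleId)"]) {
            if ([math]::Abs(($t - $e.Time).TotalSeconds) -le 5) { $confirmed = $true }
        }
        [pscustomobject]@{
            Time      = $e.Time
            Account   = "$($e.SubjectDomainName)\$($e.SubjectUserName)"
            Process   = $e.ProcessName
            Path      = $e.ObjectName
            Confirmed = $confirmed
        }
    }
}

# Constructed sample records (not real log data); path and account are hypothetical.
$t = Get-Date '2024-07-29T10:15:00'
$sample = @(
    @{ Id = 4663; Time = $t; SubjectDomainName = 'CONTOSO'; SubjectUserName = 'jdoe'
       ProcessName = 'C:\Windows\explorer.exe'; ProcessId = '0x1a2c'; HandleId = '0x5f4'
       AccessMask = '0x10000'; ObjectName = 'D:\Data\Reports\Q2' },
    @{ Id = 4660; Time = $t.AddSeconds(1); ProcessId = '0x1a2c'; HandleId = '0x5f4' }
)
Find-FolderDeletion -Events $sample -Folder 'D:\Data\Reports' | Format-Table -AutoSize

# Against the live log (elevated session on the VM):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663 } |
#     ForEach-Object { Get-AuditFields $_ }
# Find-FolderDeletion -Events $live -Folder 'D:\Data\Reports'
```

Rows with Confirmed set to False are accesses that used the DELETE right but have no matching 4660 in the events supplied.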
