I have not tried the script below. Will it give the output I need?
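# Report on group deletions recorded in the Office 365 unified audit log.
# Search-UnifiedAuditLog must be available in the current session.
CLS; Write-Host "Searching Office 365 Audit Records to find auto-expired group deletions"
# Look-back window: the last 90 days up to now
$StartDate = (Get-Date).AddDays(-90); $EndDate = (Get-Date)
# Counters for the three deletion categories reported at the end
$PolicySoftDeletes = 0; $HardDeletes = 0; $UserSoftDeletes = 0
# Upper bound on records fetched in this single call
$MaxRecords = 1000
$Records = (Search-UnifiedAuditLog -Operations "Delete Group" -StartDate $StartDate -EndDate $EndDate -ResultSize $MaxRecords)
# A full page means the search was probably cut off; say so instead of
# presenting a partial audit report as complete.
If ($Records.Count -ge $MaxRecords) {
    Write-Warning "Search returned the maximum of $MaxRecords records; some group deletions may be missing. Narrow the date range or page the search with -SessionId and -SessionCommand."
}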
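If ($Records.Count -eq 0) {
    Write-Host "No audit records for group deletions found."
}
Else {
    Write-Host "Processing" $Records.Count "team deletion audit records..."
    # In-memory list that collects one report row per audit record
    $Report = [System.Collections.Generic.List[Object]]::new()
    # Scan each audit record to extract information
    ForEach ($Rec in $Records) {
        # AuditData is a JSON string carrying the event details
        $AuditData = ConvertFrom-Json $Rec.Auditdata
        # Keep only the part of the actor id before the first underscore
        $User = $AuditData.UserId.Split("_")[0]
        # Reset per record so a record without a targetName property cannot
        # inherit the group name of the previous record
        $GroupName = $null
        Foreach ($Prop in $AuditData.ExtendedProperties) {
            If ($Prop.Name -eq "targetName") { $GroupName = $Prop.Value }
        }
        # Classify the deletion by the actor prefix
        Switch ($User) {
            "Certificate" {
                # Hard delete of a group
                $HardDeletes++
                $Reason = "Group permanently removed"
                $User = $User + " (System Process)"
            }
            "ServicePrincipal" {
                # Soft delete - expiration policy
                # NOTE(review): every ServicePrincipal actor is attributed to the
                # expiration policy here; a deletion made by another application
                # acting through a service principal would presumably get the same
                # label - confirm against the full actor details before relying on it
                $PolicySoftDeletes++
                $Reason = "Group removed by expiration policy"
                $User = $User + " (System Process)"
            }
            default {
                # Regular delete by a user
                $UserSoftDeletes++
                $Reason = "User deleted group"
            }
        }
        $ReportLine = [PSCustomObject] @{
            TimeStamp = Get-Date($AuditData.CreationTime) -format g
            User      = $User
            Group     = $GroupName
            Reason    = $Reason
            Action    = $AuditData.Operation
            Status    = $AuditData.ResultStatus
        }
        $Report.Add($ReportLine)
    }
}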
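# Print the summary only when records were processed. Clearing the screen
# unconditionally would wipe the "No audit records" message, and the table
# could list a stale $Report left over from an earlier run in the same session.
If ($Records.Count -gt 0) {
    Cls
    Write-Host "All done - Group deletion records for the last 90 days"
    Write-Host "User deletions:" $UserSoftDeletes
    Write-Host "Policy deletions:" $PolicySoftDeletes
    Write-Host "Group hard deletes:" $HardDeletes
    Write-Host "----------------------"
    # -Unique keeps one row per Group/Reason pair, so the table can show fewer
    # rows than the counters above
    $Report | Sort-Object Group, Reason -Unique | Format-Table Timestamp, Group, Reason, User -AutoSize
}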