Unified group and team site logs

Glenn Maxwell 10,146 Reputation points


One of my team site got deleted and it has been restored back. I want to check the logs who has deleted the team site or unified group. from the compliance search i am getting error. when i use the below syntax i dont see any log related to team site and unified group.

Search-UnifiedAuditLog -EndDate (Get-Date) -StartDate (Get-Date).AddDays(-20) -Operations "Delete group" | export-csv c:\logs.csv

A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
9,791 questions
Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,228 questions
0 comments No comments
{count} votes

Accepted answer
  1. CaseyYang-MSFT 10,321 Reputation points

    Hi @Glenn Maxwell ,

    Per my test, you could check who deleted SharePoint Online site by Audit Log Search.

    Microsoft 365 admin center > Compliance > Audit > select delete site in Activities

    My test result:


    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

2 additional answers

Sort by: Most helpful
  1. Glenn Maxwell 10,146 Reputation points

    i have not tried the below script will it give the output what i needed

    CLS; Write-Host "Searching Office 365 Audit Records to find auto-expired group deletions"
    $StartDate = (Get-Date).AddDays(-90); $EndDate = (Get-Date) 
    $PolicySoftDeletes = 0; $HardDeletes = 0; $UserSoftDeletes = 0
    $Records = (Search-UnifiedAuditLog -Operations "Delete Group" -StartDate $StartDate -EndDate $EndDate -ResultSize 1000)
    If ($Records.Count -eq 0) {
        Write-Host "No audit records for group deletions found." }
    Else {
        Write-Host "Processing" $Records.Count "team deletion audit records..."
        $Report = [System.Collections.Generic.List[Object]]::new() # Create output file 
        # Scan each audit record to extract information
        ForEach ($Rec in $Records) {
          $AuditData = ConvertFrom-Json $Rec.Auditdata
          $User = $AuditData.UserId.Split("_")[0]    
          Foreach ($Prop in $AuditData.ExtendedProperties) { If ($Prop.Name -eq "targetName") { $GroupName = $Prop.Value }}
              Switch ($User)
                "Certificate"  { # Hard delete of a group 
                     $Reason = "Group permanently removed" 
                     $User = $User + " (System Process)" }
                "ServicePrincipal" { #Soft delete - expiration policy 
                     $Reason = "Group removed by expiration policy"
                     $User = $User + " (System Process)" }
                default { #Regular delete by a user 
                     $Reason = "User deleted group" }
              $ReportLine = [PSCustomObject] @{
               TimeStamp = Get-Date($AuditData.CreationTime) -format g
               User      = $User
               Group     = $GroupName 
               Reason    = $Reason
               Action    = $AuditData.Operation
               Status    = $AuditData.ResultStatus }        
          $Report.Add($ReportLine) }
    Write-Host "All done - Group deletion records for the last 90 days"
    Write-Host "User deletions:"     $UserSoftDeletes
    Write-Host "Policy deletions:"   $PolicySoftDeletes
    Write-Host "Group hard deletes:" $HardDeletes
    Write-Host "----------------------"
    $Report | Sort Group, Reason -Unique | Format-Table Timestamp, Group, Reason, User -AutoSize
    0 comments No comments

  2. Glenn Maxwell 10,146 Reputation points

    i am getting the below error i have tried in other browsers as well


    0 comments No comments