Unified group and team site logs

Glenn Maxwell 10,146 Reputation points
2021-08-20T01:04:34.333+00:00

Hi

One of my team sites got deleted and it has been restored. I want to check the logs to see who deleted the team site or unified group. From the compliance search I am getting an error. When I use the syntax below, I don't see any logs related to the team site and unified group.

Search-UnifiedAuditLog -EndDate (Get-Date) -StartDate (Get-Date).AddDays(-20) -Operations "Delete group" | export-csv c:\logs.csv


Accepted answer
  1. CaseyYang-MSFT 10,321 Reputation points
    2021-08-20T08:25:25.31+00:00

    Hi @Glenn Maxwell ,

    Per my test, you can check who deleted a SharePoint Online site by using Audit Log Search.

    Microsoft 365 admin center > Compliance > Audit > select delete site in Activities

    My test result:

    124966-1.png



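The portal search in the accepted answer can also be run from PowerShell. The block below is an added example, not part of the thread: it reduces site-deletion audit records to who, when and which site. It assumes the `SiteDeleted` operation name from Microsoft's list of audited SharePoint activities and the `UserId`, `ObjectId` and `ClientIP` fields of `AuditData`; the function name, sample record, account and URL are constructed.

```powershell
# Added example: summarise "Deleted site" audit records as who / when / what.
# Get-SiteDeletionSummary is a hypothetical helper name, not a Microsoft cmdlet.
function Get-SiteDeletionSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $Record
    )
    process {
        foreach ($Rec in $Record) {
            # AuditData is a JSON string carrying the event detail
            $Data = $Rec.AuditData | ConvertFrom-Json
            if ($Data.Operation -ne 'SiteDeleted') { continue }  # skip unrelated events
            [PSCustomObject]@{
                TimeUtc   = [datetime]$Data.CreationTime   # audit timestamps are UTC
                Operation = $Data.Operation
                DeletedBy = $Data.UserId
                SiteUrl   = $Data.ObjectId                 # for site events, the site URL
                ClientIP  = $Data.ClientIP
            }
        }
    }
}

# Constructed sample records (shape of Search-UnifiedAuditLog output), so this runs offline
$Samples = @(
    [PSCustomObject]@{ AuditData = '{"CreationTime":"2021-08-18T09:15:42","Operation":"SiteDeleted","Workload":"SharePoint","UserId":"admin@contoso.example","ObjectId":"https://contoso.sharepoint.com/sites/ProjectX","ClientIP":"203.0.113.10"}' }
    [PSCustomObject]@{ AuditData = '{"CreationTime":"2021-08-18T09:20:03","Operation":"FileAccessed","Workload":"SharePoint","UserId":"user@contoso.example","ObjectId":"https://contoso.sharepoint.com/sites/Other/doc.docx","ClientIP":"203.0.113.11"}' }
)
$Samples | Get-SiteDeletionSummary | Format-Table -AutoSize

# Against a live tenant (after Connect-ExchangeOnline, with audit log permissions):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-20) -EndDate (Get-Date) `
#     -Operations SiteDeleted -ResultSize 1000 |
#     Get-SiteDeletionSummary |
#     Export-Csv C:\logs.csv -NoTypeInformation
```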

2 additional answers

  1. Glenn Maxwell 10,146 Reputation points
    2021-08-20T05:59:54.287+00:00

    I have not tried the script below. Will it give the output I need?

    Clear-Host; Write-Host "Searching Office 365 Audit Records to find auto-expired group deletions"
    $StartDate = (Get-Date).AddDays(-90); $EndDate = (Get-Date)
    $PolicySoftDeletes = 0; $HardDeletes = 0; $UserSoftDeletes = 0
    # In-memory list for the report lines; created up front so the final report also works with no records
    $Report = [System.Collections.Generic.List[Object]]::new()
    # @() keeps .Count reliable when zero or one record comes back
    $Records = @(Search-UnifiedAuditLog -Operations "Delete Group" -StartDate $StartDate -EndDate $EndDate -ResultSize 1000)
    If ($Records.Count -eq 0) {
        Write-Host "No audit records for group deletions found."
    }
    Else {
        Write-Host "Processing" $Records.Count "team deletion audit records..."
        # Scan each audit record to extract information
        ForEach ($Rec in $Records) {
            $AuditData = ConvertFrom-Json $Rec.AuditData
            $User = $AuditData.UserId.Split("_")[0]
            # Reset so a record without targetName does not inherit the previous group's name
            $GroupName = $null
            ForEach ($Prop in $AuditData.ExtendedProperties) {
                If ($Prop.Name -eq "targetName") { $GroupName = $Prop.Value }
            }
            Switch ($User) {
                "Certificate" {        # Hard delete of a group
                    $HardDeletes++
                    $Reason = "Group permanently removed"
                    $User = $User + " (System Process)"
                }
                "ServicePrincipal" {   # Soft delete - expiration policy
                    $PolicySoftDeletes++
                    $Reason = "Group removed by expiration policy"
                    $User = $User + " (System Process)"
                }
                default {              # Regular delete by a user
                    $UserSoftDeletes++
                    $Reason = "User deleted group"
                }
            }
            $ReportLine = [PSCustomObject]@{
                TimeStamp = Get-Date $AuditData.CreationTime -Format g
                User      = $User
                Group     = $GroupName
                Reason    = $Reason
                Action    = $AuditData.Operation
                Status    = $AuditData.ResultStatus
            }
            $Report.Add($ReportLine)
        }
    }
    Clear-Host
    Write-Host "All done - Group deletion records for the last 90 days"
    Write-Host "User deletions:"     $UserSoftDeletes
    Write-Host "Policy deletions:"   $PolicySoftDeletes
    Write-Host "Group hard deletes:" $HardDeletes
    Write-Host "----------------------"
    $Report | Sort-Object Group, Reason -Unique | Format-Table TimeStamp, Group, Reason, User -AutoSize
    

  2. Glenn Maxwell 10,146 Reputation points
    2021-08-25T04:51:11.39+00:00

    I am getting the error below. I have tried other browsers as well.

    126160-invalid.jpg
