Hi @Glenn Maxwell ,
To the Audit search result issue shown in the screenshot, I couldn‘t reproduce this on my end. I would suggest you open a service request in Microsoft 365 admin center to confirm it with Microsoft.
To exprot audit report contains activities like "Deleted group" and "Deleted site" to a .csv file, you can use Search-UnifiedAuditLog. The values set after the parameter -Opreations
should be "SiteDeleted"
corresponding to the activity "Deleted site and "GroupRemoved"
corresponding to the activity "Deleted group"(in the Site permissions activities category).
For example,
Search-UnifiedAuditLog -EndDate (Get-Date) -StartDate (Get-Date).AddDays(-90) -Operations "SiteDeleted","GroupRemoved" | export-csv c:\AuditReport.csv
For a list of the available values for the parameter -Operations
, see Audited activities.
As per my test, I can find who has deleted the team site or unified group from the UserIds column.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.