Audit logs for unified groups

Glenn Maxwell 10,306 Reputation points


One of my team site got deleted and it has been restored back. I want to check the logs who has deleted the team site or unified group. from the compliance search i am getting below error. 126307-invalid.jpg

When i use the below syntax i am getting output. but i am not getting the information as who has deleted the group. how can i export to csv file.
All done - Group deletion records for the last 90 days
User deletions: 123
Policy deletions: 10
Group hard deletes: 14

CLS; Write-Host "Searching Office 365 Audit Records to find auto-expired group deletions"  
 $StartDate = (Get-Date).AddDays(-90); $EndDate = (Get-Date)   
 $PolicySoftDeletes = 0; $HardDeletes = 0; $UserSoftDeletes = 0  
 $Records = (Search-UnifiedAuditLog -Operations "Delete Group" -StartDate $StartDate -EndDate $EndDate -ResultSize 1000)  
 If ($Records.Count -eq 0) {  
     Write-Host "No audit records for group deletions found." }  
 Else {  
     Write-Host "Processing" $Records.Count "team deletion audit records..."  
     $Report = [System.Collections.Generic.List[Object]]::new() # Create output file   
     # Scan each audit record to extract information  
     ForEach ($Rec in $Records) {  
       $AuditData = ConvertFrom-Json $Rec.Auditdata  
       $User = $AuditData.UserId.Split("_")[0]      
       Foreach ($Prop in $AuditData.ExtendedProperties) { If ($Prop.Name -eq "targetName") { $GroupName = $Prop.Value }}  
           Switch ($User)  
             "Certificate"  { # Hard delete of a group   
                  $Reason = "Group permanently removed"   
                  $User = $User + " (System Process)" }  
             "ServicePrincipal" { #Soft delete - expiration policy   
                  $Reason = "Group removed by expiration policy"  
                  $User = $User + " (System Process)" }  
             default { #Regular delete by a user   
                  $Reason = "User deleted group" }  
           $ReportLine = [PSCustomObject] @{  
            TimeStamp = Get-Date($AuditData.CreationTime) -format g  
            User      = $User  
            Group     = $GroupName   
            Reason    = $Reason  
            Action    = $AuditData.Operation  
            Status    = $AuditData.ResultStatus }          
       $Report.Add($ReportLine) }  
 Write-Host "All done - Group deletion records for the last 90 days"  
 Write-Host "User deletions:"     $UserSoftDeletes  
 Write-Host "Policy deletions:"   $PolicySoftDeletes  
 Write-Host "Group hard deletes:" $HardDeletes  
 Write-Host "----------------------"  
 $Report | Sort Group, Reason -Unique | Format-Table Timestamp, Group, Reason, User -AutoSize  
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
9,865 questions
Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,250 questions
0 comments No comments
{count} votes

Accepted answer
  1. Allen Xu_MSFT 13,781 Reputation points

    Hi @Glenn Maxwell ,

    To the Audit search result issue shown in the screenshot, I couldn‘t reproduce this on my end. I would suggest you open a service request in Microsoft 365 admin center to confirm it with Microsoft.

    To exprot audit report contains activities like "Deleted group" and "Deleted site" to a .csv file, you can use Search-UnifiedAuditLog. The values set after the parameter -Opreations should be "SiteDeleted" corresponding to the activity "Deleted site and "GroupRemoved" corresponding to the activity "Deleted group"(in the Site permissions activities category).

    For example,

    Search-UnifiedAuditLog -EndDate (Get-Date) -StartDate (Get-Date).AddDays(-90) -Operations "SiteDeleted","GroupRemoved" | export-csv c:\AuditReport.csv  

    For a list of the available values for the parameter -Operations, see Audited activities.

    As per my test, I can find who has deleted the team site or unified group from the UserIds column.

    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

0 additional answers

Sort by: Most helpful