Audit Logs

Roger Roger 4,951 Reputation points
2022-08-15T19:43:11.533+00:00

Hi All

One of my unified groups, ug@Company portal .com, is deleted. I want to know from the audit logs who has deleted the group.

I have tried the below syntax but I could not get the information.

Search-UnifiedAuditLog -EndDate (Get-Date) -StartDate (Get-Date).AddDays(-90) -Operations "Delete Group" | Export-Csv c:\temp\logs.csv -NoTypeInformation

or

Search-UnifiedAuditLog -EndDate (Get-Date) -StartDate (Get-Date).AddDays(-90) -Operations "GroupRemoved" | Export-Csv c:\temp\logs.csv -NoTypeInformation

How can I export the logs of the last 30 days only?


Accepted answer
  1. Vasil Michev 94,911 Reputation points MVP
    2022-08-15T20:11:04.533+00:00

    The operation to search for should be "Delete group.", note the dot is mandatory as detailed in the official documentation: https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#azure-ad-group-administration-activities
    As for limiting the range to 30 days, simply adjust your start date value:

    Search-UnifiedAuditLog -EndDate (Get-Date) -StartDate (Get-Date).AddDays(-30) -Operations "Delete Group." | Export-Csv c:\temp\logs.csv -NoTypeInformation
    

    Alternatively, you can narrow the search down by the Group's objectID (-ObjectIds parameter). Or if you don't have the objectId, a free-text search based on the group's name:

    Search-UnifiedAuditLog -EndDate (Get-Date) -StartDate (Get-Date).AddDays(-30) -FreeText groupname  
    
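An added example, not part of the original thread or the answer's own code: the records returned by the commands above carry the detail in a single AuditData JSON column, so this hypothetical helper, Get-GroupDeletionActor, parses it and returns who performed each "Delete group." operation. The sample record and its values are constructed, and the AuditData field names (UserId, Operation, ResultStatus, Target) are assumed to follow the Azure AD audit record schema.

```powershell
# Added example; Get-GroupDeletionActor is a hypothetical helper name.
function Get-GroupDeletionActor {
    [CmdletBinding()]
    param(
        # Records shaped like Search-UnifiedAuditLog output (AuditData is a JSON string).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record
    )
    process {
        try {
            $data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop
        } catch {
            Write-Warning "Skipping record with unparsable AuditData: $($Record.Identity)"
            return
        }
        # Keep only the operation named in the accepted answer (trailing dot included).
        if ($data.Operation -ne 'Delete group.') { return }
        [pscustomobject]@{
            CreationTime = $data.CreationTime
            DeletedBy    = $data.UserId
            Result       = $data.ResultStatus
            # Target is assumed to be an array of {ID, Type} entries describing the group.
            TargetIds    = ($data.Target | ForEach-Object { $_.ID }) -join '; '
        }
    }
}

# Constructed sample record so the function can be tried without a tenant.
$sample = [pscustomobject]@{
    Identity  = '00000000-0000-0000-0000-000000000001'
    AuditData = @'
{"CreationTime":"2022-08-10T09:15:00","Operation":"Delete group.","ResultStatus":"Success",
 "UserId":"admin@example.com","Workload":"AzureActiveDirectory",
 "Target":[{"ID":"Group_00000000-0000-0000-0000-0000000000aa","Type":2},{"ID":"ug","Type":1}]}
'@
}
$sample | Get-GroupDeletionActor

# Live use (needs an Exchange Online PowerShell session). Without -ResultSize the
# cmdlet returns at most 100 records; 5000 is the maximum per call.
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#     -Operations 'Delete group.' -ResultSize 5000 |
#     Get-GroupDeletionActor |
#     Export-Csv C:\temp\deleted-groups.csv -NoTypeInformation
```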