question

GlennMaxwell-2309 avatar image
0 Votes"
GlennMaxwell-2309 asked GlennMaxwell-2309 answered

Unified group and team site logs

Hi

One of my team site got deleted and it has been restored back. I want to check the logs who has deleted the team site or unified group. from the compliance search i am getting error. when i use the below syntax i dont see any log related to team site and unified group.

Search-UnifiedAuditLog -EndDate (Get-Date) -StartDate (Get-Date).AddDays(-20) -Operations "Delete group" | export-csv c:\logs.csv

office-sharepoint-onlineoffice-exchange-online-itpro
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

CaseyYangMSFT-4714 avatar image
0 Votes"
CaseyYangMSFT-4714 answered CaseyYangMSFT-4714 commented

Hi @GlennMaxwell-2309,

Per my test, you could check who deleted SharePoint Online site by Audit Log Search.

Microsoft 365 admin center > Compliance > Audit > select delete site in Activities

My test result:

124966-1.png


If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



1.png (22.4 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @GlennMaxwell-2309,

I'm checking how the things are going on about this issue. Is there any progress on this issue?

0 Votes 0 ·
GlennMaxwell-2309 avatar image
0 Votes"
GlennMaxwell-2309 answered

i have not tried the below script will it give the output what i needed

 CLS; Write-Host "Searching Office 365 Audit Records to find auto-expired group deletions"
 $StartDate = (Get-Date).AddDays(-90); $EndDate = (Get-Date) 
 $PolicySoftDeletes = 0; $HardDeletes = 0; $UserSoftDeletes = 0
 $Records = (Search-UnifiedAuditLog -Operations "Delete Group" -StartDate $StartDate -EndDate $EndDate -ResultSize 1000)
 If ($Records.Count -eq 0) {
     Write-Host "No audit records for group deletions found." }
 Else {
     Write-Host "Processing" $Records.Count "team deletion audit records..."
     $Report = [System.Collections.Generic.List[Object]]::new() # Create output file 
     # Scan each audit record to extract information
     ForEach ($Rec in $Records) {
       $AuditData = ConvertFrom-Json $Rec.Auditdata
       $User = $AuditData.UserId.Split("_")[0]    
       Foreach ($Prop in $AuditData.ExtendedProperties) { If ($Prop.Name -eq "targetName") { $GroupName = $Prop.Value }}
           Switch ($User)
           {
             "Certificate"  { # Hard delete of a group 
                  $HardDeletes++ 
                  $Reason = "Group permanently removed" 
                  $User = $User + " (System Process)" }
             "ServicePrincipal" { #Soft delete - expiration policy 
                  $PolicySoftDeletes++
                  $Reason = "Group removed by expiration policy"
                  $User = $User + " (System Process)" }
             default { #Regular delete by a user 
                  $UserSoftDeletes++ 
                  $Reason = "User deleted group" }
           }       
           $ReportLine = [PSCustomObject] @{
            TimeStamp = Get-Date($AuditData.CreationTime) -format g
            User      = $User
            Group     = $GroupName 
            Reason    = $Reason
            Action    = $AuditData.Operation
            Status    = $AuditData.ResultStatus }        
       $Report.Add($ReportLine) }
 }
 Cls
 Write-Host "All done - Group deletion records for the last 90 days"
 Write-Host "User deletions:"     $UserSoftDeletes
 Write-Host "Policy deletions:"   $PolicySoftDeletes
 Write-Host "Group hard deletes:" $HardDeletes
 Write-Host "----------------------"
 $Report | Sort Group, Reason -Unique | Format-Table Timestamp, Group, Reason, User -AutoSize
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

GlennMaxwell-2309 avatar image
0 Votes"
GlennMaxwell-2309 answered

i am getting the below error i have tried in other browsers as well

126160-invalid.jpg



invalid.jpg (28.8 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.