Tracking Recently Deleted Microsoft 365 Users

Managing a Microsoft 365 environment can be challenging, especially when dealing with user accounts. Ensuring proper visibility into recently deleted users can save time and protect your organization from potential risks. That’s where our Recently Deleted Users tool steps in to simplify the process.

What Defines a Recently Deleted User in Microsoft 365?

In Microsoft 365, a “recently deleted user” refers to a user account that has been removed from the tenant within a specific retention period. By default, deleted user accounts are retained in the Azure Active Directory Recycle Bin for up to 30 days.

Criteria and Time Frames for Recently Deleted Users

When a user is deleted from Microsoft 365, their account enters a "soft delete" state. During this period, the account can be:

• Restored to its original state if needed.
• Permanently removed after the retention period expires.

Key criteria for identifying recently deleted users include:

• Account Name: Display name, first name, or last name.
• UserPrincipalName (UPN): The unique sign-in ID for the user.
• Email Address: Associated email address.
• Deletion Date: The exact date and time the user was removed.

Benefits of Tracking Recently Deleted Users

Why should you monitor recently deleted users? Here are some compelling reasons:

• Prevent Unauthorized Restorations: : Ensure deleted accounts are not reinstated without proper authorization.
• Compliance and Auditing: Maintain records for audit trails to meet compliance requirements.
• Proactive Risk Management: Identify suspicious account deletions and act promptly.
• Improved Operational Efficiency: Quickly locate recently deleted accounts during audits or administrative checks.

How to Track Recently Created Users

Microsoft 365 administrators can track recently created users using various methods:

Using Microsoft Entra admin center: You need to do the following:

1. Select "Identity" from Admin Centers. Microsoft Entra admin center opens up.

2. Search for "audit logs".

3. Click "Category" and select "UserManagement".

Using PowerShell Scripts: With the Microsoft Graph PowerShell module, you can query recently deleted users programmatically.

# Ensure the Microsoft.Graph module is installed and imported
Install-Module -Name Microsoft.Graph -Force -AllowClobber
Import-Module Microsoft.Graph
                                                
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "User.Read.All"
                                                
# Define the date range for fetching deleted users (customize as needed)
$startDateTime = (Get-Date).AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")  # Past 30 days

# Fetch all DirectoryAudit logs in the past 30 days (without filter for 'Delete User')
$allAuditLogs = Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $startDateTime"

# Create an array to store the formatted results
$deletedUserDetails = @()

# Loop through the audit logs to find 'Delete User' events
foreach ($event in $allAuditLogs) {
    if ($event.ActivityDisplayName -eq 'Delete User') {
        $deletedTime = $event.ActivityDateTime
        $deletedUser = ($event.TargetResources | Where-Object { $_.UserPrincipalName }).UserPrincipalName
        $deletedBy = $event.InitiatedBy.User.UserPrincipalName
        $resultStatus = if ($event.Result -eq 'success') { 'Success' } else { 'Failed' }

        # Create an object for each record
        $userDetail = [pscustomobject]@{
            "Deleted Time"  = $deletedTime
            "Deleted User"  = $deletedUser
            "Deleted By"    = $deletedBy
            "Result Status" = $resultStatus
        }

        # Add the object to the results array
        $deletedUserDetails += $userDetail
    }
}

# Output the results in a tabular format
if ($deletedUserDetails.Count -eq 0) {
    Write-Host "No deleted user events found in the given date range."
} else {
    $deletedUserDetails | Format-Table -AutoSize
}

Although powerful, using PowerShell requires expertise, and the output lacks advanced reporting or filter-based functionalities.

Introducing Recently Deleted Users Tool

To overcome these limitations, we’re thrilled to introduce the Recently Deleted Users Tool — a robust solution designed to simplify the tracking and management of recently deleted users.

Key Features:

• Search Functionality: Locate deleted users using first name, last name, UPN, mail, or display name.
• Date-Based Filtering: Narrow down results by specifying a custom date interval.
• Comprehensive Reporting: Generate detailed reports of recently deleted users.
• Export Options: Download reports as CSV files for offline analysis.
• Email Notifications: Automatically mail reports to administrators.

Why Choose This Tool?

Unlike traditional PowerShell scripts or admin center reports, this tool simplifies the process, enabling administrators of all skill levels to gain actionable insights in minutes.

• User-Friendly Interface: Intuitive design for admins of all skill levels.
• Enhanced Productivity: Save time by avoiding manual log filtering or PowerShell scripting.
• Comprehensive Insights: Access rich metadata for informed decision-making.
• Free and Accessible: Start using it instantly without any setup costs.

Start Using the Recently Deleted Users Tool Today!

Tracking deleted users has never been easier! With our Recently Deleted Users Tool, you gain complete control over user account deletions in your Microsoft 365 environment. Say goodbye to tedious log filtering and scripting—our tool provides everything you need, right at your fingertips.