Retrieve Hard-Deleted Microsoft 365 Groups Using Graph PowerShell
Tracking who deleted Microsoft 365 groups is essential for auditing and security. With Microsoft Graph PowerShell, you can easily fetch this information by querying audit logs β specifically the GroupManagement category with the event name "Hard Delete group".
This article walks you through a PowerShell script to retrieve details such as:
- π Deleted Time
- π§Ύ Deleted Group Name
- π€ Deleted By
- π Result (Success/Failure)
Script: List Hard-Deleted Groups from Audit Logs
# Connect to Microsoft Graph with required scopes
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
# Set date range for search (last 7 days; modify as needed)
$startDate = (Get-Date).AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$endDate = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ssZ")
# Initialize result list
$deletedGroups = @()
# Fetch logs from GroupManagement category with "Hard Delete group" event
$logs = Get-MgAuditLogDirectoryAudit -All `
-Filter "category eq 'GroupManagement' and activityDisplayName eq 'Hard Delete group' and activityDateTime ge $startDate and activityDateTime le $endDate"
# Parse results
foreach ($log in $logs) {
# Fallback checks
$groupName = ""
if ($log.TargetResources.Count -gt 0 -and $log.TargetResources[0].DisplayName) {
$groupName = $log.TargetResources[0].DisplayName
}
$deletedBy = ""
if ($log.InitiatedBy -and $log.InitiatedBy.User -and $log.InitiatedBy.User.DisplayName) {
$deletedBy = $log.InitiatedBy.User.DisplayName
}
$result = if ($log.Result -eq "success") { "Success" } else { "Failure" }
# Append object
$deletedGroups += [PSCustomObject]@{
"Deleted Time" = $log.ActivityDateTime
"Deleted Group Name" = $groupName
"Deleted by" = $deletedBy
"Result" = $result
}
}
# Show as table
$deletedGroups | Format-Table -AutoSize
How the Script Works
This script:
- Authenticates with Microsoft Graph using Connect-MgGraph, requesting necessary permissions.
- Defines a date range to pull logs from (last 7 days by default).
- Queries audit logs using Get-MgAuditLogDirectoryAudit, filtering for:
- category eq 'GroupManagement'
- activityDisplayName eq 'Hard Delete group'
- Parses each log entry to extract:
- Timestamp of deletion (ActivityDateTime)
- Name of the deleted group
- User who performed the deletion
- Status of the operation (success or failure)
- Displays the results in a clean table format.
Further Enhancements
You can build on this script with:
- Date Range Prompt
- Export to CSV
Add prompts to let users specify custom start/end dates.
Append this to save the report:
$deletedGroups | Export-Csv "HardDeletedGroups_Audit.csv" -NoTypeInformationCombine with Send-MailMessage to automate report delivery.Integrate into a scheduled task for weekly/monthly audit reporting.
Possible Errors & Solutions
| Error | Cause | Solution |
| A parameter cannot be found that matches parameter name 'ConsistencyLevel' | The cmdlet Get-MgAuditLogDirectoryAudit doesnβt support -ConsistencyLevel | Remove -ConsistencyLevel from the command |
| Unexpected token '?.' | PowerShell version is 5.1 or older | Replace null-safe operators with standard if statements |
| Access Denied or Insufficient privileges | Missing required permissions | Use AuditLog.Read.All and Directory.Read.All scopes when connecting |
Use Cases
- Audit Trail for Compliance
- Security Monitoring
- Helpdesk Reporting
- Admin Visibility
Keep track of who deleted M365 groups and when, especially in regulated industries.
Detect unauthorized or accidental group deletions.
Provide audit evidence during support cases involving group removal.
Improve visibility across tenant activities involving group lifecycle management.
Conclusion
Microsoft 365 administrators must keep an eye on group deletions β especially hard deletions which are permanent. This Graph PowerShell script offers a practical and reliable way to retrieve and audit such activity efficiently.
Whether you're building compliance reports or just adding transparency to your admin operations, this script can serve as a foundation for broader auditing strategies.