Keeping track of administrative actions within an organization's Microsoft 365 environment is crucial for maintaining security and accountability. One such vital action is the deletion of user accounts. This article introduces a PowerShell script designed to track which admin performed user deletion operations, providing a clear and concise audit trail. We'll explain the script, discuss its use cases, address possible errors, and offer solutions.
The following PowerShell script retrieves directory audit logs related to user deletion actions and formats the results in a readable table:
    # Retrieve all directory audit logs related to delete user actions
    $deleteUserActions = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Delete user'"

    # Display results in a tabular format
    $formattedResults = $deleteUserActions | ForEach-Object {
        [PSCustomObject]@{
            "Action Time"  = $_.ActivityDateTime
            "Admin"        = $_.InitiatedBy.User.UserPrincipalName
            "Deleted User" = $_.TargetResources[0].UserPrincipalName
        }
    }
    $formattedResults | Format-Table -AutoSize
The script starts by retrieving all directory audit logs that are associated with the "Delete user" action:
    $deleteUserActions = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Delete user'"

Here, Get-MgAuditLogDirectoryAudit is used with a filter to return only logs where the activityDisplayName is "Delete user". This ensures that we are focusing only on user deletion actions.
Next, the script formats the retrieved logs into a readable table:
    $formattedResults = $deleteUserActions | ForEach-Object {
        [PSCustomObject]@{
            "Action Time"  = $_.ActivityDateTime
            "Admin"        = $_.InitiatedBy.User.UserPrincipalName
            "Deleted User" = $_.TargetResources[0].UserPrincipalName
        }
    }
    $formattedResults | Format-Table -AutoSize
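ForEach-Object: Iterates through each audit log entry.
PSCustomObject: Creates a custom object for each entry with three properties:
    Action Time: the entry's ActivityDateTime.
    Admin: the UserPrincipalName of the user who initiated the action (InitiatedBy.User).
    Deleted User: the UserPrincipalName of the first target resource (TargetResources[0]).
Finally, the results are displayed in a table format using Format-Table -AutoSize for better readability.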
Symptom: You may encounter an error if your account lacks the necessary permissions to access audit logs.
Solution: Ensure your account has been granted the required permissions, such as AuditLog.Read.All and Directory.Read.All.
Symptom: The script returns no data or an empty table.
Solution:
Symptom: You receive errors related to API limits or throttling.
Solution: Implement error handling and retry logic to manage API call limits. Consider batching requests if dealing with a large dataset.
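The formatting step and the retry advice above, combined in an added example that is not part of the original script: ConvertTo-DeletionRecord and Invoke-WithRetry are hypothetical helper names, the Result column and the fallback to the initiating app's name go beyond the article's three columns, and the helper retries on any error rather than only on throttling responses. The sample entries are constructed so the block runs without a tenant.

```powershell
# Hypothetical helper names; not part of the article's script.
function ConvertTo-DeletionRecord {
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        if ($null -eq $Entry) { return }
        # App-initiated deletions carry no InitiatedBy.User; fall back to the app name.
        $actor = 'unknown'
        $user, $app = $Entry.InitiatedBy.User, $Entry.InitiatedBy.App
        if ($user.UserPrincipalName) { $actor = $user.UserPrincipalName }
        elseif ($app.DisplayName)    { $actor = "app: $($app.DisplayName)" }
        [PSCustomObject]@{
            'Action Time'  = $Entry.ActivityDateTime
            'Admin'        = $actor
            # @(...)[0] yields $null instead of throwing when TargetResources is empty.
            'Deleted User' = @($Entry.TargetResources)[0].UserPrincipalName
            'Result'       = $Entry.Result
        }
    }
}

# Hypothetical helper: rerun a call with exponential backoff (2, 4, 8 seconds).
function Invoke-WithRetry {
    param([scriptblock] $Action, [int] $MaxAttempts = 4)
    for ($attempt = 1; ; $attempt++) {
        try {
            $result = & $Action   # collect first so a failed attempt emits nothing
            return $result
        } catch {
            if ($attempt -ge $MaxAttempts) { throw }
            Start-Sleep -Seconds ([math]::Pow(2, $attempt))
        }
    }
}

# Constructed entries shaped like directoryAudit objects, so this runs without a tenant.
$sample = @(
    [PSCustomObject]@{
        ActivityDateTime = [datetime]'2024-05-01T09:15:00Z'; Result = 'success'
        InitiatedBy      = @{ User = @{ UserPrincipalName = 'admin@contoso.example' } }
        TargetResources  = @(@{ UserPrincipalName = 'jdoe@contoso.example' })
    },
    [PSCustomObject]@{
        ActivityDateTime = [datetime]'2024-05-02T22:40:00Z'; Result = 'success'
        InitiatedBy      = @{ App = @{ DisplayName = 'HR Sync' } }
        TargetResources  = @()
    }
)
Invoke-WithRetry { $sample } | ConvertTo-DeletionRecord | Format-Table -AutoSize
# Live tenant: use { Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Delete user'" -All -ErrorAction Stop }
```

The second sample row shows why the fallback matters: with the original property path alone, a deletion performed by an application would appear with an empty Admin column.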
Tracking administrative actions such as user deletions is essential for maintaining a secure and compliant Microsoft 365 environment. This PowerShell script provides a straightforward way to audit these actions, ensuring accountability and facilitating security audits. By understanding and using this script, administrators can enhance their organization's security posture and compliance efforts.
Feel free to integrate this script into your administrative toolkit and modify it as necessary to fit your specific needs. Regular audits and monitoring will help you stay on top of administrative activities and quickly respond to any irregularities.