Tracking Admin User Deletion Operations Using Graph PowerShell

Keeping track of administrative actions within an organization's Microsoft 365 environment is crucial for maintaining security and accountability. One such vital action is the deletion of user accounts. This article introduces a PowerShell script designed to track which admin performed user deletion operations, providing a clear and concise audit trail. We'll explain the script, discuss its use cases, address possible errors, and offer solutions.


The Script

The following PowerShell script retrieves directory audit logs related to user deletion actions and formats the results in a readable table:

# Connect with the permissions needed to read directory audit logs
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Retrieve all directory audit logs related to delete user actions
# (-All pages through every matching entry, not just the first page)
$deleteUserActions = Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Delete user'"

# Display results in a tabular format
$formattedResults = $deleteUserActions | ForEach-Object {
    [PSCustomObject]@{
        "Action Time"  = $_.ActivityDateTime
        "Admin"        = $_.InitiatedBy.User.UserPrincipalName
        "Deleted User" = $_.TargetResources[0].UserPrincipalName
    }
}

$formattedResults | Format-Table -AutoSize


Script Explanation

Retrieving Audit Logs

The script starts by retrieving all directory audit logs that are associated with the "Delete user" action:

$deleteUserActions = Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Delete user'"

Here, Get-MgAuditLogDirectoryAudit is used with a filter so that only log entries whose activityDisplayName is "Delete user" are returned, which keeps the results focused on user deletion actions. The -All switch pages through every matching entry instead of stopping at the first page of results.

Formatting Results

Next, the script formats the retrieved logs into a readable table:

$formattedResults = $deleteUserActions | ForEach-Object {
    [PSCustomObject]@{
        "Action Time"  = $_.ActivityDateTime
        "Admin"        = $_.InitiatedBy.User.UserPrincipalName
        "Deleted User" = $_.TargetResources[0].UserPrincipalName
    }
}

$formattedResults | Format-Table -AutoSize

  • ForEach-Object: Iterates through each audit log entry.
  • PSCustomObject: Creates a custom object for each entry with three properties:
    • Action Time: The date and time when the deletion occurred.
    • Admin: The User Principal Name (UPN) of the admin who performed the deletion.
    • Deleted User: The UPN of the user who was deleted.

Finally, the results are displayed in a table format using Format-Table -AutoSize for better readability.
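
The table above assumes every deletion was initiated by a signed-in user and that the deleted account is the first target resource. The following added example (not part of the original script) also handles entries initiated by an application and emits one row per User target. The function name ConvertTo-UserDeletionRecord, the sample entries, and the seven-day window in the closing comment are assumptions made for illustration.

```powershell
# Added example; ConvertTo-UserDeletionRecord is a hypothetical helper, not an SDK cmdlet.
function ConvertTo-UserDeletionRecord {
    param([Parameter(Mandatory, ValueFromPipeline)][object]$Entry)
    process {
        # An entry is initiated by either a user or an app/service principal.
        $user = $Entry.InitiatedBy.User
        $app  = $Entry.InitiatedBy.App
        if ($user -and $user.UserPrincipalName) {
            $actor = $user.UserPrincipalName; $actorType = 'User'
        } elseif ($app -and $app.DisplayName) {
            $actor = $app.DisplayName; $actorType = 'Application'
        } else {
            $actor = '(unknown)'; $actorType = 'Unknown'
        }
        $sourceIp = if ($user) { $user.IPAddress } else { $null }
        # Emit a row for each target of type User rather than assuming index 0.
        foreach ($target in @($Entry.TargetResources | Where-Object { $_.Type -eq 'User' })) {
            [PSCustomObject]@{
                'Action Time'  = $Entry.ActivityDateTime
                'Actor'        = $actor
                'Actor Type'   = $actorType
                'Source IP'    = $sourceIp
                'Deleted User' = $target.UserPrincipalName
                'Result'       = $Entry.Result
            }
        }
    }
}

# Constructed sample entries (not real tenant data) so the function runs offline.
$sample = @(
    [PSCustomObject]@{
        ActivityDateTime = [datetime]'2024-05-02T09:14:00Z'; Result = 'success'
        InitiatedBy      = [PSCustomObject]@{ App = $null
            User = [PSCustomObject]@{ UserPrincipalName = 'admin@contoso.example'; IPAddress = '203.0.113.10' } }
        TargetResources  = @([PSCustomObject]@{ Type = 'User'; UserPrincipalName = 'jdoe@contoso.example' })
    },
    [PSCustomObject]@{
        ActivityDateTime = [datetime]'2024-05-03T02:41:00Z'; Result = 'success'
        InitiatedBy      = [PSCustomObject]@{ User = $null
            App = [PSCustomObject]@{ DisplayName = 'HR Provisioning Sync' } }
        TargetResources  = @([PSCustomObject]@{ Type = 'User'; UserPrincipalName = 'asmith@contoso.example' })
    }
)
$sample | ConvertTo-UserDeletionRecord | Format-Table -AutoSize

# Against a tenant, bounded to the last 7 days (the window is an assumption):
# $since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
# Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Delete user' and activityDateTime ge $since" | ConvertTo-UserDeletionRecord
```

The second sample entry is the case the original table renders with an empty Admin column: an application deleted the account, so InitiatedBy.User is null and the actor must be read from InitiatedBy.App.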


Use Cases

  • Security Audits: Ensure that only authorized personnel are performing user deletions.
  • Accountability: Maintain a clear record of who performed critical actions in the system.
  • Compliance: Assist in meeting compliance requirements by providing detailed logs of administrative actions.
  • Incident Response: Quickly identify potential security breaches or misconfigurations by reviewing deletion activities.

Possible Errors & Solutions

Error: Insufficient Permissions

Symptom: You may encounter an error if your account lacks the necessary permissions to access audit logs.

Solution: Ensure your account has been granted the required Microsoft Graph permissions, such as AuditLog.Read.All and Directory.Read.All.

Error: No Data Returned

Symptom: The script returns no data or an empty table.

Solution:

  • Check Date Range: Ensure there are deletion actions within the period you're querying.
  • Verify Filter: Double-check the filter criteria to ensure it's correctly specified.

Error: API Limits Exceeded

Symptom: You receive errors related to API limits or throttling.

Solution: Implement error handling and retry logic to manage API call limits. Consider batching requests if dealing with a large dataset.


Conclusion

Tracking administrative actions such as user deletions is essential for maintaining a secure and compliant Microsoft 365 environment. This PowerShell script provides a straightforward way to audit these actions, ensuring accountability and facilitating security audits. By understanding and using this script, administrators can enhance their organization's security posture and compliance efforts.

Feel free to integrate this script into your administrative toolkit and modify it as necessary to fit your specific needs. Regular audits and monitoring will help you stay on top of administrative activities and quickly respond to any irregularities.

