Audit File Deletion in SharePoint Online: Find Out Who Deleted Files from Office 365

Often, I get asked how to audit deleted files in SharePoint Online and OneDrive. It’s pretty easy with Office 365 Audit log. If you are still not sure how to track the file deletions and who deleted a file, you’re in the right place.

Files can be deleted deliberately or accidentally. So, auditing file deletion is crucial to ensure data security. You can use either Office 365 audit log search or PowerShell to find out deleted files.

Audit log search: By filtering the ‘Deleted file’ operation, you can view the deleted files along with the deletion time and the user who deleted a file. But, the result combines both SharePoint Online and OneDrive You can’t filter and view the deleted operation performed on a specific workload.

PowerShell: Since PowerShell has more advantages like speedy data retrieval, simple UI, etc., most admins prefer it. The Search-UnifiedAuditLog cmdlet helps you to detect the deleted files in your Office 365 environment. However, you need to use multiple filters and cmdlets to get the desired result.

To simplify your work, we have written a PowerShell script to audit email deletion. With the in-built filtering params, you can generate a more granular audit report.

Script Download: AuditFileDeletion.ps1

• The script uses modern authentication to connect to Exchange Online.
• The script can be executed with MFA enabled account too.
• Exports report results to CSV file.
• Helps to generate audit reports for custom periods.
• Automatically installs the EXO V2 (if not installed already) upon your confirmation.
• The script is scheduler-friendly. I.e., Credential can be passed as a parameter instead of saving inside the script.

The exported report contains the following attributes: Deletion Time, Type of Deletion, Deleted File Name, Deleted By, Deleted File Extension, File URL, Site URL, Workload

You can choose any one of the below methods based on your need.

Method 1: Execute the script with MFA or non-MFA account.

Method 2: Execute the script by explicitly mentioning credential (Scheduler-friendly).

If the admin account has MFA, you need to disable MFA using the Conditional Access policy to make this method work.

As earlier said, our script supports advanced filtering params to get the desired result quickly. Supported parameters are listed below,

• FilesDeletedBy – Identifies files that were deleted by a specific user.
• StartDate and EndDate – Helps to generate audit reports for a custom period
• SharePointOnline – Audits file deletion in SharePoint Online
• OneDrive – To audit deleted files in OneDrive for Business
• UserName and Password – Schedules the PowerShell script without interactive login.

To find out files deleted by a particular person, you can run the script with –FilesDeletedBy param along with their UPN.

The exported report shows all the files deleted by John in the past 90 days.

To track who deleted the files from SharePoint, you can use the –SharePointOnline as shown below.

By referring to this report, admins can restore the deleted files if required.

To audit file deletion in OneDrive for business, you can run the script with –OneDrive switch param. For example,

The exported report helps to see who deleted files from OneDrive and when. You can recover deleted files from recycle bin based on your requirement.

By default, the script will retrieve the deleted files for the past 90 days. If you wish to audit file deletion in a specific date range, run the script with –StartDate and –EndDate parameters.

The above example shows the list of files deleted from Nov 25, 2021 to Dec 01, 2021.

Since Search-UnifiedAuditLog can retrieve file deletion activities performed for the last 90 days, you may require old data for analysis. By automating the script execution, you can keep the audit log for the desired period.

To schedule PowerShell script in the Task Scheduler, you can follow the below format.

You can also use any of the supported parameters to get the granular report. If the admin account has MFA, you cannot directly use it for scheduling. You need to disable MFA through the Conditional Access policy to make it work.

Sometimes, important files are deleted unknowingly. In such a case, periodically monitoring the file deletion will help you recover the file before it is permanently deleted from the recycle bin.

To get a monthly report, execute the script as follows.

The exported report contains last 30 days audit records of deleted files.

You can combine one or more params to get a more granular audit report. For example,

• To find deleted files in SharePoint Online in the last 30 days, execute the script as follows

• To get a list of OneDrive files deleted by a specific person in the past 90 days, run the script as shown below,

I hope this blog will help you in monitoring file deletions in your Microsoft 365 environment. If you have any queries or requirements, you can reach us through the comment section.

Both audit logs and PowerShell scripts provide raw data, which may require additional processing or analysis to generate actionable insights. AdminDroid’s SharePoint Online file deletion report provides more comprehensive and user-friendly information on file deletions such as file extensions, result status, etc. This comprehensive overview can help administrators better understand and manage file deletions, ensuring the security and integrity of their SharePoint Online environment.

AdminDroid offers the following unique features that enable it to provide comprehensive reports on file deletion.

• Visualizing using charts – AdminDroid’s graphical AI charts offer visual representations of activity patterns and trends, including geo-maps and heat maps, for informed decision-making.
• Automating scheduling of reports – Automate daily monitoring of reports and receive real-time updates via email.
• Delegate access to reports – Delegate access to reports, dashboards, and tenants among team members.
• Exporting in any format – Export reports in various formats like CSV, HTML, and PDF etc.,

The SharePoint Online auditing tool from AdminDroid offer extensive information on SPO operations, including monitoring group memberships, external sharing, site collection memberships, and access-related activities. AdminDroid’s SharePoint Online management tool delivers over 180+ reports on site collections, inactive SPO sites, lists, libraries, and SPO site usage in the organization, empowering administrators to manage SPO environments more efficiently.

Why AdminDroid?

• Explore all the features and functionalities of AdminDroid with the free 15-day premium edition.
• Get access to advanced reporting capabilities that provide comprehensive insights.
• Identify potential issues with AdminDroid alerts and take corrective action with ease.
• Make informed decisions based on accurate data and analysis.

Start your free 15-day trial of AdminDroid today and experience the difference!