Audit File Deletion in SharePoint Online: Find Out Who Deleted Files from Office 365 

Often, I get asked how to audit deleted files in SharePoint Online and OneDrive. It’s pretty easy with Office 365 Audit log. If you are still not sure how to track the file deletions and who deleted a file, you’re in the right place.  

 

How to Audit Deleted Files in Office 365? 

Files can be deleted deliberately or accidentally. So, auditing file deletion is crucial to ensure data security. You can use either Office 365 audit log search or PowerShell to find out deleted files. 

Audit log search: By filtering the ‘Deleted file’ operation, you can view the deleted files along with the deletion time and the user who deleted a file. But, the result combines both SharePoint Online and OneDrive You can’t filter and view the deleted operation performed on a specific workload. 

PowerShell: Since PowerShell has more advantages like speedy data retrieval, simple UI, etc., most admins prefer it. The Search-UnifiedAuditLog cmdlet helps you to detect the deleted files in your Office 365 environment. However, you need to use multiple filters and cmdlets to get the desired result.  

To simplify your work, we have written a PowerShell script to audit email deletion. With the in-built filtering params, you can generate a more granular audit report. 

 

Script Download: AuditFileDeletion.ps1 

 

Script Highlights: 

  • The script uses modern authentication to connect to Exchange Online.   
  • The script can be executed with MFA enabled account too.   
  • Exports report results to CSV file.   
  • Helps to generate audit reports for custom periods. 
  • Automatically installs the EXO V2 (if not installed already) upon your confirmation.  
  • The script is scheduler-friendly. I.e., Credential can be passed as a parameter instead of saving inside the script. 

 

File Deletion Audit Report – Sample Output: 

 The exported report contains the following attributes: Deletion Time, Type of Deletion, Deleted File Name, Deleted By, Deleted File Extension, File URL, Site URL, Workload

Audit file deletion in Office 365

 

Audit File Deletion PowerShell Script – Execution Methods: 

You can choose any one of the below methods based on your need. 

Method 1: Execute the script with MFA or non-MFA account. 

 

Method 2: Execute the script by explicitly mentioning credential (Scheduler-friendly). 

If the admin account has MFA, you need to disable MFA using the Conditional Access policy to make this method work. 

  

Unlock the Full Potential of The ‘Audit File Deletion Script’: 

As earlier said, our script supports advanced filtering params to get the desired result quickly. Supported parameters are listed below, 

  • FilesDeletedBy – Identifies files that were deleted by a specific user. 
  • StartDate and EndDate – Helps to generate audit reports for a custom period 
  • SharePointOnline – Audits file deletion in SharePoint Online 
  • OneDrive – To audit deleted files in OneDrive for Business 
  • UserName and Password – Schedules the PowerShell script without interactive login. 

 

Identify Files Deleted by a Specific User: 

To find out files deleted by a particular person, you can run the script with –FilesDeletedBy param along with their UPN. 

The exported report shows all the files deleted by John in the past 90 days.

 

Detect Who Deleted Files from SharePoint Online:

To track who deleted the files from SharePoint, you can use the –SharePointOnline as shown below. 

By referring to this report, admins can restore the deleted files if required. 

 

Find Out Who Deleted Microsoft OneDrive Files: 

To audit file deletion in OneDrive for business, you can run the script with –OneDrive switch param. For example, 

The exported report helps to see who deleted files from OneDrive and when. You can recover deleted files from recycle bin based on your requirement. 

 

Track Deleted Files for a Custom Period: 

By default, the script will retrieve the deleted files for the past 90 days. If you wish to audit file deletion in a specific date range, run the script with –StartDate and –EndDate parameters. 

The above example shows the list of files deleted from Nov 25, 2021 to Dec 01, 2021. 

 

Schedule ‘Audit File Deletion Report’: 

Since Search-UnifiedAuditLog can retrieve file deletion activities performed for the last 90 days, you may require old data for analysis. By automating the script execution, you can keep the audit log for the desired period. 

To schedule PowerShell script in the Task Scheduler, you can follow the below format. 

You can also use any of the supported parameters to get the granular report. If the admin account has MFA, you cannot directly use it for scheduling. You need to disable MFA through the Conditional Access policy to make it work. 

 

Get a Monthly Report on File Deletion: 

Sometimes, important files are deleted unknowingly. In such a case, periodically monitoring the file deletion will help you recover the file before it is permanently deleted from the recycle bin. 

To get a monthly report, execute the script as follows. 

The exported report contains last 30 days audit records of deleted files. 

 

Get More Granular Audit Report: 

You can combine one or more params to get a more granular audit report. For example, 

  • To find deleted files in SharePoint Online in the last 30 days, execute the script as follows 

 

  • To get a list of OneDrive files deleted by a specific person in the past 90 days, run the script as shown below, 

 

I hope this blog will help you in monitoring file deletions in your Microsoft 365 environment. If you have any queries or requirements, you can reach us through the comment section.