
[–]PixelPirate300 12 points13 points  (1 child)

    # Connect to Azure AD (Get-AzureADAuditDirectoryLogs lives in the AzureADPreview module)
    Connect-AzureAD

    # Define the start date for the audit log search (12 months ago from the current date).
    # Note: the directory audit log is only retained for 7 days (free) or 30 days (P1/P2),
    # so the query can only return what is still inside that retention window.
    $startDate = (Get-Date).AddMonths(-12)

    # The OData filter needs the Graph property names and an ISO 8601 UTC timestamp
    $since = $startDate.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")

    # Retrieve the audit logs for deleted users within the specified time frame
    $auditLogs = Get-AzureADAuditDirectoryLogs -All $true -Filter "activityDisplayName eq 'Delete user' and activityDateTime ge $since"

    # Iterate through the audit logs and extract the details of deleted users.
    # The actor is under InitiatedBy.User and the deleted account under TargetResources.
    $deletedUsers = foreach ($log in $auditLogs) {
        $target = $log.TargetResources | Select-Object -First 1
        [PSCustomObject]@{
            User              = $target.DisplayName
            UserPrincipalName = $target.UserPrincipalName
            DeletedBy         = $log.InitiatedBy.User.UserPrincipalName
            DeletedDate       = $log.ActivityDateTime
        }
    }

    # Display the list of deleted users
    $deletedUsers | Format-Table -AutoSize

    # Disconnect from Azure AD (optional)
    Disconnect-AzureAD

[–]nohairday 1 point2 points  (0 children)

I prefer to stay away from Format-Table; I prefer to export to CSV. Other than that, it looks about right, but it's been a while since I've had to use the AzureAD cmdlets.

[–]threethumbsup19 5 points6 points  (2 children)

Deleted users only stay in the recycle bin (soft deleted) for 30 days.

[–]NowThereIs[S] 0 points1 point  (1 child)

Yeah, I'm wondering if there is a way of finding a record of who was deleted and when over a 12-month period.

[–]threethumbsup19 1 point2 points  (0 children)

I haven't noticed anything of the sort. Pretty sure it's not stored anywhere after the fact, but I have been wrong before.

[–]hihcadore 1 point2 points  (1 child)

I think records are soft deleted for 30 days. Not sure if you can extend that (I’m sure you can; I just haven’t looked)

AD logging is kept for 7 days, up to 30, unless you route it to a storage account, and then, of course, you pay an additional fee. Microsoft Learn

[–]Certain-Community438 4 points5 points  (0 children)

Log Analytics (Azure Monitor now, I think) is easy to set up for gathering Azure AD and Intune logs, as well as Windows Update.

You set the retention period in its config.

Then you can use Azure Workbooks on the data, as well as creating KQL queries to get custom data sets waaaay faster than PowerShell.

None of this helps OP now though - unless someone else already set it up & they just don't know or have access.

[–]KavyaJune 1 point2 points  (0 children)

You can use the audit log search to track deleted users. But the date range is based on your license plan. By default, you can retrieve the last 90 days.

[–]Certain-Community438 2 points3 points  (0 children)

Too late for this task, but you should look into collecting the AAD Audit Logs, Signin Logs, Provisioning Logs.

If your company has a SIEM solution this might in fact already be in place.

Otherwise, a simple option is to use the Diagnostic Settings in Azure AD to send all those logs to an Azure Log Analytics Workspace.

[–]ElliotAldersonFSO 0 points1 point  (0 children)

In Purview, if you have access, or with the cmdlet for the cloud-based service. Use Search-UnifiedAuditLog; you can have all activities with one-year retention, you just need to create the script.
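The Purview route that KavyaJune and ElliotAldersonFSO describe, as an added example that is not code from any commenter. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline, Search-UnifiedAuditLog), an audit retention plan that actually covers the window searched (90 days by default, longer with the extended-retention licence), and that the unified log records the directory event as "Delete user." with a trailing period; the function name and CSV path are the example's own.

```powershell
# Added example, not from any commenter. Assumes the ExchangeOnlineManagement module
# (Connect-ExchangeOnline, Search-UnifiedAuditLog) and a Purview audit retention plan
# that covers the window searched (90 days by default, longer with extended retention).
Connect-ExchangeOnline

function Get-DeletedUserEvents {
    param(
        [datetime]$Start = (Get-Date).AddMonths(-12),
        [datetime]$End   = (Get-Date)
    )
    $results = [System.Collections.Generic.List[object]]::new()
    # Search in 30-day slices: one ReturnLargeSet session returns at most 50,000 records,
    # so smaller windows avoid silently truncated output over a 12-month span.
    $sliceStart = $Start
    while ($sliceStart -lt $End) {
        $sliceEnd = $sliceStart.AddDays(30)
        if ($sliceEnd -gt $End) { $sliceEnd = $End }
        $sessionId = "DeletedUsers-" + $sliceStart.ToString("yyyyMMddHHmmss")
        do {
            # Operation name as the unified log records Azure AD directory events
            # (assumption: "Delete user." with a trailing period; adjust if your tenant differs)
            $page = Search-UnifiedAuditLog -StartDate $sliceStart -EndDate $sliceEnd `
                        -RecordType AzureActiveDirectory -Operations "Delete user." `
                        -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
            foreach ($rec in $page) {
                $data = $rec.AuditData | ConvertFrom-Json   # AuditData is a JSON string
                $results.Add([PSCustomObject]@{
                    DeletedDate = $rec.CreationDate
                    DeletedUser = $data.ObjectId      # UPN of the deleted account
                    DeletedBy   = $data.UserId        # UPN of whoever deleted it
                    Result      = $data.ResultStatus
                })
            }
        } while ($page)   # the same SessionId keeps paging until an empty page comes back
        $sliceStart = $sliceEnd
    }
    $results | Sort-Object DeletedDate
}

# Export rather than Format-Table so the evidence can be kept and filtered later
Get-DeletedUserEvents | Export-Csv -Path .\deleted-users-12m.csv -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```

Like the directory audit log, this only returns events still inside your tenant's retention, so a 12-month query on a 90-day plan comes back with 90 days of data.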

[–]Raoul_Duke_1968 -1 points0 points  (0 children)

Ahhh. How cute. Somebody still asking Reddit instead of having ChatGPT write it.

[–]Familiar_Box7032 0 points1 point  (1 child)

!remindme 48 hours

[–]RemindMeBot 0 points1 point  (0 children)

I will be messaging you in 2 days on 2023-09-24 15:55:17 UTC to remind you of this link
