- To track user account deletions, log in to your Microsoft Azure portal → Navigate to "Azure Active Directory" → Go to "Users and Groups" → Click "Audit Logs" → Filter the audit log by the "Delete user" activity → Click on the last event with the "Delete user" activity.
- To find out who deleted a user from your Azure AD, refer to the "Actor" section. To find out which accounts were deleted, refer to the "Target" section.
- Run Netwrix Auditor → Navigate to "Reports" → Expand the "Azure AD" section → Select "User Accounts Created and Deleted Directly in Azure AD" → Click "View" → Set the "Actions" filter to "Removed only" and click "View Report".
- To save the report, click the "Export" button → Choose a format from the dropdown menu → Click "Save".
Regularly Audit Deleted Users in Azure Active Directory to Ensure User Productivity and Reduce Helpdesk Costs
If someone deleted a user account from Azure AD, that user would not be able to access any Azure cloud applications. If the user was already logged in, they would lose access to Office 365, SharePoint Online, Exchange Online, other Azure applications and shared folders. By monitoring user accounts deletions in Azure Active Directory on a regular basis, IT admins can ensure that all users can log on and access the systems and resources they need, which in turn will reduce the number of helpdesk requests.
Netwrix Auditor for Azure AD provides complete visibility into security and configuration changes, including all deletions of user accounts in Azure Active Directory, changes to password policies and more. It offers more than 200 easy-to-read predefined reports with filtering, grouping and sorting capabilities that enable you to stay on top of the most critical activity. In particular, the “User Accounts Created and Deleted Directly in Azure AD” report shows which user accounts were removed or created in Azure AD and by whom. With that information at hand, you can quickly restore improperly deleted accounts to minimize productivity losses and helpdesk calls. You can also investigate any particular incident more deeply using the Interactive Search capability.