- Audit logging in Microsoft Azure is enabled automatically and cannot be disabled. In order to track user account deletions, log in to your Microsoft Azure portal → Navigate to Azure Active Directory → Users and Groups → Audit Logs → Filter the audit log by "Delete user" activity → click on the last event with "Delete user" activity.
- The “Actor” field “Upn” string will show you who deleted a user from your Azure AD and the “Target” field will show you whose account was deleted.
- Run Netwrix Auditor → Click "Reports" → Azure AD → User Accounts Created and Deleted Directly in Azure AD → Click "View" → Define the actions filter to Removed only and click "View Report".
After that, you will see who deleted a user from your Azure AD.
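For the native audit log route described above, the same "Delete user" filter can be run over an exported audit log. This is an added example, not Netwrix or Microsoft code. It assumes the export is JSON using the Microsoft Graph `directoryAudit` field names (`initiatedBy` for the portal's "Actor", `targetResources` for "Target"), and all records in it are constructed.

```python
import json
import re
from collections import Counter

ID = "0123456789abcdef0123456789abcdef"  # constructed object ID, no dashes

def _rec(when, activity, result, user_upn, app_name, target_upn):
    """Build one constructed record using Graph directoryAudit field names."""
    return {"activityDateTime": when, "activityDisplayName": activity,
            "result": result,
            "initiatedBy": {
                "user": {"userPrincipalName": user_upn} if user_upn else None,
                "app": {"displayName": app_name} if app_name else None},
            "targetResources": [{"userPrincipalName": target_upn}]}

ADMIN = "admin@contoso.example"
# Constructed sample export (not data from the page).
SAMPLE_EXPORT = json.dumps([
    _rec("2024-01-01T09:00:00Z", "Delete user", "success", ADMIN, None, ID + "j.doe@contoso.example"),
    _rec("2024-01-01T09:05:00Z", "Add user", "success", ADMIN, None, "new@contoso.example"),
    _rec("2024-01-01T09:10:00Z", "Delete user", "success", None, "Provisioning Sync", "m.lee@contoso.example"),
    _rec("2024-01-01T09:15:00Z", "Delete user", "failure", ADMIN, None, "ceo@contoso.example"),
    _rec("2024-01-01T09:20:00Z", "Delete user", "success", ADMIN, None, ID + "a.roy@contoso.example"),
])

# Assumption: a deleted user's UPN is logged with the object ID (32 hex
# characters) prepended; strip that prefix so the name is readable.
_ID_PREFIX = re.compile(r"^[0-9a-f]{32}(?=.+@)", re.IGNORECASE)

def deleted_users(export_json):
    """Return who deleted whom for every successful "Delete user" event."""
    events = []
    for rec in json.loads(export_json):
        if rec.get("activityDisplayName") != "Delete user" or rec.get("result") != "success":
            continue  # other activities and failed attempts removed no account
        by = rec.get("initiatedBy") or {}
        user, app = by.get("user") or {}, by.get("app") or {}
        # The actor is a user or an application (service principal), never both.
        actor = user.get("userPrincipalName") or app.get("displayName") or "unknown"
        for tgt in rec.get("targetResources") or []:
            upn = tgt.get("userPrincipalName") or tgt.get("id") or "unknown"
            events.append({"time": rec.get("activityDateTime"), "actor": actor,
                           "target": _ID_PREFIX.sub("", upn)})
    return events

def deletions_per_actor(events):
    """Count deletions per actor so an unusual volume stands out."""
    return Counter(e["actor"] for e in events)
```

Deletions initiated by an application have no user UPN, so the function falls back to the application's display name instead of dropping the event.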
Regularly Audit Deleted Users in Azure Active Directory to Ensure User Productivity and Reduce Helpdesk Costs
If someone deleted a user account from Azure AD, that user would not be able to access any Azure cloud applications. If the user was already logged in, they would lose access to Office 365, SharePoint Online, Exchange Online, other Azure applications and shared folders. By monitoring user account deletions in Azure Active Directory on a regular basis, IT admins can ensure that all users can log on and access the systems and resources they need, which in turn will reduce the number of helpdesk requests.
Netwrix Auditor for Azure AD provides complete visibility into security and configuration changes, including all deletions of user accounts in Azure Active Directory, changes to password policies and more. It offers more than 200 easy-to-read predefined reports with filtering, grouping and sorting capabilities that enable you to stay on top of the most critical activity. In particular, the “User Accounts Created and Deleted Directly in Azure AD” report shows which user accounts were removed or created in Azure AD and by whom. With that information at hand, you can quickly restore improperly deleted accounts to minimize productivity losses and helpdesk calls. You can also investigate any particular incident more deeply using the Interactive Search capability.