Tom_Pham
Copper Contributor
Apr 18, 2019

O365 group deletion audit

I'm trying to find out who deleted a group using security and compliance. When I exported the report it's telling me that the group was "Hard deleted" and the userids of the person who deleted the group being "Certificate". I don't have a user called "certificate". Does someone know where this userid came from?

4 Replies

  • My guess would be that this corresponds to an "expired" group, as in the soft-deleted period has lapsed and an automatic process on Microsoft's side triggered the deletion. But that's just a guess, without being able to see the actual records it's all we can do.

    • VasilMichev
      MVP

      So I went ahead and searched the logs in my tenant for this "Certificate" object, and I can confirm that it's a Microsoft-owned service principal that runs some processes on the backend. 

      • Robert Luck
        Iron Contributor

        VasilMichev Great digging. It would be nice if Microsoft starts using user-friendly names for their backend principals! 