Forum Discussion
Finding who deleted a message from a Microsoft 365 Group
We recently had a very bad experience, in a Microsoft 365 group, a user deleted all emails by mistake. The recover has been done via PowerScript, but how do we find which user did the wrong action, i...
Accessing items is not audited for Groups, deleting items is. You can refer to the following table for more details: https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide#mailbox-actions-for-microsoft-365-group-mailboxes
If the above query doesn't return any details, you can try extending the date range. And double-check the ExchangeGUID value, Alternatively, you can try exporting the full set of audit records, either via PowerShell or the UI, and filter the results afterwards. Here's how to do this via the UI: https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-search?view=o365-worldwide
If the above query doesn't return any details, you can try extending the date range. And double-check the ExchangeGUID value, Alternatively, you can try exporting the full set of audit records, either via PowerShell or the UI, and filter the results afterwards. Here's how to do this via the UI: https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-search?view=o365-worldwide
So , is there a powershell command to find users, time that deleted from a microsoft 365 group messages? Tried many commands but nothing .... Also searched Audit from BS 365 Defender or Azure nothing als ... or something I do wrong...
The cmdlet above should work. Here's an example from my tenant:
If you are not getting any results, expand the search criteria. Remove the -RecordType parameter to cover even more scenarios.