O365 group deletion audit

Copper Contributor

I'm trying to find out who deleted a group using security and compliance.  When I exported the report it's telling me that the group was "Hard deleted" and the userids of the person who deleted the group being "Certificate".  I don't have a user called "certificate".  Does someone know where this userid came from.

4 Replies

My guess would be that this corresponds to an "expired" group, as in the soft-deleted period has lapsed and an automatic process on Microsoft's side triggered the deletion. But that's just a guess, without being able to see the actual records it's all we can do.

So I went ahead and searched the logs in my tenant for this "Certificate" object, and I can confirm that it's a Microsoft-owned service principal that runs some processes on the backend. 

@VasilMichev Great digging. It would be nice if Microsoft starts using user-friendly names for their backend principals! 

No argument there, but it is what it is...