Apr 17 2019 08:20 PM
I'm trying to find out who deleted a group using security and compliance. When I exported the report it's telling me that the group was "Hard deleted" and the userids of the person who deleted the group being "Certificate". I don't have a user called "certificate". Does someone know where this userid came from.
Apr 18 2019 12:19 AM
My guess would be that this corresponds to an "expired" group, as in the soft-deleted period has lapsed and an automatic process on Microsoft's side triggered the deletion. But that's just a guess, without being able to see the actual records it's all we can do.
Apr 18 2019 09:46 AM
So I went ahead and searched the logs in my tenant for this "Certificate" object, and I can confirm that it's a Microsoft-owned service principal that runs some processes on the backend.
Apr 18 2019 11:40 PM
@VasilMichev Great digging. It would be nice if Microsoft starts using user-friendly names for their backend principals!