Audit Log Discrepancy - Remove-UnifiedGroup Activity


In the S&C Center, I can do an Audit Log search and I see an activity that is called Remove-UnifiedGroup. I would like to find all of these activities; however, when I try to do another search that uses this to filter, I don't get any results, and when I search for Deleted Group (from the Azure AD group administration category) this activity is not found.

I'm guessing that this inconsistency is caused by soft deletion of AAD groups or that the various group types are not getting handled correctly. Can anyone confirm or offer any insights?


@Tony Redmond


I tried this command:

Search-UnifiedAuditLog -startdate 1-Feb-2018 -EndDate 13-Mar-2018  -SessionCommand ReturnNextPreviewPage -Resultsize 3000 -RecordType AzureActiveDirectory -operations "Delete group."

And it found the 2 instances of deleted groups in the last 30 or so days... Both on 12-Feb. One was deleted already (it doesn't show up with Get-AzureADMSDeletedGroup), the other is available for restore (still). The operation you need is "Deleted Group." Does that help?


TR

Thanks for running a test using PowerShell. I have been having all kinds of other issues with the logs in this tenant and this looks like another data problem. I used that same activity in the UI, and did not get the expected result.

This image shows the activity that I performed (filtered by my account). When I remove my account and add the Deleted Group activity I don't get any results. When I run the script you provided me I don't get the result either. If I change my date range, I get some results, but not the event shown in my screenshot.

The UI is showing the event that occurred yesterday, but PowerShell is only showing events through 2 days ago. It's very strange.


It could be a data glitch with audit data flowing into the audit log. I'd file a support case and ask Microsoft to check things out.


PowerShell and the search UI look at the same data. I see the same in both places. One thing I did notice is that you see a Deleted Group record when a group is soft-deleted and a Hard Delete Group record when it is eventually removed permanently.
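A reconciliation script that puts the two searches discussed in this thread side by side: the Exchange admin record for Remove-UnifiedGroup and the Azure AD "Delete group." record that should accompany a soft delete. This is an added example, not code posted by Tony or anyone else in the thread; it assumes an open Exchange Online PowerShell session, a 10-minute correlation window (chosen here, not from the thread), and that "Hard Delete group." is the exact operation string behind the Hard Delete Group record mentioned above (verify it in your own tenant).

```powershell
# Added example: reconcile Remove-UnifiedGroup audit records with the Azure AD group-deletion records.
# Assumes Connect-ExchangeOnline has already been run in this session.
param(
    [datetime]$Start = (Get-Date).AddDays(-30),
    [datetime]$End   = (Get-Date)
)

function Get-AuditRecords {
    param([string]$RecordType, [string[]]$Operations)
    # Page through the result set with a session id until the service returns nothing.
    # ResultSize 5000 is the per-call maximum for Search-UnifiedAuditLog.
    $sessionId = [guid]::NewGuid().ToString()
    $all = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -RecordType $RecordType `
            -Operations $Operations -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $all += $page }
    } while ($page -and $page.Count -gt 0)
    # AuditData is a JSON string; expand only the fields needed for correlation.
    $all | ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = [datetime]$d.CreationTime
            Operation = $d.Operation
            Actor     = $d.UserId
            ObjectId  = $d.ObjectId
            Result    = $d.ResultStatus
        }
    }
}

$exchange = Get-AuditRecords -RecordType ExchangeAdmin -Operations 'Remove-UnifiedGroup'
# "Delete group." is the operation used earlier in the thread; "Hard Delete group." is an assumed
# name for the permanent-removal record Tony describes. Check both strings in your tenant.
$aad = Get-AuditRecords -RecordType AzureActiveDirectory -Operations 'Delete group.', 'Hard Delete group.'

# For every Remove-UnifiedGroup, look for an Azure AD soft-delete record within 10 minutes
# (a heuristic window, since the two record types do not share an object identifier).
foreach ($rm in ($exchange | Sort-Object Time)) {
    $match = $aad | Where-Object {
        $_.Operation -eq 'Delete group.' -and [math]::Abs(($_.Time - $rm.Time).TotalMinutes) -le 10
    }
    $state = if ($match) { 'Azure AD Delete group. record present' } else { 'NO matching Azure AD record' }
    '{0:u}  {1}  {2}  -> {3}' -f $rm.Time, $rm.Actor, $rm.ObjectId, $state
}
# The thread reports the UI showing events that PowerShell had not yet returned; if the newest
# records come back missing, re-run the same window a day or two later before filing a case.
```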