How to Detect Deleted User Accounts in Microsoft Entra ID

Native Auditing vs. Netwrix Auditor for Microsoft Entra ID
{{ firstError }}
We care about the security of your data. Please see our Privacy Policy
Native Auditing Netwrix Auditor for Microsoft Entra ID
Native Auditing
Netwrix Auditor for Microsoft Entra ID
Steps
  1. To track user account deletions, log in to your Microsoft Azure portal → Navigate to "Azure Active Directory" → Go to "Users and Groups" → Click "Audit Logs" → Filter the audit log by the "Delete user" activity → Click on the last event with the "Delete user" activity.
  2. To find out who deleted a user from your Azure AD, refer to the "Actor" section. To find out which accounts were deleted, refer to the "Target" section.
Native Audit logs for detecting who deleted user account from Azure AD

 

 

  1. Run Netwrix Auditor → Navigate to "Reports" → Expand the "Azure AD" section → Select "User Accounts Created and Deleted Directly in Azure AD" → Click "View" → Set the "Actions" filter to "Removed only" and click "View Report".
Netwrix Auditor Report for detecting who deleted user account from Azure AD
  1. To save the report, click the "Export" button → Choose a format from the dropdown menu → Click "Save".

 

 

Learn more about Netwrix Auditor for Microsoft Entra ID

Regularly Audit Deleted Users in Microsoft Entra ID to Ensure User Productivity and Reduce Helpdesk Costs

If someone deleted a user account from Microsoft Entra ID, that user would not be able to access any Azure cloud applications. If the user was already logged in, they would lose access to Office 365, SharePoint Online, Exchange Online, other Azure applications and shared folders. By monitoring user accounts deletions in Microsoft Entra ID on a regular basis, IT admins can ensure that all users can log on and access the systems and resources they need, which in turn will reduce the number of helpdesk requests.

Netwrix Auditor for Microsoft Entra ID provides complete visibility into security and configuration changes, including all deletions of user accounts in Microsoft Entra ID, changes to password policies and more. It offers more than 200 easy-to-read predefined reports with filtering, grouping and sorting capabilities that enable you to stay on top of the most critical activity. In particular, the “User Accounts Created and Deleted Directly in Azure AD” report shows which user accounts were removed or created in Microsoft Entra ID and by whom. With that information at hand, you can quickly restore improperly deleted accounts to minimize productivity losses and helpdesk calls. You can also investigate any particular incident more deeply using the Interactive Search capability.

Related How-tos
How to Detect Who Modified Mailbox Permissions in Exchange Online How to Detect Who Deleted a User Account in Active Directory How to Export Active Directory Users to CSV How to Export Active Directory Objects to CSV How to Detect Who Enabled a User Account in Active Directory How to Find Account Lockout Source