Query Details

Microsoft Entra ID User Removal

Query

AuditLogs
| where OperationName == "Delete user"
// Exclude accounts deleted via AD Sync; uncomment and add more exclusions depending on your environment
// | where InitiatedBy.user.id != ""
// Trim the 32-character ID prefix from the deleted user's UPN
| extend DeletedUser = substring(tostring(TargetResources[0].userPrincipalName), 32)
// Account that performed the deletion
| extend DeletedBy = tostring(InitiatedBy.user.userPrincipalName)

Explanation

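This query filters the AuditLogs table for "Delete user" operations. The filter that excludes accounts deleted via AD Sync is present but commented out, so it only applies once you enable it. The query then adds two columns: DeletedUser, the target's userPrincipalName with its first 32 characters (the ID) trimmed off, and DeletedBy, the userPrincipalName of the account that initiated the deletion.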
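The same logic run over constructed sample rows, as an added example that is not the author's query. It also covers two cases the plain substring does not handle: a UPN without the ID prefix and a deletion with no InitiatedBy.user. The sample rows, the SampleAuditLogs, RawUpn and InitiatorType names, and the assumption that the trimmed prefix is 32 hexadecimal characters are all introduced here.

```kql
// Constructed sample rows (not real tenant data), shaped like the AuditLogs columns the query reads.
let SampleAuditLogs = datatable(TimeGenerated: datetime, OperationName: string, InitiatedBy: dynamic, TargetResources: dynamic)
[
    // Deleted by an admin account: InitiatedBy.user is populated, UPN carries the 32-character prefix.
    datetime(2024-06-07 09:15:00), "Delete user",
    dynamic({"user": {"id": "11111111-2222-3333-4444-555555555555", "userPrincipalName": "admin@contoso.example"}}),
    dynamic([{"type": "User", "userPrincipalName": "0123456789abcdef0123456789abcdefalice@contoso.example"}]),
    // Deleted by an application (for example a sync service): there is no InitiatedBy.user at all.
    datetime(2024-06-07 09:20:00), "Delete user",
    dynamic({"app": {"displayName": "Sync service (constructed)"}}),
    dynamic([{"type": "User", "userPrincipalName": "fedcba9876543210fedcba9876543210bob@contoso.example"}]),
    // Edge case: the UPN has no prefix, so a blind substring(..., 32) would cut into the name.
    datetime(2024-06-07 09:25:00), "Delete user",
    dynamic({"user": {"id": "11111111-2222-3333-4444-555555555555", "userPrincipalName": "admin@contoso.example"}}),
    dynamic([{"type": "User", "userPrincipalName": "carol@contoso.example"}]),
    // Unrelated operation: must be dropped by the OperationName filter.
    datetime(2024-06-07 09:30:00), "Update user",
    dynamic({"user": {"id": "11111111-2222-3333-4444-555555555555", "userPrincipalName": "admin@contoso.example"}}),
    dynamic([{"type": "User", "userPrincipalName": "dave@contoso.example"}])
];
SampleAuditLogs
| where OperationName == "Delete user"
| extend RawUpn = tostring(TargetResources[0].userPrincipalName)
// Trim only when the value really starts with 32 hex characters (assumed ID format); otherwise keep it whole.
| extend DeletedUser = iff(RawUpn matches regex "^[0-9a-fA-F]{32}.+@", substring(RawUpn, 32), RawUpn)
// Label the initiator so app-initiated deletions can be reviewed or excluded explicitly.
| extend InitiatorType = iff(isnotempty(tostring(InitiatedBy.user.id)), "user", "app")
// Fall back to the application name so the actor column is never blank.
| extend DeletedBy = iff(InitiatorType == "user",
    tostring(InitiatedBy.user.userPrincipalName),
    tostring(InitiatedBy.app.displayName))
| project TimeGenerated, DeletedUser, DeletedBy, InitiatorType
```

To use it against live data, replace SampleAuditLogs with AuditLogs and drop the let statement.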

Details

Wessel Hissink (@WesSec_)

Released: June 7, 2024

Tables

AuditLogs

Keywords

AuditLogs, Delete, User, ADSync, InitiatedBy, TargetResources

Operators

substring(0indexof(InitiatedBy.user.userPrincipalName"@"))
