Reporting Team Deletion Events to Office 365 Administrators

Use Office 365 Audit Log to Report the Deletion of Teams

Idly playing with PowerShell on a dull Friday afternoon in winter, I decided to respond to a question in the Office 365 Facebook group about how to be notified when someone deletes a team. Presumably the requirement exists to allow tenant administrators to leap into action to chastise people who delete teams without asking, or something like that.

My initial response was that this is the same problem as you have when someone deletes an Office 365 Group (each team is a group) and directed the questioner to this 2018 Petri article, which describes how to check groups in a soft-deleted state waiting for their 30-day retention period to expire. During this time, you can rescue a soft-deleted group and return it to full working order.

Office 365 Activity Alerts

The Office 365 Security and Compliance Center includes the ability to create activity alerts (in the Alerts section). These alerts fire when an Office 365 audit record is captured for specific events, like team deletions (Figure 1). When an alert happens, email notifications go to the people specified in the alert to tell them that something’s happened. It all sounds good.

Figure 1: An Office 365 Activity Alert for Team Deletions

The Problems with Activity Alerts

When you access activity alerts in the Security and Compliance Center, you’ll see a banner saying that Microsoft has a better solution (activity policies). Activity alerts have some problems. First, they can fire some time after an event occurs. It all depends on when the audit log ingests events from the workload responsible for the monitored activity. Usually the delay is between 15 and 30 minutes for most Office 365 workloads, but it can be longer. Second, whatever process is responsible for sending the email notifications seems to be asleep for most of the day, as the arrival time of the notifications is very unpredictable. You might even say unreliable.

It’s easy to create your own version of activity alerts based on the same data as used by Office 365. First, we look in the Office 365 audit log for team deletion events. Then we distribute the information via email or Teams.

Script to Report Team Deletions

The PowerShell script below searches for team deletion events from the last seven days and stores the information in a list object.

<pre class="lang:ps">CLS; Write-Host "Searching Office 365 Audit Records to find Team deletions"
$StartDate = (Get-Date).AddDays(-7); $EndDate = (Get-Date)
# Fetch up to 1000 TeamDeleted audit records for the last seven days
$Records = (Search-UnifiedAuditLog -Operations TeamDeleted -StartDate $StartDate -EndDate $EndDate -ResultSize 1000)
If ($Records.Count -eq 0) {
    Write-Host "No audit records for Team deletions found." }
Else {
    Write-Host "Processing" $Records.Count "team deletion audit records..."
    $Report = [System.Collections.Generic.List[Object]]::new() # List to hold the report lines
    # Scan each audit record to extract information from its JSON AuditData payload
    ForEach ($Rec in $Records) {
        $AuditData = ConvertFrom-Json $Rec.AuditData
        $ReportLine = [PSCustomObject] @{
            TimeStamp = Get-Date($AuditData.CreationTime) -format g
            User      = $AuditData.UserId
            Action    = $AuditData.Operation
            Team      = $AuditData.TeamName }
        $Report.Add($ReportLine) }
    Write-Host "All done - Team deletion records for the last 7 days"
    $Report | Format-Table TimeStamp, Action, Team, User -AutoSize }</pre>

Notifying Administrators About Team Deletions

After we know what teams were deleted in the last week, we can use the information stored in the $Report variable to create notifications for administrators that are posted via email or Teams.

Creating and sending email notifications in PowerShell is straightforward (an example is explained here). Remember that the account used to send the message must be enabled for SMTP authentication, as otherwise the Send-MailMessage cmdlet will fail.

Posting to a Teams channel can be done using the incoming webhook connector as described in this article. In some respects, it seems appropriate that notifications about deleted teams should be posted to Teams, but I will let you make your own mind up.
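The two notification routes described above, as an added example that is not part of the original post: it takes the $Report list built by the script earlier on this page and turns it into an HTML email sent with Send-MailMessage and a MessageCard posted to a Teams incoming webhook with Invoke-RestMethod. The SMTP server, sender, recipients and webhook URL are placeholders to replace, and the function names (New-TeamDeletionHtml, Send-TeamDeletionMail, Send-TeamDeletionWebhook) are my own; if $Report does not exist, a constructed sample record is used so the functions can be tried without live audit data.

```powershell
# Added example (not from the original post): notify administrators about the
# team deletions held in $Report, the list built by the audit log script above.
# Assumptions: each $Report entry is a PSCustomObject with TimeStamp, User,
# Action and Team properties; the values below are placeholders to replace.

$SmtpServer = "smtp.office365.com"
$Sender     = "alerts@contoso.example"                     # placeholder: account must be SMTP AUTH enabled
$Recipients = @("teams-admins@contoso.example")            # placeholder
$WebhookUri = "https://REPLACE-WITH-INCOMING-WEBHOOK-URL"  # placeholder from the channel's connector

If (-not $Report) {
    # Constructed sample data so the functions can be exercised without audit records
    $Report = [System.Collections.Generic.List[Object]]::new()
    $Report.Add([PSCustomObject] @{
        TimeStamp = "08/02/2019 09:15"
        User      = "jane.doe@contoso.example"
        Action    = "TeamDeleted"
        Team      = "Project Falcon" })
}

function New-TeamDeletionHtml {
    # Build an HTML fragment (no <html>/<body> wrapper) listing the deleted teams
    param([Parameter(Mandatory)]$Report)
    $Table = $Report | Select-Object TimeStamp, Team, User, Action | ConvertTo-Html -Fragment
    return "<p>$($Report.Count) team deletion(s) found in the Office 365 audit log:</p>$Table"
}

function Send-TeamDeletionMail {
    # Email route: authenticated SMTP submission on port 587 with TLS
    param([Parameter(Mandatory)]$Report, [Parameter(Mandatory)][pscredential]$Credential)
    $Body = New-TeamDeletionHtml -Report $Report
    Send-MailMessage -SmtpServer $SmtpServer -Port 587 -UseSsl -Credential $Credential `
        -From $Sender -To $Recipients -Subject "Teams deleted in the last 7 days" `
        -Body $Body -BodyAsHtml
}

function Send-TeamDeletionWebhook {
    # Teams route: incoming webhooks accept a MessageCard JSON payload; one fact per team
    param([Parameter(Mandatory)]$Report)
    $Facts = foreach ($Line in $Report) {
        @{ name = $Line.Team; value = "$($Line.TimeStamp) by $($Line.User)" }
    }
    $Card = @{
        '@type'    = 'MessageCard'
        '@context' = 'https://schema.org/extensions'
        summary    = 'Team deletions'
        themeColor = 'D70000'
        title      = "$($Report.Count) team(s) deleted in the last 7 days"
        sections   = @(@{ facts = @($Facts) })
    }
    # -Depth is needed so the nested sections/facts arrays are serialised fully
    Invoke-RestMethod -Uri $WebhookUri -Method Post -ContentType 'application/json' `
        -Body ($Card | ConvertTo-Json -Depth 5)
}

If ($Report.Count -gt 0) {
    $Cred = Get-Credential -Message "Account used to send the notification email"
    Send-TeamDeletionMail -Report $Report -Credential $Cred
    Send-TeamDeletionWebhook -Report $Report
}
```

The webhook route needs no mailbox credentials, only the connector URL, which should be treated as a secret because anyone holding it can post to the channel; the email route depends on the sending account being allowed to use SMTP AUTH, as noted above.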

The Office 365 Audit log is stuffed full of interesting information to explain how and when things happen inside a tenant. The Office 365 for IT Pros eBook contains many examples of using the audit log to good effect. Subscribe to receive monthly updates full of Office 365 goodness.

6 Replies to “Reporting Team Deletion Events to Office 365 Administrators”

  1. Hi Tony,

    Interesting to know if a Team auto-expiry would also count as a Team Deletion activity and trigger an alert?

  2. Hi Tony, would be interested to know whether an auto-expiration of a Team (using Group Expiration Policies) also triggers the same alert? Or does it not count as user activity?

    1. It would be a different audit event because the removal is of the Office 365 Group, not a team, and is performed by a background process. You’d check for Delete Group operations performed by a process with a name like ServicePrincipal_1342cefb-7a89-4ee2-af90-c8443053e1e8

  3. How to best alert about channel deletions? We just lost a couple of channels because someone deleted them by accident and people didn’t realize until after the 21 days grace period. I couldn’t find any trigger for that in the alert policy, but the events can be found under Audit.
