ManageEngine x Forrester | Workforce Identity Platforms Landscape Report

Azure Active DirectoryAzure AD Security

How to detect user account deletions in Microsoft Entra ID

Azure Active Directory (Azure AD), currently known as Microsoft Entra ID, is a Microsoft identity and access management service that helps organizations securely manage identities in hybrid and multicloud configurations.

Method 1: Native auditing

  1. Log in to your Microsoft Azure portal using your administrator credentials.
  2. Navigate to Azure Active Directory: You can find this on the sidebar or the main dashboard of the Azure portal.
  3. Go to “Users and Groups”: This section allows you to manage user accounts and groups within your Azure AD.
  4. Access “Audit logs” or “Activity Logs”: This may be a tab or under a menu within the “Users and Groups” section.
  5. Filter audit logs: Use “Delete user” to filter the audit logs and specifically show recent user account deletions.
  6. Review the events: The list will display multiple details, including “Actor” (who deleted the user account) and “Target” (the accounts that were deleted).

Method 2: Using PowerShell

  1. Open PowerShell: Press Start, search for Windows PowerShell, right-click on it, and select “Run as administrator.”
  2. Run the script: Type the following script into the console and press Enter:
Get-AzureADAuditDirectoryLogs -Filter "ActivityDisplayName eq 'Delete user'" | Select-Object Id, UserPrincipalName, UserType, ActivityDisplayName, ActivityDateTime

This script will provide a table showing ID, UserPrincipalName, UserType, ActivityDisplayName, and ActivityDateTime.

Importance of monitoring user account deletions in Microsoft Entra ID

Monitoring the removal of user accounts from Microsoft Entra ID is crucial for maintaining security, compliance, and effective user management within an organization.

Consequences of failing to detect user account deletions

  • Unauthorized access: Undetected deletions may lead to unauthorized access to sensitive information and resources.
  • Security breaches: Inadequate auditing can result in undetected security breaches or compliance violations.
  • Threat detection: Lack of visibility into user behavior patterns makes it difficult to identify and mitigate threats.
  • Insider threats: Neglecting account removal monitoring can leave the organization vulnerable to insider threats or external attacks.
  • Regulatory compliance: Non-compliance with regulatory requirements can lead to penalties, fines, or legal consequences.
  • Data breaches: Insufficient security measures can result in data breaches, reputation damage, and financial losses.
  • Adaptability: Without proactive security measures, organizations may struggle to adapt to evolving cybersecurity threats.

Monitoring user account deletions not only facilitates easy access to Azure cloud apps but also protects critical systems like Office 365, ensuring continuous operation. By implementing strong auditing processes, administrators can identify unusual activity and take immediate action. This granular visibility enhances security posture and fosters an accountability culture, ensuring compliance with organizational laws and regulations.

Organizations that prioritize regular audits can reduce helpdesk requests, strengthen security measures, and improve user access control operations. Monitoring user account deletions ensures the integrity of the digital environment, bolsters defenses against malicious actors, and adheres to compliance rules. This proactive strategy protects organizational assets and paves the way for long-term growth and innovation.

Related posts
Azure Active DirectoryAzure AD Management

How to implement app registration in Microsoft Entra ID

Azure Active DirectoryAzure AD Management

How to register apps using Microsoft Entra ID

Azure Active DirectoryAzure AD Security

How to monitor and report security events in Microsoft Entra ID

Azure Active DirectoryAzure AD Management

How to implement device enrollemnt via Microsoft Intune


There are over 8,500 people who are getting towards perfection in Active Directory, IT Management & Cyber security through our insights from Identitude.

Wanna be a part of our bimonthly curation of IAM knowledge?

  • -Select-
  • By clicking 'Become an insider', you agree to processing of personal data according to the Privacy Policy.