Azure Active Directory (Azure AD) is a crucial identity and access management service provided by Microsoft. Managing users efficiently, including tracking deletions, is essential for security, compliance, and effective organization of resources. In this article, we’ll explore how to track deleted users in Azure Active Directory to ensure comprehensive user lifecycle management.

Enable Azure AD Audit Logging

Before tracking deleted users, it’s crucial to ensure that Azure AD audit logging is enabled. This feature allows the recording of activities that occur within Azure AD, including user deletions.

  1. Sign in to Azure Portal: Navigate to the Azure portal (https://portal.azure.com) and sign in with your administrative credentials.
  2. Access Azure AD Settings: Navigate to “Azure Active Directory” in the left-hand navigation pane and select “Audit logs” under Monitoring.
  3. Enable Audit Logging: Click on “Turn on audit log” to enable audit logging for your Azure AD. Choose the appropriate retention settings and click Save.

Use Azure AD PowerShell for Tracking

Azure AD PowerShell provides powerful tools to track and manage users, including deleted users.

  1. Connect to Azure AD PowerShell: Open PowerShell and connect to Azure AD using the following command: Connect-AzureAD
  2. List Deleted Users: Use PowerShell to list all deleted users: Get-AzureADMSDeletedUser
  3. Restore Deleted Users: If needed, restore a deleted user using their Object ID: Restore-AzureADMSDeletedDirectoryObject -Id <ObjectID>, replacing <ObjectID> with the actual Object ID of the deleted user.
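The three steps above as one script, added here as an example rather than code from the article: it connects, builds a report of soft-deleted users with the number of days left before Azure AD purges them permanently (soft-deleted users are kept for 30 days), and restores a user only after confirming the Object ID really belongs to a soft-deleted user. It assumes the AzureAD module and the cmdlets the article names (Connect-AzureAD, Get-AzureADMSDeletedUser, Restore-AzureADMSDeletedDirectoryObject); the DeletedDateTime, Id and UserPrincipalName properties on the returned objects are assumptions. Note that the AzureAD module has been deprecated by Microsoft in favour of Microsoft Graph PowerShell, where Get-MgDirectoryDeletedItemAsUser is the equivalent listing cmdlet.

```powershell
# Added example (not from the article): report soft-deleted users and restore one safely.
# Assumes the AzureAD module and the cmdlets the article names; the property
# names below and the 30-day soft-delete retention window are assumptions.

Connect-AzureAD | Out-Null

function Get-DeletedUserReport {
    param([int]$RetentionDays = 30)   # Azure AD keeps soft-deleted users for 30 days
    $now = (Get-Date).ToUniversalTime()
    Get-AzureADMSDeletedUser | ForEach-Object {
        $deletedUtc = ([datetime]$_.DeletedDateTime).ToUniversalTime()
        $elapsed    = ($now - $deletedUtc).Days
        [pscustomobject]@{
            ObjectId          = $_.Id
            UserPrincipalName = $_.UserPrincipalName
            DeletedUtc        = $deletedUtc
            DaysUntilPurge    = [math]::Max(0, $RetentionDays - $elapsed)
        }
    } | Sort-Object DaysUntilPurge   # users closest to permanent deletion first
}

function Restore-DeletedUserById {
    param([Parameter(Mandatory)][string]$ObjectId)
    # Refuse to call Restore on an ID that is not currently a soft-deleted user,
    # so a typo or a stale ID fails loudly instead of silently doing nothing.
    $target = Get-DeletedUserReport | Where-Object { $_.ObjectId -eq $ObjectId }
    if (-not $target) {
        throw "No soft-deleted user with ObjectId '$ObjectId' was found."
    }
    Write-Host "Restoring $($target.UserPrincipalName) (deleted $($target.DeletedUtc) UTC)"
    Restore-AzureADMSDeletedDirectoryObject -Id $ObjectId
}

# Usage: list everything that will be purged within a week, then restore one by ID.
Get-DeletedUserReport | Where-Object { $_.DaysUntilPurge -le 7 } | Format-Table -AutoSize
# Restore-DeletedUserById -ObjectId '<ObjectID>'   # placeholder: substitute a real Object ID
```

Running the report on a schedule and keeping its output gives you a record of deletions even after the 30-day window closes, which the live cmdlets alone cannot provide.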

Utilize Azure AD Graph API

Azure AD Graph API allows for programmatic access to Azure AD data, including deleted users.

  1. Register an Application in Azure AD: Register an application in Azure AD and grant necessary permissions to read deleted users using Azure AD Graph API.
  2. Retrieve Deleted Users: Use the Azure AD Graph API to retrieve information about deleted users: GET https://graph.windows.net/{tenant_id}/deletedItems/users?api-version=1.6 Replace {tenant_id} with your Azure AD tenant ID.
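The API call above, carried out from PowerShell as an added example (not code from the article): it obtains an application token with the client-credentials flow and then pages through the deleted-users collection. The tenant ID, client ID and client secret are placeholders, and the app registration is assumed to hold the Directory.Read.All application permission. The endpoint the article quotes belongs to the legacy Azure AD Graph (graph.windows.net), which Microsoft has retired; the script therefore queries the Microsoft Graph equivalent, /directory/deletedItems/microsoft.graph.user, and goes beyond the article only in that respect.

```powershell
# Added example (not from the article): list deleted users over REST with an app-only token.
# Placeholders: <tenant_id>, <app_client_id>, <app_client_secret>. Assumes the app has
# Directory.Read.All (application) consented. Uses Microsoft Graph, the supported
# successor to the graph.windows.net endpoint quoted in the article.

$TenantId     = '<tenant_id>'
$ClientId     = '<app_client_id>'
$ClientSecret = '<app_client_secret>'   # load from a secret store in practice, never hard-code

function Get-GraphAppToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'   # all consented app permissions
    }
    $tokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body).access_token
}

function Get-DeletedUsersViaGraph {
    param([Parameter(Mandatory)][string]$Token)
    $headers = @{ Authorization = "Bearer $Token" }
    # Single quotes keep $select literal; it is an OData query option, not a variable.
    $uri = 'https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user' +
           '?$select=id,userPrincipalName,displayName,deletedDateTime'
    $results = @()
    while ($uri) {                         # follow @odata.nextLink until the collection is exhausted
        $page     = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $results += $page.value
        $uri      = $page.'@odata.nextLink'
    }
    $results
}

$token = Get-GraphAppToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
Get-DeletedUsersViaGraph -Token $token |
    Sort-Object deletedDateTime |
    Format-Table userPrincipalName, displayName, deletedDateTime -AutoSize
```

Paging matters here: Graph returns results in batches, so a script that reads only the first response will miss older deletions in a large tenant.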

Monitor Azure AD Audit Logs

Regularly monitor Azure AD audit logs to track user deletions and related activities. The logs can be accessed through the Azure portal.

  1. View Audit Logs: Navigate to “Azure Active Directory” > “Audit logs” in the Azure portal to view and search audit logs related to user deletions.
  2. Filter and Analyze Logs: Filter logs by specific activities (e.g., “Delete user”) and analyze the details to track when and by whom a user was deleted.

Set up Alerts for Deleted Users

Proactively monitor for user deletions by setting up alerts triggered by specific activities in Azure AD.

  1. Create Activity Log Alerts: Navigate to “Azure Active Directory” > “Activity log” in the Azure portal. Click on “Alerts” and create an alert rule specifying the condition for a deleted user.
  2. Configure Notifications: Configure notifications to be informed via email, SMS, or other means when the alert condition is met.
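The monitoring and alerting steps above (filtering the audit log for "Delete user" events, then being notified when one occurs) as one script, added here as an example and not code from the article: it queries the directory audit log for deletions in the last 24 hours, resolves who performed each one, and raises a warning for any deletion not carried out by an account on an allow-list. It assumes the AzureADPreview module's Get-AzureADAuditDirectoryLogs cmdlet and its -Filter and -All parameters; the allow-list addresses are constructed placeholders.

```powershell
# Added example (not from the article): detect "Delete user" audit events from the last
# 24 hours and flag those performed by an unexpected actor. Assumes the AzureADPreview
# module (Get-AzureADAuditDirectoryLogs); the allow-list below is constructed.

Connect-AzureAD | Out-Null

function Get-RecentUserDeletions {
    param([int]$Hours = 24)
    # OData filter on the audit log: activity name plus a lower bound on the timestamp
    $since  = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "activityDisplayName eq 'Delete user' and activityDateTime ge $since"
    Get-AzureADAuditDirectoryLogs -Filter $filter -All $true | ForEach-Object {
        # A deletion is initiated either by a signed-in user or by an application/service principal
        $actor = if ($_.InitiatedBy.User) { $_.InitiatedBy.User.UserPrincipalName }
                 else                     { $_.InitiatedBy.App.DisplayName }
        [pscustomobject]@{
            When        = $_.ActivityDateTime
            DeletedUser = $_.TargetResources[0].UserPrincipalName
            DeletedBy   = $actor
            Result      = $_.Result
        }
    }
}

function Find-UnexpectedDeletions {
    param([string[]]$ExpectedActors, [int]$Hours = 24)
    $events     = Get-RecentUserDeletions -Hours $Hours
    $unexpected = $events | Where-Object { $_.DeletedBy -notin $ExpectedActors }
    foreach ($e in $unexpected) {
        # Write-Warning is the notification hook; swap in mail, Teams or a ticket API as needed
        Write-Warning ("{0}: {1} deleted by {2} (result: {3})" -f $e.When, $e.DeletedUser, $e.DeletedBy, $e.Result)
    }
    $unexpected
}

# Constructed allow-list of accounts that are expected to delete users (placeholders)
$expectedActors = @('iam-automation@contoso.example', 'helpdesk-admin@contoso.example')
Find-UnexpectedDeletions -ExpectedActors $expectedActors -Hours 24 | Format-Table -AutoSize
```

Scheduling this as a daily job, or wiring it into an Azure Automation runbook, gives the same effect as a portal alert rule while leaving you a queryable record of every deletion and who initiated it.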

Conclusion

Tracking deleted users in Azure Active Directory is fundamental for maintaining a secure and well-organized identity and access management system. By enabling Azure AD audit logging, utilizing PowerShell and Azure AD Graph API, monitoring audit logs, and setting up alerts, you can effectively track user deletions, respond promptly to any unauthorized actions, and maintain a secure and compliant Azure AD environment for your organization.
