Are you interested in identifying who deleted a SharePoint Online site?
In SharePoint Online, knowing who made changes or deletions is crucial for maintaining data integrity and ensuring accountability. SharePoint Online, provides a robust environment for teams to collaborate, but occasional deletions can lead to data loss and confusion.
In this guide, you will be taken through various ways to find who deleted a SharePoint Online site and how to use PowerShell to retrieve the information.
Check Who deleted SharePoint Sites from SharePoint Admin Center
Before checking who deleted a SharePoint site. It is important to know who has the privilege to delete a SharePoint site. The types of SharePoint site and who can delete the site include:
- Team Site with a Microsoft 365 Group – Team Owner (being a Site Owner is not enough)
- Team Site without a Microsoft 365 Group – Site Owner
- Communication Site – Site Owner
- Private Channel Site – Team Owner or Channel Owner
- Shared Channel Site – Team Owner or Channel Owner
Also, it is important to note that SharePoint sites can be deleted as part of a site policies, Office 365 group deletion, etc.
To find out who deleted a SharePoint site collection, follow these steps:
- Login to your Office 365 account
- Click on the App launcher at the top left corner of your page.
- Click on Admin.
- This will redirect you to the Microsoft 365 admin center. Scroll down and click on Show more.
- Click on SharePoint. This will further redirect you to the SharePoint admin center.
- Click on Deleted sites.
This will display all the deleted sites in the logged in Office 365 account.
📝 Note: To check who deleted a site with this option, you must have admin privileges.
On the displayed deleted sites, Locate the columns and you will see Deleted by and Time deleted which shows the user who deleted the SharePoint sites and the time it was deleted.
The columns also contain other important information of the deleted SharePoint sites such as Created by, Date created and Created from.
Check Who deleted SharePoint Sites Using PowerShell
When it comes to investigating file deletions in SharePoint, PowerShell emerges as a formidable ally for administrators. To check who deleted a SharePoint site using PowerShell, you can use the Get-SPODeletedSite
cmdlet to return all deleted site collections that match the given criteria from the Recycle Bin. To understand how it seamlessly connects to your SharePoint site and extracts valuable information about deleted site.
Connect-SPOService -Url "https://<TENANT-NAME>-admin.sharepoint.com" -Credential <your-creds>
- To begin, establish a connection to your SharePoint Online site using the Connect-SPOService cmdlet. Provide the URL of your admin site and your credentials as parameters. This ensures that you have the necessary permission to retrieve information about deleted sites. Click on Enter afterward.
$deletedSites = Get-SPODeletedSite -Identity "https://<TENANT-NAME>.sharepoint.com/sites/<YOUR-SITE>"
- Use the
Get-SPODeletedSite
cmdlet to fetch information about deleted site collections. Specify the URL of the deleted site you want to investigate within the <YOUR-SITE> parameter. The result is stored in the$deletedSites
variable.
$deletedSites | Format-Table -Property Url, DeletedBy, DeletedDate
- Now that you have the information about the deleted site collections, use the
Format-Table
cmdlet to display specific properties in a tabular format. The properties include the URL of the deleted site (Url
), the name of the individual who deleted the site (DeletedBy
), and the date of deletion (DeletedDate
).
By following these steps, you can efficiently identify and retrieve details about deleted SharePoint sites using PowerShell. This script empowers SharePoint administrators to track changes, ensuring accountability and facilitating better management of SharePoint Online environments.
If you want to find who deleted files in SharePoint from the Recycle Bin, you can use the Get-PnPRecycleBinItem
cmdlet to get all the deleted items and their properties, such as the file name, the deleted by name, and the deleted date.
You can then store the results in a custom object and export them to a CSV file or display them in a table. To do this, follow these steps:
# Connect to the SharePoint Online site using your credentials
Connect-PnPOnline -Url "https://<TENANT-NAME>.sharepoint.com/sites/<YOUR-SITE>" -Credentials <your-creds>
# Get the deleted items from the Recycle Bin
$deletedItems = Get-PnPRecycleBinItem
# Create a custom object to store the properties of the deleted items
$results = @()
foreach($item in $deletedItems)
{
$results += [pscustomobject]@{
fileName = $item.LeafName
deletedBy = $item.DeletedByName
deletedDate = $item.DeletedDate
}
}
# Export the results to a CSV file
$results | Export-Csv -Path "C:\DeletedItems.csv" -NoTypeInformation
# Display the results in a table
$results | Format-Table -Property fileName, deletedBy, deletedDate
The script uses the Connect-PnPOnline
cmdlet to connect to the SharePoint Online site using your credentials. You need to replace the <TENANT-NAME> and <your-creds> placeholders with your actual values.
Then, it uses the Get-PnPRecycleBinItem
cmdlet to get the deleted items from the Recycle Bin. Next, it creates a custom object to store the properties of the deleted items, such as the file name, the deleted by name, and the deleted date.
After that, it exports the results to a CSV file using the Export-Csv cmdlet. You can change the path of the file as per your preference. Finally, it displays the results in a table using the Format-Table cmdlet.
Another way to check who deleted a SharePoint site is to analyze the IIS logs on the web front end server for the specific URL “/_layouts/15/webdeleted.aspx” that gets called when a user deletes the site from the site settings page. PowerShell script scans through all the IIS files of a given web application. Follow these steps:
Import-Module WebAdministration
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
- These lines import the necessary PowerShell modules for working with web administration and SharePoint. The
-ErrorAction SilentlyContinue
suppresses errors if the SharePoint module is already loaded.
Function Get-IISLogFolder($WebAppURL)
{
#Get Web Applications' IIS Settings
$WebApp = Get-SPWebApplication $WebAppURL
$IISSettings = $WebApp.IISSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
$WebSiteName = $IISSettings.ServerComment
#Get Log Folder from Web Site
$WebSite = Get-Website -Name $WebSiteName
$LogLocation = "$($WebSite.LogFile.Directory)\w3svc$($WebSite.id)".Replace("%SystemDrive%",$Env:SystemDrive)
Return $LogLocation
}
- This function takes a SharePoint web application URL as a parameter and retrieves the corresponding IIS log folder path.
Function Parse-IISLog {
[CmdletBinding()]
[OutputType([System.Data.DataTable])]
param(
[Parameter(Mandatory=$True, ValueFromPipeline=$True)][string[]]$LogFilePath
)
BEGIN {
$LogDataTable = New-Object System.Data.DataTable
$FieldsString = Get-Content -Path $LogFilePath | Select -First 5 | Where {$_ -Like "#[F]*"}
$Fields = $FieldsString.substring(9).split(' ');
$FieldsCount = $Fields.count - 1
}
PROCESS {
for($i=0;$i -lt $FieldsCount;$i++) {
$LogDataTable.Columns.Add($Fields[$i]) | Out-Null
}
$Content = Get-Content -Path $LogFilePath | Where {$_ -notLike "#[D,S,V,F]*" } | ForEach-Object {
$Row = $LogDataTable.NewRow()
for($i=0;$i -lt $FieldsCount;$i++) {
$Row[$i] = $_.Split(' ')[$i]
}
$LogDataTable.Rows.Add($row)
}
}
END {
$PSCmdlet.WriteObject($LogDataTable)
}
}
- This function parses an IIS log file and converts its content into a DataTable.
Function Search-IISLogs($WebAppURL, [String]$SearchURL)
{
#Get IIS Log Folder
$IISLogFolder = Get-IISLogFolder $WebAppURL
#Get IIS Log files created in the past 30 days
$IISLogFiles = Get-ChildItem -Path $IISLogFolder -Recurse | Where {$_.CreationTime -Gt (Get-Date).AddDays(-30)}
ForEach($LogFile in $IISLogFiles)
{
Write-host "Processing Log File:"$LogFile.FullName -f Yellow
$IISLogData = Parse-IISLog $LogFile.FullName
#Search Data
$SearchResults = New-Object System.Data.DataView($IISLogData)
$SearchResults.RowFilter = "[cs-uri-stem] like '%$SearchURL%'"
#Result
If ($SearchResults.Count -gt 0)
{
Write-Host "`tFound Site Deletion!" -ForegroundColor Green
$SearchResults | Select date, time, cs-uri-stem, cs-username, "cs(Referer)" | Format-Table
}
Else
{
Write-Host "`tNo Site Deletions Found!" -ForegroundColor DarkYellow
}
}
}
- This function searches IIS logs for a given URL within the specified SharePoint web application. It uses the previously defined functions to get the log folder, parse the log files, and filter the results based on the search URL.
$WebAppURL="your_sharepoint_site"
- This section sets the default value for the $WebAppURL parameter, representing the SharePoint web application URL.
Search-IISLogs $WebAppURL "/_layouts/15/webdeleted.aspx"
- Finally, this line calls the Search-IISLogs function with the specified parameters. It searches for occurrences of “/_layouts/15/webdeleted.aspx” in the IIS logs of the specified SharePoint web application and displays the results.
The script essentially provides a mechanism to search IIS logs for a specific URL related to site deletions in a SharePoint web application and presents the findings in a readable format.
If the site collection is deleted from the central Admin, change the last two lines of the above script:
#Call the function to search deleted sites from Central Admin
$CentralAdminURL = Get-SPWebApplication -IncludeCentralAdministration | Where {$_.IsAdministrationWebApplication} | Select -ExpandProperty URL
Search-IISLogs $CentralAdminURL "/_admin/delsite.aspx"
Conclusions
Ensuring the security and integrity of SharePoint Online data is paramount, and being able to identify who deleted a site is crucial for effective administration.
This guide has outlined two methods to achieve this: first, through the SharePoint Admin Center, where administrators can access a detailed history of deleted sites, including information on who initiated the deletion.
Second, by leveraging the power of PowerShell, administrators can programmatically retrieve this information using the Get-SPODeletedSite
cmdlet, offering a scalable and efficient solution.
Whether through the user-friendly interface of the SharePoint Admin Center or the script-driven capabilities of PowerShell, administrators have versatile tools at their disposal to track and trace site deletions, ensuring a secure and accountable SharePoint Online environment.
0 Comments