Office Protect Event - Account Deleted

This event warns of any account deletion from Azure Active Directory.


For security: deleting accounts is a very common action for vandal hackers who gain access to an organization.

For internal monitoring: account deletion is often a mistake.


Office Protect includes the name of the admin who deleted the account, in case an investigation is required.

Remediation

 

Note that if an account was deleted by mistake, it is possible to restore it through the Azure Portal within 30 days of the deletion. Using a global administrator account for the organization, select Azure Active Directory, select Users and then select Deleted users.


Users - Deleted users page, with users that can still be restored


If you deem the event suspicious, we recommend monitoring the activity around the Admin user who performed the action, such as this user's sign-ins, or the actions this user has performed in the Audit Logs.


You can find the sign-in audit logs in the Azure AD portal; other audits are logged in the Unified Audit Log, in the Security Center. Note that you will need a Global Administrator to investigate these cases.
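As an added example (not Office Protect or Microsoft code), the triage described above can be run over exported audit rows: it lists each deletion with the admin who performed it, whether the 30-day restore window is still open, and whether that admin deleted several accounts in a short burst. The field names (`CreationTime`, `Operation`, `UserId`, `ObjectId`), the `Delete user.` operation string, the burst thresholds and the sample rows are assumptions made for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

RESTORE_WINDOW = timedelta(days=30)   # restore period stated in the article
BURST_COUNT = 3                       # assumed threshold, tune per tenant
BURST_WINDOW = timedelta(minutes=10)  # assumed window, tune per tenant

# Constructed sample rows; field names are assumed to match the audit export.
SAMPLE_RECORDS = [
    '{"CreationTime":"2024-03-01T09:15:02","Operation":"Delete user.","UserId":"admin1@example.com","ObjectId":"alice@example.com"}',
    '{"CreationTime":"2024-03-20T02:01:10","Operation":"Delete user.","UserId":"admin2@example.com","ObjectId":"bob@example.com"}',
    '{"CreationTime":"2024-03-20T02:03:41","Operation":"Delete user.","UserId":"admin2@example.com","ObjectId":"carol@example.com"}',
    '{"CreationTime":"2024-03-20T02:05:07","Operation":"Delete user.","UserId":"admin2@example.com","ObjectId":"dave@example.com"}',
    '{"CreationTime":"2024-03-20T02:06:00","Operation":"Update user.","UserId":"admin2@example.com","ObjectId":"erin@example.com"}',
    'truncated row, not JSON',
]

def parse_deletions(lines):
    """Return sorted (time, admin, deleted_account) tuples for deletion records."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
            if rec["Operation"].rstrip(".").lower() != "delete user":
                continue
            events.append((datetime.fromisoformat(rec["CreationTime"]),
                           rec["UserId"], rec["ObjectId"]))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed or incomplete rows instead of aborting
    return sorted(events)

def burst_admins(events):
    """Map admin -> deletion count when BURST_COUNT deletions fit in BURST_WINDOW."""
    by_admin = defaultdict(list)
    for when, admin, _ in events:
        by_admin[admin].append(when)  # events are already time-sorted
    return {a: len(t) for a, t in by_admin.items()
            if any(t[i + BURST_COUNT - 1] - t[i] <= BURST_WINDOW
                   for i in range(len(t) - BURST_COUNT + 1))}

def report(lines, now):
    """One row per deletion: who deleted whom, still restorable, part of a burst."""
    events = parse_deletions(lines)
    flagged = burst_admins(events)
    return [{"deleted": target, "by": admin, "burst": admin in flagged,
             "restorable": now <= when + RESTORE_WINDOW}
            for when, admin, target in events]
```

Calling `report(SAMPLE_RECORDS, datetime(2024, 4, 5))` returns four rows: the single deletion by `admin1` is past its restore window, while the three deletions by `admin2` are still restorable and flagged as a burst.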


Microsoft Documentation on how to restore a deleted user: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-restore#:~:text=Sign%20in%20to%20the%20Azure,that%20are%20available%20to%20restore.