They Thought They Covered Their Tracks: Investigating Deleted Teams Recordings

What happens when someone deletes a Teams meeting recording and then claims something like “oh, it was never recorded,” “well, someone accidentally deleted it, but we don’t know who,” or “we think Karen hit the delete key by accident”? This is a great example of where the magic of Purview comes in real handy.

There are a couple of essential things to note here. In my example, I created the Teams meeting, and the recording was stored in my OneDrive. If the meeting was created within a Teams-team, the recording will be stored in the associated SharePoint site. In both cases, Purview can be used to track activities; you need to be mindful of the path of the recording.

My OneDrive location:

Teams location:

A personal OneDrive is a SharePoint site; given this, you need the SharePoint path for the Purview audit search. Example path used for the search:
https://taco-my.sharepoint.com/personal/ian_hayse_taco_com/Documents/Recordings/*

How to run the Purview audit search:
Date and time range: Enter a wide range here, keeping in mind that the search uses UTC, not your local time zone.
ObjectId (file, folder, or site): The path as noted above.
Activities: Select Recycled file to narrow the results (optional).
Search name: Enter something meaningful to your search.

Click the search button and wait a few minutes for the request to process. If no results are returned, try broadening the path used in the search, e.g., https://taco-my.sharepoint.com/personal/ian_hayse_taco_com/*

Search results

And, now, the fun part. Here we can see who deleted the file and when. Selecting the row will return more detailed information about the activity.
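If the results are exported to CSV, the same "who and when" answer can be pulled out in bulk. The script below is an added example, not part of the original post. It assumes the export has an `AuditData` column holding each event's JSON detail with `Operation`, `ObjectId`, `CreationTime`, `UserId` and `ClientIP` fields, and that `FileRecycled` is the operation name behind "Recycled file"; the function names and sample rows are constructed for illustration.

```python
import csv, io, json
from datetime import datetime, timedelta, timezone

# Path from the article; everything else in the sample below is constructed.
RECORDINGS = "https://taco-my.sharepoint.com/personal/ian_hayse_taco_com/Documents/Recordings/"

def recycled_under(csv_text, path_prefix, local_tz):
    """Return (local time, user, client IP, file URL) per FileRecycled event under path_prefix."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event = json.loads(row["AuditData"])  # per-event detail is JSON in one column
        if event.get("Operation") != "FileRecycled":
            continue
        # SharePoint URLs are case-insensitive, so compare lowercased.
        if not event.get("ObjectId", "").lower().startswith(path_prefix.lower()):
            continue
        # CreationTime is UTC with no offset suffix; attach UTC, then convert.
        utc = datetime.fromisoformat(event["CreationTime"]).replace(tzinfo=timezone.utc)
        hits.append((utc.astimezone(local_tz), event.get("UserId"),
                     event.get("ClientIP"), event["ObjectId"]))
    return sorted(hits, key=lambda h: h[0])

def build_sample_export():
    """Constructed rows (not real data) in the assumed export layout."""
    events = [
        ("2024-05-14T02:17:45", "FileRecycled", "user.a@taco.com", "203.0.113.10",
         RECORDINGS + "Budget Review-20240513_211500-Meeting Recording.mp4"),
        ("2024-05-14T02:20:03", "FileUploaded", "user.a@taco.com", "203.0.113.10",
         RECORDINGS + "notes.docx"),
        ("2024-05-14T15:02:11", "FileRecycled", "user.b@taco.com", "198.51.100.7",
         RECORDINGS.replace("/Documents/", "/documents/") + "Standup.mp4"),
        ("2024-05-15T09:30:00", "FileRecycled", "user.b@taco.com", "198.51.100.7",
         RECORDINGS.replace("/Recordings/", "/Drafts/") + "old.txt"),
    ]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["CreationDate", "UserId", "Operation", "AuditData"])
    writer.writeheader()
    for when, op, user, ip, url in events:
        detail = {"CreationTime": when, "Operation": op, "UserId": user,
                  "ClientIP": ip, "ObjectId": url}
        writer.writerow({"CreationDate": when, "UserId": user, "Operation": op,
                         "AuditData": json.dumps(detail)})
    return buf.getvalue()

if __name__ == "__main__":
    for when, user, ip, url in recycled_under(build_sample_export(), RECORDINGS,
                                              timezone(timedelta(hours=-5))):
        print(when.isoformat(), user, ip, url)
```

In the constructed sample, the first deletion is logged on 14 May in UTC but happened on the evening of 13 May at UTC-5, which is why the search range needs to be wider than the local date of the incident.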



If your company has a document retention policy in place, the deleted content will be sitting in the OneDrive preservation hold library. The preservation hold is a secondary storage location for deleted content, similar to a recycle bin, but with more functionality.
Path: https://taco-my.sharepoint.com/personal/ian_hayse_taco_com/PreservationHoldLibrary/

That’s it. Using Purview, you can audit almost every activity a user takes on content in OneDrive, SharePoint, Teams, Power BI, Power Platform, Office Online, and even Purview itself.

Users Being Removed from Teams

Recently, a user asked if I knew why a few user accounts were being removed from a Teams team. I cracked open Purview and fired off an audit search to see what I could find.

Example of the search inputs:
Keyword Search: GUID of the Teams team (you can get this from the Teams admin center, or by selecting the three dots to the right of the team name and selecting Get link to team; the link has a groupId= value, which is the GUID)
Activities – friendly names: Added members, Removed members
Start: ~90 days back
End: end of today
Search name: something that makes you happy

Start the search and come back after a coffee break. With the search results open, you can see what took place and what process removed the user from the Team.

  1. This is the answer to the original question. It appears a Service Principal removed the account from an AD group. Clicking on the row reveals exactly what process performed the action. In my case, this is an Azure Runbook that cleans up Teams permissions.

  2. Microsoft Teams Sync is the workhorse that handles syncing membership to or from the Active Directory (Entra) group associated with the team.