Users Being Removed from Teams

Recently, a user asked if I knew why a few user accounts were being removed from a Teams team. I cracked open Purview and fired off an audit search to see what I could find.

Example of the search inputs:
Keyword Search: GUID of the Teams team (you can get this from the Teams admin center or by selecting the three dots to the right of the team name and selecting get link to team, the link has a groupId= value, which is the GUID)
Activities – friendly names: Added members, Removed members
Start: ~90 days back
End: end of today
Search name: something that makes you happy

Start the search and come back after a coffee break. With the search results open, you can see what took place and what process removed the user from the Team.

  1. This is the answer to the original question. It appears a Service Principal removed the account from an AD group. Clicking on the row reveals exactly what process performed the action. In my case, this is an Azure Runbook that cleans up teams permissions.

  2. Microsoft Teams Sync is the workhorse that handles syncing membership to or from the Active Directory (Entra) group associated with the team.

How to Audit Power Platform and SharePoint

This post will be an ongoing adventure into using Microsoft Purview to audit, track, review, and learn about updates to objects within the Power Platform. My adventure into this tool was prompted by my in-house security teams asking if I could help identify if a specific SharePoint list had been viewed and who viewed it. In SharePoint on-prem, this sort of info could be mined in a site, but with SharePoint Online, the auditing is offloaded to Purview.

To kick things off, I will run a report to see who has accessed my SharePoint Dev site this week. From the audit page, you can set a date range for your search and select activities like deleting a file or adding someone to a group; for the file, folder, or site box, you enter the site you want to target. Last but not least is the user’s box; this one is self-explanatory.

Search results are ready for viewing:

The results show that a user created a list item and then viewed the list a few times.


The audit logs are held for ~90 days; outside variables can impact this. Here is a warning if you try to search for items older than 90 days:

Audit log retention policies might impact search results. Activities that happened over 90 days ago will only show up in results for users who have licensing for long-term audit log retention.

That’s it for now; as you can see, this tool can be extremely valuable, especially when dealing with audits or if data magically goes missing.

Future updates to this article will show how to track changes to SharePoint lists, dataverse objects, Power BI, Power Automate (Flow), and more!

URL to access the compliance center / Purview: https://compliance.microsoft.com/auditlogsearch

Here is a new post showing how to search a single library in SharePoint:
https://www.sharepointed.com/2024/03/sharepoint-audit-using-purview/