What is SharePoint file deletion auditing? SharePoint file deletion auditing tracks when files are removed and identifies the account responsible. This capability is essential for security investigations, compliance requirements, and protecting sensitive data from unauthorized deletion.
Deletion of a file from your SharePoint site by an authorized user or by an attacker using a compromised account can result in the loss of sensitive data. It is therefore essential to be able to monitor the deletion of files and have the ability to identify the name of the account that was used. Using this information, administrators can determine whether the deletion was legitimate, accidental, or performed through a compromised user account. Once investigated, an appropriate response can be taken. For example, it may be necessary to limit the user’s access to sensitive data stored on SharePoint or put an immediate stop to any suspicious activity.
In this guide, we will look at two methods for detecting who deleted a file on your SharePoint: using the native method and a more straightforward approach using the Lepide Auditor for SharePoint.
Note: The native auditing approach differs significantly between SharePoint Online and SharePoint Server. SharePoint Online uses Microsoft Purview’s centralized audit log, while SharePoint Server requires enabling auditing at the site collection level.
Using the Native Method
Check File Deletion on SharePoint Online
Audit Log Retention: Microsoft Purview Audit (Standard) retains audit records for 180 days for most Microsoft 365 enterprise subscriptions. Microsoft Purview Audit (Premium), available with eligible Microsoft 365 E5 licenses or add-ons, provides longer retention periods and additional auditing capabilities.
Please follow below steps:
- Navigate to the Microsoft Purview compliance portal at https://compliance.microsoft.com/
- In the left navigation, go to Solutions > Audit
- On the Audit page, apply filters as required (date range, activities, users)
- Click Search to generate the query
- Click a search result to view the matching audit events.
- Add further filters as needed and optionally export the search results as a CSV file for further analysis..
Here is an example of a generated query:
Note: File deletion events are recorded only after Microsoft Purview auditing is enabled for your tenant (enabled by default in most modern Microsoft 365 tenants).
Check File Deletion on SharePoint Server
Audit Log Retention: SharePoint Server retention depends on administrator configuration. The default is zero days, meaning logs are deleted at month-end unless a retention period is specified.
Please follow below steps:
- Navigate to Site Settings > Site Collection Administration > Site collection features
- Locate Reporting and click Activate
- Navigate to Site Settings > Site Collection Administration > Site collection audit settings
- Under Documents and Items, enable Deleting or restoring items, then click OK.
- Navigate to Site Settings > Site Collection Administration
- Go to Audit log reports, select Deletions
- Open the generated report in MS Excel

How Lepide Auditor Helps
A more straightforward way to report on deleted files on SharePoint is to use the Lepide Auditor for SharePoint. Here you can run the Document Deleted report to see all documents which have been deleted over a specified time period.
Here is an example of the Document Deleted Report:
The report includes information about the File Name, Location, Who deleted it, When it was deleted, What was deleted and from Where.
To run the report:
- From the States & Behavior screen, select SharePoint Online Modification Reports, Document Deleted
- Specify a date range and click Generate Report
- The report can be grouped, sorted, filtered, exported, and saved
Here is an example of the Document Deleted Report for SharePoint On Premise/Server:
The report includes information about the Document Name, Document Location, Who deleted it, When it was deleted, What was deleted and from Where.
To run the report:
- From the States & Behavior screen, select Document Reports, Document Deleted
- Specify a date range and click Generate Report
- The report can be grouped, sorted, filtered, exported, and saved
Comparison: Native Method vs. Lepide Auditor
Frequently Asked Questions
For SharePoint Online, audit log retention depends on the Microsoft Purview Audit licensing level. Audit (Standard) provides 180-day retention for most organizations, while Audit (Premium) supports extended retention and advanced auditing capabilities. For SharePoint Server, retention depends on administrator configuration; the default is zero days, meaning logs are deleted at month-end unless otherwise specified.
Yes, deleted files can typically be recovered from the SharePoint Recycle Bin within 93 days of deletion. Site collection administrators can also restore items from the second-stage Recycle Bin if users have emptied their personal Recycle Bin.
Yes, for SharePoint Online, you need the View-Only Audit Logs or Audit Logs role in Microsoft Purview. For SharePoint Server, you must be a site collection administrator to access audit log reports.