When you run a sharing report in the SharePoint admin center, you may see entries labeled as “Unknown User” instead of a person’s name or email address. This happens because the user account that performed the sharing action no longer exists in your Microsoft 365 tenant. The user could have been deleted from Azure Active Directory or their license could have been removed. This article explains why the report shows unknown users and how to identify the original user behind those entries.
Key Takeaways: Fixing Unknown Users in SharePoint Sharing Reports
- Azure AD deleted users audit log: Use the Microsoft 365 compliance portal to find the original user principal name (UPN) of the deleted user who triggered the sharing event.
- SharePoint audit log search: Filter by the date of the unknown sharing event and the site URL to narrow down the exact operation and the target user.
- Restore the deleted user: If you need to see the user’s full sharing history, restore the user from Azure AD deleted users within 30 days of deletion.
Why SharePoint Sharing Reports Show Unknown Users
SharePoint stores sharing events with the unique identifier of the user who performed the action, not the user’s display name or email. When a user is deleted from Azure Active Directory, the identifier remains in the audit logs but the user object that maps that identifier to a name is gone. The sharing report then displays “Unknown User” because it cannot resolve the identifier to a known account.
This situation also occurs if a user’s license is removed and the account is disabled but not fully deleted. However, the most common cause is permanent deletion from Azure AD. The audit log retains the event data, but the user lookup fails. The sharing report is not broken; it is showing accurate information based on the available data.
Steps to Identify the Original User Behind Unknown Sharing Events
- Open the Microsoft 365 compliance portal
  Go to https://compliance.microsoft.com and sign in with a global admin or compliance admin account. In the left navigation, select Audit under the Solutions section.
- Search the audit log for deleted user activity
  Set the date range to include the time when the unknown sharing event occurred. In the Activities list, select Deleted user and click Search. Look for the event that matches the approximate time of the sharing report. The audit entry will show the user principal name (UPN) of the deleted user.
- Filter the audit log for the specific sharing event
  Clear the Activities filter and select Shared file, folder, or site or Shared file, folder, or site with external user. Enter the site URL in the search box if you know it. Find the event that shows the target user or group that was shared with. The User column in the results will show the deleted user’s UPN if the event is still within the 30-day retention window.
- Use PowerShell to extract the deleted user details
  Open the Exchange Online PowerShell module. Run the command `Get-Mailbox -SoftDeletedMailbox | Format-List Name, WindowsEmailAddress, Identity` to list all soft-deleted mailboxes. If the user’s mailbox is still in this list, you can see the original email address. For non-mailbox users, use `Get-AzureADDeletedUser -ObjectId` after obtaining the ObjectId from the audit log.
- Restore the deleted user if necessary
  If you need to view the user’s full sharing history or re-enable their access, restore the user from Azure AD. Go to Azure Active Directory admin center > Users > Deleted users. Select the user and click Restore user. This action restores the user object and the sharing report will show the user’s name again.
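The two audit searches in the steps above can be joined in one pass, so each sharing event is flagged when its actor was later deleted. This is an added example, not code from the original article. `Resolve-SharingActor` is a hypothetical helper, the records are constructed, and the operation names (`Delete user.`, `SharingSet`, `SharingInvitationCreated`) and `AuditData` fields used are assumptions about how the portal activities appear in `Search-UnifiedAuditLog` output.

```powershell
# Added example. $records is constructed sample data in the shape that
# Search-UnifiedAuditLog returns (CreationDate, Operations, AuditData as JSON).
# Live source (Exchange Online PowerShell), covering the two audit searches:
#   $records = Search-UnifiedAuditLog -StartDate $from -EndDate $to -ResultSize 5000 `
#       -Operations 'Delete user.', 'SharingSet', 'SharingInvitationCreated'
$records = @(
    [pscustomobject]@{ CreationDate = [datetime]'2024-03-02T09:15:00Z'; Operations = 'SharingSet'
        AuditData = '{"UserId":"alice@contoso.example","ObjectId":"https://contoso.example/sites/finance/q1.xlsx","TargetUserOrGroupName":"partner@fabrikam.example"}' }
    [pscustomobject]@{ CreationDate = [datetime]'2024-03-05T14:40:00Z'; Operations = 'SharingSet'
        AuditData = '{"UserId":"bob@contoso.example","ObjectId":"https://contoso.example/sites/hr/plan.docx","TargetUserOrGroupName":"Everyone"}' }
    [pscustomobject]@{ CreationDate = [datetime]'2024-03-10T08:00:00Z'; Operations = 'Delete user.'
        AuditData = '{"UserId":"admin@contoso.example","ObjectId":"alice@contoso.example"}' }
)

function Resolve-SharingActor {
    param([Parameter(Mandatory)] [object[]] $AuditRecord)

    # Index deletion events by the UPN of the account that was deleted.
    # Assumption: for directory events, AuditData.ObjectId holds the target UPN.
    $deleted = @{}   # PowerShell hashtables compare string keys case-insensitively
    foreach ($r in $AuditRecord | Where-Object Operations -eq 'Delete user.') {
        $d = $r.AuditData | ConvertFrom-Json
        if ($d.ObjectId) { $deleted[[string]$d.ObjectId] = $r.CreationDate }
    }

    # Emit one row per sharing event, annotated with the actor's deletion status.
    foreach ($r in $AuditRecord | Where-Object Operations -ne 'Delete user.') {
        $d   = $r.AuditData | ConvertFrom-Json
        $upn = [string]$d.UserId
        [pscustomobject]@{
            SharedAt       = $r.CreationDate
            Operation      = $r.Operations
            Actor          = $upn
            SharedWith     = $d.TargetUserOrGroupName
            Item           = $d.ObjectId
            ActorDeleted   = $deleted.ContainsKey($upn)
            ActorDeletedAt = $deleted[$upn]   # $null when no deletion event is in range
        }
    }
}

# Sharing events whose actor no longer exists: the "Unknown User" candidates.
Resolve-SharingActor -AuditRecord $records | Where-Object ActorDeleted |
    Format-Table SharedAt, Actor, SharedWith, Item, ActorDeletedAt -AutoSize
```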
If the Sharing Report Still Shows Unknown Users After the Main Fix
“I restored the user but the report still shows Unknown User”
The sharing report is a snapshot of past events. Restoring a user does not retroactively update the report. The report will show the correct name for future events only. To see the original user for past events, you must use the audit log search as described in the steps above.
“The audit log does not contain the deleted user event”
Audit log retention depends on your Microsoft 365 license. E3 and E5 subscriptions retain audit logs for 90 days. If the user was deleted more than 90 days ago, the event is not available. In that case, the only way to identify the user is through external records such as IT help desk tickets or previous SharePoint site permission reports.
“The sharing event shows Unknown User but the user was not deleted”
This can happen if the user’s account was converted from a cloud-only account to a synced account from on-premises Active Directory. The user object ID changes during the conversion, causing the old events to become orphaned. The fix is to ensure that user account conversions are planned and that the audit logs are cleared or migrated properly.
| Item | Deleted User | Disabled User | Converted User |
|---|---|---|---|
| Cause | User removed from Azure AD | License removed or account blocked | Object ID changed during sync conversion |
| Report shows | Unknown User | Unknown User after 30 days | Unknown User for past events |
| Audit log resolution | Search by Deleted user activity | Search by User sign-in activity | No direct resolution |
| Permanent fix | Restore user within 30 days | Re-enable account or reassign license | Plan conversions and re-create sharing events |
You can now identify any user behind an unknown sharing event in SharePoint by using the audit log in the Microsoft 365 compliance portal. For future events, consider enabling Azure AD user deletion notifications to track when a user is removed. As an advanced tip, set up a PowerShell script that runs weekly to export all deleted users with their ObjectIds and store them in a secure location for later audit reference.
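A sketch of the weekly export suggested above, as an added example that is not part of the original article. It uses the Microsoft Graph PowerShell cmdlet `Get-MgDirectoryDeletedItemAsUser` (shown in a comment) rather than the AzureAD module named in the steps. `Merge-DeletedUserInventory`, the archive path and the sample snapshot are hypothetical.

```powershell
# Added example: cumulative inventory of soft-deleted users, keyed by ObjectId.
# Live source (Microsoft Graph PowerShell, after Connect-MgGraph -Scopes 'User.Read.All'):
#   $snapshot = @(Get-MgDirectoryDeletedItemAsUser -All)
# Constructed snapshot so the example runs without a tenant:
$snapshot = @(
    [pscustomobject]@{ Id = '11111111-1111-1111-1111-111111111111'; UserPrincipalName = 'alice@contoso.example'
        DisplayName = 'Alice Example'; DeletedDateTime = [datetime]'2024-03-10T08:00:00Z' }
    [pscustomobject]@{ Id = '22222222-2222-2222-2222-222222222222'; UserPrincipalName = 'carol@contoso.example'
        DisplayName = 'Carol Example'; DeletedDateTime = [datetime]'2024-03-12T16:30:00Z' }
)

function Merge-DeletedUserInventory {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Snapshot,
        [Parameter(Mandatory)] [string] $Path
    )
    # Load what earlier runs recorded. Deleted users leave the directory after
    # 30 days, so the file is merged into, never overwritten with the snapshot.
    $known = @{}
    if (Test-Path -LiteralPath $Path) {
        Import-Csv -LiteralPath $Path | ForEach-Object { $known[$_.ObjectId] = $_ }
    }
    $added = 0
    foreach ($u in $Snapshot) {
        if ($known.ContainsKey([string]$u.Id)) { continue }   # already archived
        $known[[string]$u.Id] = [pscustomobject]@{
            ObjectId          = [string]$u.Id
            UserPrincipalName = $u.UserPrincipalName
            DisplayName       = $u.DisplayName
            DeletedDateTime   = ([datetime]$u.DeletedDateTime).ToUniversalTime().ToString('o')
            FirstSeen         = (Get-Date).ToUniversalTime().ToString('o')
        }
        $added++
    }
    $known.Values | Sort-Object ObjectId |
        Export-Csv -LiteralPath $Path -NoTypeInformation -Encoding UTF8
    $added   # number of users archived for the first time in this run
}

# Hypothetical archive path; in production point it at an access-restricted location.
$archive = Join-Path $env:TEMP 'deleted-users.csv'
'{0} new deleted user(s) archived' -f (Merge-DeletedUserInventory -Snapshot $snapshot -Path $archive)
```

Running it a second time against the same snapshot archives nothing new, which is the behaviour a weekly scheduled task needs.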