O365Undo is a great script you can use to roll back actions of your user(s) in Office 365. Most likely, actions your user wasn’t aware of but were actually done by a CryptoLocker or by RansomWare. These nasty virusses can cause havoc on your mapped or synced Sharepoint Online or Onedrive for Business libraries in the form of file level encryption or file name obfuscation.

O365Undo requires that you have enabled the Unified Audit Log in Office 365.

If you have done so, O365Undo can reverse the following actions your user took in Onedrive, Sharepoint or an Office 365 Group up till a given date (max time back is when you enabled the Universal Audit Log):

  • FileCopy
  • FileRenamed
  • FileMoved
  • FileModified

How to use

  1. Install the Sharepoint Client Components
  2. Identify the login of the user you wish to target, e.g.: jos.haarbos@lieben.nu
  3. Identity the moment in time you want to go back to (your local time in MM-DD-YYYY HH:MM:SS format)
  4. Do not let the user Modify anything for 15-30 minutes (UA log sync time)
  5. Run the script: .\O365Undo.ps1 -affectedUserLogin jos.haarbos@lieben.nu -infectionDateTime “05-13-2016 00:00:00” -login “jos.haarbos@lieben.nu” -password “Welcome123”
  6. View the screen and/or log in %Appdata% for the results

What it won’t (yet) do:

  1. restore deleted files from the recycle bin
  2. check files back in when checked out
  3. delete new files
  4. rename / move folders


I’m not a real programmer, this code is meant as a Proof Of Concept. I do not guarantee this product will work in your setup, and I offer no dedicated support, I try to help everyone on a best-effort basis but also have to work for a living.

This tool is not actively maintained, make sure you test it before running in a production environment!


O365Undo_V0.5.ps1 (right click, save as)

Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Rikard Strand
7 years ago

Found this script today and wanted to give it a try (really smart use of the Audit log). 🙂 However when testing this on a Office 365 group (i.e. a user with changes on Office 365 groups) I got a lot of errors and tried to debug myself but didn’t manage to get it working. From the original script I get errors on both reverse_RenameOrCopy and restore_PreviousVersion function. Error: reverse_RenameOrCopy Join-Path : Cannot find drive. A drive with the name ‘siteszzz-testhttps’ does not exist. At C:tempO365Undo_v0.3.ps1:156 char:24 It seems like it’s trying to build a “wrong” URL somehow (notice siteszzz-testhttps)… Read more »

2 years ago

Hi, Thanks for the post. (I know its been a while since this was posted) I have found this script which i’m hoping to use to restore a Sharepoint library that has had 50k encrypted files uploaded, and 100k files renamed with a crypto extension.

I have a feeling that I am running into an issue with the pure volume of files needing to be adjusted, and was wondering if there was any way to break this down into smaller chunks / subfolders when running the script.



6 years ago

Hi Jos, it works like a charm but I have a problem with renamed files.
Rename or Copy of NewDocumentName.docx to OldDocumentName.docx failed, You cannot call a method on a null-valued expression.
Exception calling “ExecuteQuery” with “0” argument(s): “File Not Found.”

Ruth de Groot
Ruth de Groot
7 years ago

I noticed the same behaviour as Rikard even in version 0.4, the url gets messed up. It looks like the format of the url provided by the auditlog changed recently?
Join-Path : Cannot find drive. A drive with the name ‘personaltest2_imap_company_behttps’ does not exist.
At C:tempO365UndoO365Undo_v0.4.ps1:167 char:28
+ … $fileUrl = Join-Path -Path $fileUrl -ChildPath $newName
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (personaltest2_imap_company_behttps:String) [Join-Path], DriveNotFoundException
+ FullyQualifiedErrorId : DriveNotFound,Microsoft.PowerShell.Commands.JoinPathCommand

I tested the script on a onedrive of a user where I renamed some files for testing.

7 years ago

I get the following message:
C:tempO365Undo.ps1 : A parameter cannot be found that matches parameter name ‘affectedUserLogin’.At line:1 char:16
+ .O365Undo.ps1 -affectedUserLogin xxxxxx@xxxxx.com -infectionDateTi …
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [O365Undo.ps1], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,O365Undo.ps1

Any idea to solve the issue?

Marius Fjeld
Marius Fjeld
7 years ago

Fantastic! Thank you!

7 years ago

I get the error: There was a problem with the Unified Audit Log, The term ‘Search-UnifiedAuditLog’ is not recognized as the name of a cmdlet

How do I get around this?

Trond Skille
Trond Skille
7 years ago

Hi Jos,
Been trying to use this script today, but it fails:
First line:
Failed to connect to https://tenant.sharepoint.com/, Exception calling “ExecuteQuery” with “0” argument(s): “For security reasons DTD is prohibited in thi
s XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.”
Second line (and ongoing):
Rename or Copy of filename.xlsx.ulentl to filename.xlsx failed, Cannot bind argument to parameter ‘Path’ because it is null.

Do you have any clue? Using a licensed Global Administrator.

Best regards, Trond S.


[…] O365Undo […]

7 years ago

Hello Jos i want to know if you have a solution for undo a sharepoint site by audit like that ? Thank you

Microsoft 365, Azure, Automation & Code

Would love your thoughts, please comment.x