This article explains why a deleted connection in an Auth0 tenant may not appear in logs tied to a specific user. When a Microsoft Active Directory (AD) or other connection is deleted, the action may have been performed using the Management API with a Machine-to-Machine (M2M) token. Actions performed with these tokens are not associated with an individual user account, which prevents the system from identifying the exact person responsible for the deletion.

• Auth0 Dashboard and Management API
• Database / Social connections

Tenant configuration changes, such as deleting or patching a connection, can be executed via the Management API using M2M tokens. Because these tokens are not user-specific, the associated logs record the action type and technical details (e.g., IP address, user agent) but do not contain the information about the actual individual who initiated the change.

To investigate a deleted connection when user-specific logs are not available:

1. Navigate to Dashboard > Monitoring > Logs.

2. Enter the following query in the search field to find all System API (SAPI) logs:

   type:sapi
   

3. Compare the IP address and user agent from the logs with internal deployment or automation tools to determine if the change aligns with a known process.