To identify why a user was removed from a dynamic security group, you must monitor both membership changes and changes to the group's definition.

1. Updated group: Dynamic groups use membership rules. If an administrator or process modifies the group's dynamic membership rule (the query), users who no longer meet the criteria are automatically removed. This activity captures changes to the group object properties, including rule updates.
2. Removed member from group: Although dynamic groups are automated, the audit log records the resulting "Remove member" event when the system processes the rule change or when a user's attributes change such that they no longer satisfy the dynamic rule.

Other options like "Deleted group" or "Deleted user" are incorrect as the scenario specifies the group still exists and the user is merely no longer a member.

Microsoft Purview Documentation: "Audit log activities - Azure AD group administration activities." This section details that Updated group tracks modifications to group properties, including dynamic membership rules.

Microsoft Entra ID (Azure AD) Documentation: "Dynamic membership rules for groups." Explains that users are added or removed based on whether they meet rule criteria; these system-driven removals are logged under membership activity.

Microsoft Learn: "Search the audit log in the Microsoft Purview compliance portal." Specifically the "Group administration activities" category which lists Removed member from group as the primary event for tracking member departures.

Microsoft 365 Security & Compliance: "Auditing in Microsoft 365." Confirms that both manual and system-automated changes to directory objects (like dynamic groups) trigger specific audit events.