2 minutes reading time (488 words)

Office 365 - Find who moved or deleted emails in a shared mailbox using PowerShell Search-MailboxAuditLog

Tuesday, 18 April 2023

209 Hits

How to use PowerShell Search-MailboxAuditLog to search the mailbox audit log and find out who moved or deleted emails in an Office 365 shared mailbox.

Get mailbox audit log search PowerShell script

Copy the PowerShell script for searching mailbox audit logs from Microsoft
Save the script to C:\Temp\Run-MailboxAuditLogSearcher.ps1

How to use mailbox audit logs in Microsoft 365
https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/audit-logs/mailbox-audit-logs

# Run-MailboxAuditLogSearcher.ps1
param ([PARAMETER(Mandatory=$TRUE,ValueFromPipeline=$FALSE)]
[string]$Mailbox,
[PARAMETER(Mandatory=$TRUE,ValueFromPipeline=$FALSE)]
[string]$StartDate,
[PARAMETER(Mandatory=$TRUE,ValueFromPipeline=$FALSE)]
[string]$EndDate,
[PARAMETER(Mandatory=$FALSE,ValueFromPipeline=$FALSE)]
[string]$Subject,
[PARAMETER(Mandatory=$False,ValueFromPipeline=$FALSE)]
[switch]$IncludeFolderBind,
[PARAMETER(Mandatory=$False,ValueFromPipeline=$FALSE)]
[switch]$ReturnObject)
BEGIN {
  [string[]]$LogParameters = @('Operation', 'LogonUserDisplayName', 'LastAccessed', 'DestFolderPathName', 'FolderPathName', 'ClientInfoString', 'ClientIPAddress', 'ClientMachineName', 'ClientProcessName', 'ClientVersion', 'LogonType', 'MailboxResolvedOwnerName', 'OperationResult')
  }
  END {
    if ($ReturnObject)
    {return $SearchResults}
    elseif ($SearchResults.count -gt 0)
    {
    $Date = get-date -Format yyMMdd_HHmmss
    $OutFileName = "AuditLogResults$Date.csv"
    write-host
    write-host -fore green "Posting results to file: $OutfileName"
    $SearchResults | export-csv $OutFileName -notypeinformation -encoding UTF8
    }
    }
    PROCESS
    {
    write-host -fore green 'Searching Mailbox Audit Logs...'
    $SearchResults = @(search-mailboxAuditLog $Mailbox -StartDate $StartDate -EndDate $EndDate -LogonTypes Owner, Admin, Delegate -ShowDetails -resultsize 50000)
    write-host -fore green '$($SearchREsults.Count) Total entries Found'
    if (-not $IncludeFolderBind)
    {
    write-host -fore green 'Removing FolderBind operations.'
    $SearchResults = @($SearchResults | ? {$_.Operation -notlike 'FolderBind'})
    write-host -fore green 'Filtered to $($SearchREsults.Count) Entries'
    }
    $SearchResults = @($SearchResults | select ($LogParameters + @{Name='Subject';e={if (($_.SourceItems.Count -eq 0) -or ($_.SourceItems.Count -eq $null)){$_.ItemSubject} else {($_.SourceItems[0].SourceItemSubject).TrimStart(' ')}}},
    @{Name='CrossMailboxOp';e={if (@('SendAs','Create','Update') -contains $_.Operation) {'N/A'} else {$_.CrossMailboxOperation}}}))
    $LogParameters = @('Subject') + $LogParameters + @('CrossMailboxOp')
    If ($Subject -ne '' -and $Subject -ne $null)
    {
    write-host -fore green 'Searching for Subject: $Subject'
    $SearchResults = @($SearchResults | ? {$_.Subject -match $Subject -or $_.Subject -eq $Subject})
    write-host -fore green 'Filtered to $($SearchREsults.Count) Entries'
    }
    $SearchResults = @($SearchResults | select $LogParameters)
    }

Search mailbox audit log using PowerShell

Connect to Exchange online

Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com

Run the audit log search script

If you execute the Run-MailboxAuditLogSearcher.ps1 PowerShell script without any options, it will prompt you for the mailbox, start date and end date. The audit log search results will be exported to a CSV file.

You can also run Run-MailboxAuditLogSearcher.ps1 and specify the date, time and email subject - see some examples below.

The date format is mm/dd/yyyy

Audit log search CSV results

Open the exported CSV file and filter by Operation "SoftDelete" to see the mailbox delegate who deleted the email messages.

Example: Search audit log by email subject

To search for a string, just enter part of the subject. You don't need to use a wildcard.

.\Run-MailboxAuditLogSearcher.ps1 -Subject "Test email" -Mailbox "sharedmailbox@yourdomain.com" -StartDate "11/15/2022" -EndDate "11/23/2022"

Example: Search audit log by date and time

To get the logs for today, you need to specify the end date as tomorrow.
The date format is mm/dd/yyyy and the time must be enclosed in quotes " "

.\Run-MailboxAuditLogSearcher.ps1 -Mailbox "sharedmailbox@yourdomain.com" -StartDate "03/16/2023 11:00 PM" -EndDate "03/17/2023 09:00 AM"

.\Run-MailboxAuditLogSearcher.ps1 -Mailbox "sharedmailbox@yourdomain.com" -StartDate "03/21/2023" -EndDate "03/22/2023"

Reference:

Mailbox audit logging in Exchange Server - Mailbox actions logged by mailbox audit logging
https://learn.microsoft.com/en-us/Exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging
by Author

Tags:

Office 365 PowerShell

Comments

No comments made yet. Be the first to submit a comment

You can help support this website by buying me a coffee!

Office 365 - Find who moved or deleted emails in a shared mailbox using PowerShell Search-MailboxAuditLog

Get mailbox audit log search PowerShell script

Search mailbox audit log using PowerShell

Connect to Exchange online

Run the audit log search script

Audit log search CSV results

Example: Search audit log by email subject

Example: Search audit log by date and time

Related Posts

Download and share Teams live event recordings using Stream

Download Teams meeting recordings from Teams, OneDrive (SharePoint) and Stream

SOLVED: Office 365 - AD Synced user not showing in Exchange Hybrid on-premises

SOLVED: Remote Server returned '420 4.2.0 Recipient deferred because there is no Mdb'

Office 365 - Allow delegates to view private items in a shared mailbox using PowerShell

Comments