How to use PowerShell Search-MailboxAuditLog to search the mailbox audit log and find out who moved or deleted emails in an Office 365 shared mailbox.
Copy the PowerShell script for searching mailbox audit logs from Microsoft
Save the script to C:\Temp\Run-MailboxAuditLogSearcher.ps1
# Run-MailboxAuditLogSearcher.ps1
param (
    [Parameter(Mandatory=$true, ValueFromPipeline=$false)]
    [string]$Mailbox,
    [Parameter(Mandatory=$true, ValueFromPipeline=$false)]
    [string]$StartDate,
    [Parameter(Mandatory=$true, ValueFromPipeline=$false)]
    [string]$EndDate,
    [Parameter(Mandatory=$false, ValueFromPipeline=$false)]
    [string]$Subject,
    [Parameter(Mandatory=$false, ValueFromPipeline=$false)]
    [switch]$IncludeFolderBind,
    [Parameter(Mandatory=$false, ValueFromPipeline=$false)]
    [switch]$ReturnObject
)
BEGIN {
    # Audit log properties to keep in the output
    [string[]]$LogParameters = @('Operation', 'LogonUserDisplayName', 'LastAccessed', 'DestFolderPathName', 'FolderPathName', 'ClientInfoString', 'ClientIPAddress', 'ClientMachineName', 'ClientProcessName', 'ClientVersion', 'LogonType', 'MailboxResolvedOwnerName', 'OperationResult')
}
PROCESS {
    Write-Host -Fore Green 'Searching Mailbox Audit Logs...'
    $SearchResults = @(Search-MailboxAuditLog $Mailbox -StartDate $StartDate -EndDate $EndDate -LogonTypes Owner, Admin, Delegate -ShowDetails -ResultSize 50000)
    # Double quotes are required here so that $(...) is expanded
    Write-Host -Fore Green "$($SearchResults.Count) Total entries Found"
    if (-not $IncludeFolderBind)
    {
        # FolderBind (folder access) entries are noise when looking for moves and deletes
        Write-Host -Fore Green 'Removing FolderBind operations.'
        $SearchResults = @($SearchResults | ? {$_.Operation -notlike 'FolderBind'})
        Write-Host -Fore Green "Filtered to $($SearchResults.Count) Entries"
    }
    # Add a Subject column (from ItemSubject or the first source item) and a CrossMailboxOp column
    $SearchResults = @($SearchResults | select ($LogParameters + @{Name='Subject';e={if (($_.SourceItems.Count -eq 0) -or ($_.SourceItems.Count -eq $null)){$_.ItemSubject} else {($_.SourceItems[0].SourceItemSubject).TrimStart(' ')}}},
        @{Name='CrossMailboxOp';e={if (@('SendAs','Create','Update') -contains $_.Operation) {'N/A'} else {$_.CrossMailboxOperation}}}))
    $LogParameters = @('Subject') + $LogParameters + @('CrossMailboxOp')
    if ($Subject -ne '' -and $Subject -ne $null)
    {
        Write-Host -Fore Green "Searching for Subject: $Subject"
        $SearchResults = @($SearchResults | ? {$_.Subject -match $Subject -or $_.Subject -eq $Subject})
        Write-Host -Fore Green "Filtered to $($SearchResults.Count) Entries"
    }
    $SearchResults = @($SearchResults | select $LogParameters)
}
END {
    if ($ReturnObject)
    {
        return $SearchResults
    }
    elseif ($SearchResults.Count -gt 0)
    {
        # Write the results to a timestamped CSV file in the current directory
        $Date = Get-Date -Format yyMMdd_HHmmss
        $OutFileName = "AuditLogResults$Date.csv"
        Write-Host
        Write-Host -Fore Green "Posting results to file: $OutFileName"
        $SearchResults | Export-Csv $OutFileName -NoTypeInformation -Encoding UTF8
    }
}
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com
If you execute the Run-MailboxAuditLogSearcher.ps1 PowerShell script without any options, it will prompt you for the mailbox, start date and end date. The audit log search results will be exported to a CSV file.
You can also run Run-MailboxAuditLogSearcher.ps1 and specify the date, time and email subject - see some examples below.
Open the exported CSV file and filter by Operation "SoftDelete" to see the mailbox delegate who deleted the email messages.
.\Run-MailboxAuditLogSearcher.ps1 -Subject "Test email" -Mailbox "sharedmailbox@yourdomain.com" -StartDate "11/15/2022" -EndDate "11/23/2022"
To get the logs for today, you need to specify the end date as tomorrow.
The date format is mm/dd/yyyy and the time must be enclosed in quotes " "
.\Run-MailboxAuditLogSearcher.ps1 -Mailbox "sharedmailbox@yourdomain.com" -StartDate "03/16/2023 11:00 PM" -EndDate "03/17/2023 09:00 AM"
.\Run-MailboxAuditLogSearcher.ps1 -Mailbox "sharedmailbox@yourdomain.com" -StartDate "03/21/2023" -EndDate "03/22/2023"
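Instead of filtering the exported CSV by hand, the same triage can be scripted. The following is an added example, not part of the Microsoft script: Get-MoveDeleteActivity is a hypothetical helper, the sample rows are constructed, and besides SoftDelete it also keeps the HardDelete, Move and MoveToDeletedItems operations that mailbox auditing records.

```powershell
# Added example: summarise delete/move activity from the CSV written by
# Run-MailboxAuditLogSearcher.ps1. Get-MoveDeleteActivity is a hypothetical helper.
function Get-MoveDeleteActivity {
    param(
        [Parameter(Mandatory = $true)]
        [object[]]$Rows,
        # Mailbox audit operations for deleted or moved items
        [string[]]$Operations = @('SoftDelete', 'HardDelete', 'MoveToDeletedItems', 'Move')
    )
    $Rows |
        Where-Object { $Operations -contains $_.Operation } |
        Select-Object LastAccessed, Operation, LogonUserDisplayName, LogonType,
            Subject, FolderPathName, DestFolderPathName, ClientIPAddress
}

# Constructed sample rows using the column names the script exports.
# For a real run, replace this with Import-Csv on the exported AuditLogResults file.
$rows = @'
Subject,Operation,LogonUserDisplayName,LastAccessed,DestFolderPathName,FolderPathName,ClientIPAddress,LogonType
Test email,SoftDelete,Alex Delegate,2023-03-17 08:12:44,,\Inbox,203.0.113.10,Delegate
Test email,Update,Alex Delegate,2023-03-17 08:10:02,,\Inbox,203.0.113.10,Delegate
Invoice 1001,Move,Sam Delegate,2023-03-17 08:30:15,\Inbox\Archive,\Inbox,203.0.113.25,Delegate
Weekly report,MoveToDeletedItems,Sam Delegate,2023-03-17 08:41:09,\Deleted Items,\Inbox,203.0.113.25,Delegate
Weekly report,SendAs,Alex Delegate,2023-03-17 08:45:00,,,203.0.113.10,Delegate
'@ | ConvertFrom-Csv

$activity = @(Get-MoveDeleteActivity -Rows $rows)

# Detail: who did what to which message, and where it went
$activity | Format-Table LastAccessed, Operation, LogonUserDisplayName, Subject, DestFolderPathName -AutoSize

# Summary: number of delete/move operations per user and operation
$activity |
    Group-Object LogonUserDisplayName, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

With the sample rows, the Update and SendAs entries are dropped and three delete/move entries remain.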
Reference:
Mailbox audit logging in Exchange Server - Mailbox actions logged by mailbox audit logging
https://learn.microsoft.com/en-us/Exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging
Comments 2
Please note that as of January 2026, cmdlet Search-MailboxAuditLog has been fully deprecated. So this article is now deprecated.
We're struggling to get it working with the new cmdlets.
Any tips on logging on moved items?