
Office 365 - Find who moved or deleted emails in a shared mailbox using PowerShell Search-MailboxAuditLog

How to use PowerShell Search-MailboxAuditLog to search the mailbox audit log and find out who moved or deleted emails in an Office 365 shared mailbox.

Get mailbox audit log search PowerShell script

Copy the PowerShell script for searching mailbox audit logs from Microsoft
Save the script to C:\Temp\Run-MailboxAuditLogSearcher.ps1

How to use mailbox audit logs in Microsoft 365
https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/audit-logs/mailbox-audit-logs
# Run-MailboxAuditLogSearcher.ps1
param (
    [PARAMETER(Mandatory=$TRUE,ValueFromPipeline=$FALSE)]
    [string]$Mailbox,
    [PARAMETER(Mandatory=$TRUE,ValueFromPipeline=$FALSE)]
    [string]$StartDate,
    [PARAMETER(Mandatory=$TRUE,ValueFromPipeline=$FALSE)]
    [string]$EndDate,
    [PARAMETER(Mandatory=$FALSE,ValueFromPipeline=$FALSE)]
    [string]$Subject,
    [PARAMETER(Mandatory=$False,ValueFromPipeline=$FALSE)]
    [switch]$IncludeFolderBind,
    [PARAMETER(Mandatory=$False,ValueFromPipeline=$FALSE)]
    [switch]$ReturnObject
)
BEGIN {
    # Audit log properties kept in the output
    [string[]]$LogParameters = @('Operation', 'LogonUserDisplayName', 'LastAccessed', 'DestFolderPathName', 'FolderPathName', 'ClientInfoString', 'ClientIPAddress', 'ClientMachineName', 'ClientProcessName', 'ClientVersion', 'LogonType', 'MailboxResolvedOwnerName', 'OperationResult')
}
END {
    # Return the objects to the caller, or export them to a timestamped CSV file
    if ($ReturnObject) {
        return $SearchResults
    }
    elseif ($SearchResults.count -gt 0) {
        $Date = get-date -Format yyMMdd_HHmmss
        $OutFileName = "AuditLogResults$Date.csv"
        write-host
        write-host -fore green "Posting results to file: $OutFileName"
        $SearchResults | export-csv $OutFileName -notypeinformation -encoding UTF8
    }
}
PROCESS {
    write-host -fore green 'Searching Mailbox Audit Logs...'
    # Search owner, admin and delegate actions in the date range
    $SearchResults = @(search-mailboxAuditLog $Mailbox -StartDate $StartDate -EndDate $EndDate -LogonTypes Owner, Admin, Delegate -ShowDetails -resultsize 50000)
    # Double quotes are required so that $(...) is expanded in the message
    write-host -fore green "$($SearchResults.Count) Total entries Found"
    if (-not $IncludeFolderBind) {
        write-host -fore green 'Removing FolderBind operations.'
        $SearchResults = @($SearchResults | ? {$_.Operation -notlike 'FolderBind'})
        write-host -fore green "Filtered to $($SearchResults.Count) Entries"
    }
    # Add a Subject column (taken from the first source item when there is one) and a CrossMailboxOp column
    $SearchResults = @($SearchResults | select ($LogParameters + @{Name='Subject';e={if (($_.SourceItems.Count -eq 0) -or ($_.SourceItems.Count -eq $null)){$_.ItemSubject} else {($_.SourceItems[0].SourceItemSubject).TrimStart(' ')}}},
    @{Name='CrossMailboxOp';e={if (@('SendAs','Create','Update') -contains $_.Operation) {'N/A'} else {$_.CrossMailboxOperation}}}))
    $LogParameters = @('Subject') + $LogParameters + @('CrossMailboxOp')
    If ($Subject -ne '' -and $Subject -ne $null) {
        write-host -fore green "Searching for Subject: $Subject"
        # -match treats $Subject as a regular expression; -eq also accepts an exact match
        $SearchResults = @($SearchResults | ? {$_.Subject -match $Subject -or $_.Subject -eq $Subject})
        write-host -fore green "Filtered to $($SearchResults.Count) Entries"
    }
    $SearchResults = @($SearchResults | select $LogParameters)
}

Search mailbox audit log using PowerShell

Connect to Exchange Online

Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com 

Run the audit log search script

If you execute the Run-MailboxAuditLogSearcher.ps1 PowerShell script without any options, it will prompt you for the mailbox, start date and end date. The audit log search results will be exported to a CSV file.

You can also run Run-MailboxAuditLogSearcher.ps1 and specify the date, time and email subject - see some examples below.

Audit log search CSV results

Open the exported CSV file and filter by Operation "SoftDelete" to see the mailbox delegate who deleted the email messages.
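
To get the same answer without filtering the CSV by hand, the following added example (not part of the original post or of Microsoft's script) summarises delete and move operations per user from the exported rows. The function name Get-MailboxRemovalSummary and the sample rows are made up for illustration; the operation names other than SoftDelete come from Microsoft's list of mailbox audit actions, not from this post.

```powershell
# Added example: summarise who deleted or moved items, using rows produced by
# Run-MailboxAuditLogSearcher.ps1. Function name and sample rows are hypothetical.
function Get-MailboxRemovalSummary {
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object[]]$AuditRow,
        # Audit actions that remove an item from its folder
        [string[]]$Operation = @('SoftDelete', 'HardDelete', 'MoveToDeletedItems', 'Move')
    )
    begin { $rows = [System.Collections.Generic.List[object]]::new() }
    process {
        foreach ($r in $AuditRow) {
            if ($Operation -contains $r.Operation) { $rows.Add($r) }
        }
    }
    end {
        $rows | Group-Object LogonUserDisplayName, Operation | ForEach-Object {
            # CSV values are strings; -as parses them (invariant culture) or yields $null
            $times = @($_.Group | ForEach-Object { $_.LastAccessed -as [datetime] } | Sort-Object)
            [pscustomobject]@{
                User      = $_.Group[0].LogonUserDisplayName
                Operation = $_.Group[0].Operation
                Count     = $_.Count
                First     = $times[0]
                Last      = $times[-1]
                ClientIPs = ($_.Group.ClientIPAddress | Sort-Object -Unique) -join '; '
                Subjects  = ($_.Group.Subject | Sort-Object -Unique) -join '; '
            }
        } | Sort-Object User, Operation
    }
}

# Constructed sample rows (not real audit data), using column names from the CSV export
$sample = @'
Subject,Operation,LogonUserDisplayName,LastAccessed,FolderPathName,DestFolderPathName,LogonType,ClientIPAddress
Test email,SoftDelete,Alex Delegate,2023-03-16T23:05:00,\Inbox,,Delegate,192.0.2.10
Invoice 1001,SoftDelete,Alex Delegate,2023-03-16T23:07:30,\Inbox,,Delegate,192.0.2.10
Invoice 1002,Move,Sam Admin,2023-03-17T08:15:00,\Inbox,\Archive,Admin,192.0.2.25
Test email,Update,Sam Admin,2023-03-17T08:20:00,\Inbox,,Admin,192.0.2.25
Weekly report,MoveToDeletedItems,Alex Delegate,2023-03-17T08:45:00,\Inbox,\Deleted Items,Delegate,192.0.2.11
'@ | ConvertFrom-Csv

$sample | Get-MailboxRemovalSummary | Format-Table -AutoSize
# With a real export: Import-Csv .\AuditLogResults<date>.csv | Get-MailboxRemovalSummary
```

The same function accepts the objects returned when the script is run with -ReturnObject.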

Example: Search audit log by email subject

.\Run-MailboxAuditLogSearcher.ps1 -Subject "Test email" -Mailbox "sharedmailbox@yourdomain.com" -StartDate "11/15/2022" -EndDate "11/23/2022"
 

Example: Search audit log by date and time

.\Run-MailboxAuditLogSearcher.ps1 -Mailbox "sharedmailbox@yourdomain.com" -StartDate "03/16/2023 11:00 PM" -EndDate "03/17/2023 09:00 AM"

.\Run-MailboxAuditLogSearcher.ps1 -Mailbox "sharedmailbox@yourdomain.com" -StartDate "03/21/2023" -EndDate "03/22/2023" 

Reference:

Mailbox audit logging in Exchange Server - Mailbox actions logged by mailbox audit logging
https://learn.microsoft.com/en-us/Exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging

Thursday, 01 June 2023