Office 365 - Find who moved or deleted emails in a shared mailbox using PowerShell Search-MailboxAuditLog
How to use PowerShell Search-MailboxAuditLog to search the mailbox audit log and find out who moved or deleted emails in an Office 365 shared mailbox.
Get mailbox audit log search PowerShell script
Copy the PowerShell script for searching mailbox audit logs from Microsoft
Save the script to C:\Temp\Run-MailboxAuditLogSearcher.ps1
https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/audit-logs/mailbox-audit-logs
# Run-MailboxAuditLogSearcher.ps1
param (
    [PARAMETER(Mandatory=$TRUE,ValueFromPipeline=$FALSE)]
    [string]$Mailbox,
    [PARAMETER(Mandatory=$TRUE,ValueFromPipeline=$FALSE)]
    [string]$StartDate,
    [PARAMETER(Mandatory=$TRUE,ValueFromPipeline=$FALSE)]
    [string]$EndDate,
    [PARAMETER(Mandatory=$FALSE,ValueFromPipeline=$FALSE)]
    [string]$Subject,
    [PARAMETER(Mandatory=$False,ValueFromPipeline=$FALSE)]
    [switch]$IncludeFolderBind,
    [PARAMETER(Mandatory=$False,ValueFromPipeline=$FALSE)]
    [switch]$ReturnObject
)
BEGIN {
    # Audit record properties kept in the output
    [string[]]$LogParameters = @('Operation', 'LogonUserDisplayName', 'LastAccessed', 'DestFolderPathName', 'FolderPathName', 'ClientInfoString', 'ClientIPAddress', 'ClientMachineName', 'ClientProcessName', 'ClientVersion', 'LogonType', 'MailboxResolvedOwnerName', 'OperationResult')
}
PROCESS {
    write-host -fore green 'Searching Mailbox Audit Logs...'
    $SearchResults = @(search-mailboxAuditLog $Mailbox -StartDate $StartDate -EndDate $EndDate -LogonTypes Owner, Admin, Delegate -ShowDetails -resultsize 50000)
    # Double quotes so the count is expanded in the message
    write-host -fore green "$($SearchResults.Count) Total entries Found"
    if (-not $IncludeFolderBind) {
        # FolderBind (folder access) records are dropped unless -IncludeFolderBind is given
        write-host -fore green 'Removing FolderBind operations.'
        $SearchResults = @($SearchResults | ? {$_.Operation -notlike 'FolderBind'})
        write-host -fore green "Filtered to $($SearchResults.Count) Entries"
    }
    # Add a Subject column (item subject, or the first source item's subject) and a CrossMailboxOp column
    $SearchResults = @($SearchResults | select ($LogParameters + @{Name='Subject';e={if (($_.SourceItems.Count -eq 0) -or ($_.SourceItems.Count -eq $null)){$_.ItemSubject} else {($_.SourceItems[0].SourceItemSubject).TrimStart(' ')}}}, @{Name='CrossMailboxOp';e={if (@('SendAs','Create','Update') -contains $_.Operation) {'N/A'} else {$_.CrossMailboxOperation}}}))
    $LogParameters = @('Subject') + $LogParameters + @('CrossMailboxOp')
    If ($Subject -ne '' -and $Subject -ne $null) {
        write-host -fore green "Searching for Subject: $Subject"
        # -match treats $Subject as a regular expression; -eq covers an exact match
        $SearchResults = @($SearchResults | ? {$_.Subject -match $Subject -or $_.Subject -eq $Subject})
        write-host -fore green "Filtered to $($SearchResults.Count) Entries"
    }
    $SearchResults = @($SearchResults | select $LogParameters)
}
END {
    # Return objects to the pipeline, or export to a time-stamped CSV in the current directory
    if ($ReturnObject) {
        return $SearchResults
    }
    elseif ($SearchResults.count -gt 0) {
        $Date = get-date -Format yyMMdd_HHmmss
        $OutFileName = "AuditLogResults$Date.csv"
        write-host
        write-host -fore green "Posting results to file: $OutfileName"
        $SearchResults | export-csv $OutFileName -notypeinformation -encoding UTF8
    }
}
Search mailbox audit log using PowerShell
Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com
Run the audit log search script
If you execute the Run-MailboxAuditLogSearcher.ps1 PowerShell script without any options, it will prompt you for the mailbox, start date and end date. The audit log search results will be exported to a CSV file.
You can also run Run-MailboxAuditLogSearcher.ps1 and specify the date, time and email subject - see some examples below.
Audit log search CSV results
Open the exported CSV file and filter by Operation "SoftDelete" to see the mailbox delegate who deleted the email messages.
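The CSV filter described above can also be done in PowerShell. This is an added example, not part of the original post or of Microsoft's script; the function name Get-ItemRemovalSummary and the sample rows are constructed for illustration. Besides SoftDelete it also counts the HardDelete, MoveToDeletedItems and Move audit actions, which goes beyond the single filter mentioned in the text.

```powershell
# Added example: summarise who deleted or moved items, using the columns the script exports.
# The rows below are constructed sample data. For a real run, replace the here-string with:
#   $rows = Import-Csv .\AuditLogResults<yyMMdd_HHmmss>.csv
$rows = @'
Subject,Operation,LogonUserDisplayName,LastAccessed,DestFolderPathName,FolderPathName,ClientIPAddress,LogonType
Test email,SoftDelete,Alice Example,3/17/2023 8:02:11 AM,,\Inbox,203.0.113.10,Delegate
Invoice 42,MoveToDeletedItems,Bob Example,3/17/2023 8:15:40 AM,\Deleted Items,\Inbox,198.51.100.7,Delegate
Invoice 42,SoftDelete,Bob Example,3/17/2023 8:16:02 AM,,\Deleted Items,198.51.100.7,Delegate
Weekly report,Move,Alice Example,3/17/2023 8:30:00 AM,\Archive,\Inbox,203.0.113.10,Delegate
Weekly report,Update,Alice Example,3/17/2023 8:31:00 AM,,\Inbox,203.0.113.10,Delegate
'@ | ConvertFrom-Csv

function Get-ItemRemovalSummary {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]]$AuditRows,
        # Mailbox audit actions that remove or relocate an item
        [string[]]$Operations = @('SoftDelete', 'HardDelete', 'MoveToDeletedItems', 'Move')
    )
    $AuditRows |
        Where-Object { $Operations -contains $_.Operation } |
        Group-Object LogonUserDisplayName, Operation |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                User        = $first.LogonUserDisplayName
                LogonType   = $first.LogonType     # Owner, Delegate or Admin
                Operation   = $first.Operation
                Count       = $_.Count
                Subjects    = ($_.Group.Subject | Sort-Object -Unique) -join '; '
                FromFolders = ($_.Group.FolderPathName | Sort-Object -Unique) -join '; '
                ClientIPs   = ($_.Group.ClientIPAddress | Sort-Object -Unique) -join ', '
            }
        } |
        Sort-Object User, Operation
}

# One row per user and operation; the Update record in the sample is ignored.
Get-ItemRemovalSummary -AuditRows $rows | Format-Table -AutoSize
```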
Example: Search audit log by email subject
.\Run-MailboxAuditLogSearcher.ps1 -Subject "Test email" -Mailbox "sharedmailbox@yourdomain.com" -StartDate "11/15/2022" -EndDate "11/23/2022"
Example: Search audit log by date and time
To get the logs for today, you need to specify the end date as tomorrow.
The date format is mm/dd/yyyy and the time must be enclosed in quotes " "
.\Run-MailboxAuditLogSearcher.ps1 -Mailbox "sharedmailbox@yourdomain.com" -StartDate "03/16/2023 11:00 PM" -EndDate "03/17/2023 09:00 AM"
.\Run-MailboxAuditLogSearcher.ps1 -Mailbox "sharedmailbox@yourdomain.com" -StartDate "03/21/2023" -EndDate "03/22/2023"
Reference:
Mailbox audit logging in Exchange Server - Mailbox actions logged by mailbox audit logging
https://learn.microsoft.com/en-us/Exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging