Search Mailbox Audit Logs in Office 365
There may be situations where end users report emails missing from their mailbox. They may have deleted the emails inadvertently, but they want to know the cause.
If mailbox auditing is enabled, we can find out the cause. Auditing should be enabled by default in Microsoft 365.
The first step is to track the emails and see whether any were delivered to or sent from the user's mailbox. We can use the message tracking logs for this.
To check the emails received –
Get-MessageTrace -RecipientAddress User@domain.com -StartDate 12/10/2020 -EndDate 12/18/2020 -Status Delivered
To check all emails addressed to the user, whatever their delivery status –
Get-MessageTrace -RecipientAddress User@domain.com -StartDate 12/10/2020 -EndDate 12/18/2020
If the trace returns emails that are not in the user's mailbox, we need to investigate further.
Check whether mailbox audit logging is enabled for the user.
Get-Mailbox User@domain.com | ft PrimarySMTPAddress, AuditEnabled
Get the mailbox folder statistics to check whether there are deleted emails in the Recoverable Items folders.
Get-MailboxFolderStatistics "User@domain.com" -FolderScope RecoverableItems -IncludeOldestAndNewestItems | Format-List Name,FolderAndSubfolderSize
If auditing is enabled, we can check the mailbox audit logs and find the cause of the deletion.
Search the audit logs for the user:
Search-MailboxAuditLog -Identity User@domain.com -ShowDetails -StartDate 12/10/2020 -EndDate 12/18/2020 -ResultSize 250000 | Export-Csv -Path C:\Temp\Mailbox_Audit_Logs.csv -NoTypeInformation
Open the exported audit log in Excel and filter the Operation column for delete events.
Here, we can see that the mailbox owner has deleted the emails from the “Sent Items” folder.
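The same filtering can be done in PowerShell instead of Excel. The following is an added example, not part of the original article: it keeps only the delete operations from the exported audit rows and summarises which logon performed them. The rows are constructed sample data using the column names that Search-MailboxAuditLog -ShowDetails exports; the users, subjects and timestamps are made up, and the date format is assumed to be US-style as in the commands above.

```powershell
# Constructed sample rows standing in for C:\Temp\Mailbox_Audit_Logs.csv.
# Against a real export, use instead:
#   $rows = Import-Csv -Path C:\Temp\Mailbox_Audit_Logs.csv
$rows = @'
Operation,LogonType,LogonUserDisplayName,LastAccessed,SourceItemFolderPathNamesList,SourceItemSubjectsList
SoftDelete,Owner,Sample User,12/11/2020 09:14:02,\Sent Items,Quarterly report
MoveToDeletedItems,Owner,Sample User,12/12/2020 16:40:55,\Inbox,Lunch on Friday
Update,Owner,Sample User,12/13/2020 08:01:10,\Inbox,Meeting notes
HardDelete,Delegate,Sample Assistant,12/14/2020 11:22:31,\Deleted Items,Invoice 1001
'@ | ConvertFrom-Csv

# Mailbox audit operations that remove an item from its folder.
$deleteOps = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems'

# Get-DeleteEvent is a helper name chosen for this example.
function Get-DeleteEvent {
    param([Parameter(Mandatory)][object[]]$AuditRow)

    $AuditRow |
        Where-Object { $_.Operation -in $deleteOps } |
        # CSV values are strings; cast so the sort is chronological
        # (assumes US-style dates, as in the sample rows).
        Sort-Object { [datetime]$_.LastAccessed } |
        Select-Object LastAccessed, Operation, LogonType, LogonUserDisplayName,
            @{ Name = 'Folder';  Expression = { $_.SourceItemFolderPathNamesList } },
            @{ Name = 'Subject'; Expression = { $_.SourceItemSubjectsList } }
}

$deletes = Get-DeleteEvent -AuditRow $rows

# Timeline of delete events: when, which operation, by whom, from which folder.
$deletes | Format-Table -AutoSize

# Summary: how many deletes each logon type and account performed.
# A LogonType of Delegate or Admin means someone other than the owner acted.
$deletes |
    Group-Object LogonType, LogonUserDisplayName |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

With the sample rows, the Update entry is dropped and three delete events remain, two by the owner and one by a delegate.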
We can also run the below script to find the Audit Logs –
In the next article, we will learn how to restore deleted emails to the user's mailbox.