Search-MailboxAuditLog

Glenn Maxwell 11,496 Reputation points
2024-10-22T05:53:20.8333333+00:00

Hi All,

One of my users, let's say user1@contoso.com, sent an email to two users, user2@contoso.com and user3@contoso.com. User2 and User3 claim that they read the email, moved it to a folder, and now are unable to find it. When I checked the message trace, I can see that User1 sent the email to User2 and User3 and that User1 attempted to recall it. However, the recall failed since User2 and User3 had already read the email.

How can I trace whether the email was deleted or moved to another folder by the users themselves or if any Exchange admin has deleted the email? Please guide me. I tried the following syntax but could not find much. Is the syntax correct?

$date=((get-date).AddDays(-7)).ToShortDateString()
$Today=(get-date).ToShortDateString()
Search-MailboxAuditLog user2@contoso.com -LogonTypes Admin,Owner,Delegate -ShowDetails -StartDate $date -EndDate $Today | Export-CSV C:\temp\output.csv -NoTypeInformation -Encoding UTF8


1 answer

  1. Xintao Qiao-MSFT 3,695 Reputation points Microsoft Vendor
    2024-10-22T07:50:49.49+00:00

    Hi, @Glenn Maxwell

    After my testing, your syntax has no obvious errors and you are able to successfully export the required entries.

    You'll need to enable audit logs for the mailboxes that need to be tracked.

    Set-Mailbox -Identity user@example.com -AuditEnabled $true
    

    Set-Mailbox (ExchangePowerShell) | Microsoft Learn

    You can specify the actions you want to audit (for example, Delete and so on).

    Search-MailboxAuditLog -Identity user@example.com -LogonTypes Owner -ShowDetails -StartDate 05/01/2024 -EndDate 10/22/2024 | Where-Object {$_.Operation -eq "MoveToDeletedItems"}
    
    

    You can also view admin logs. Search-UnifiedAuditLog (ExchangePowerShell) | Microsoft Learn

    You can still view and recover messages deleted by users in the EAC.



    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
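
To answer the question of who moved or deleted a specific message, the audit records can be reduced to the move and delete operations for that subject, showing actor, logon type and folders. This is an added example, not code from the question or the answer; `Get-MessageFate`, the subject text and the sample records are constructed for illustration.

```powershell
# Added example (not from the thread). Get-MessageFate is a hypothetical helper name;
# the property names are those on records from Search-MailboxAuditLog -ShowDetails.
function Get-MessageFate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [Parameter(Mandatory)] [string] $SubjectLike
    )
    begin {
        # Operations that take a message out of the folder the user remembers.
        $ops = 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete'
        # Escape wildcard characters such as [ ] in the subject before matching.
        $pattern = '*' + [System.Management.Automation.WildcardPattern]::Escape($SubjectLike) + '*'
    }
    process {
        if ($Record.Operation -notin $ops) { return }
        # @() makes the match work whether the subject field is a string or a list.
        if (-not (@($Record.SourceItemSubjectsList) -like $pattern)) { return }
        [pscustomobject]@{
            When      = $Record.LastAccessed
            Operation = $Record.Operation
            Actor     = $Record.LogonUserDisplayName
            LogonType = $Record.LogonType   # Owner, Delegate or Admin
            From      = $Record.SourceItemFolderPathNamesList
            To        = $Record.DestFolderPathName
            Client    = $Record.ClientInfoString
        }
    }
}

# Constructed sample records standing in for real audit output.
$sample = @(
    [pscustomobject]@{ LastAccessed = [datetime]'2024-10-18T09:12:00'; Operation = 'Move'
        LogonType = 'Owner'; LogonUserDisplayName = 'User Two'; SourceItemSubjectsList = 'Q3 forecast'
        SourceItemFolderPathNamesList = '\Inbox'; DestFolderPathName = '\Projects'; ClientInfoString = 'Client=OWA' }
    [pscustomobject]@{ LastAccessed = [datetime]'2024-10-19T14:30:00'; Operation = 'SoftDelete'
        LogonType = 'Admin'; LogonUserDisplayName = 'Help Desk Admin'; SourceItemSubjectsList = 'Q3 forecast'
        SourceItemFolderPathNamesList = '\Projects'; DestFolderPathName = $null; ClientInfoString = 'Client=EWS' }
    [pscustomobject]@{ LastAccessed = [datetime]'2024-10-19T15:00:00'; Operation = 'MoveToDeletedItems'
        LogonType = 'Owner'; LogonUserDisplayName = 'User Two'; SourceItemSubjectsList = 'Lunch menu'
        SourceItemFolderPathNamesList = '\Inbox'; DestFolderPathName = '\Deleted Items'; ClientInfoString = 'Client=OWA' }
)
$sample | Get-MessageFate -SubjectLike 'Q3 forecast' | Sort-Object When | Format-Table -AutoSize

# Against a live mailbox (requires an Exchange Online PowerShell session):
# Search-MailboxAuditLog -Identity user2@contoso.com -LogonTypes Admin,Owner,Delegate -ShowDetails `
#   -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) | Get-MessageFate -SubjectLike 'Q3 forecast'
```

Passing `(Get-Date)` as `-EndDate` keeps today's events in range; a date-only string such as the output of `ToShortDateString()` is parsed as midnight at the start of that day.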

