auditing for shared mailbox

Question

auditing for shared mailbox

Surya kumar 390

Hi,

I am having a situation where my deleted items folder was empty. However, after one particular day I could see hundreds of emails in my deleted items folder. There are no inbox rules set. And retention policy settings are move to archive or move to purges folder of recover deleted items. None of shared mailbox members have deleted the email items.

is there any way to figure out how this emails were came into deleted items folder?

I checked the following article, however I am not able to find answer. Please help me if there any different ways.

https://learn.microsoft.com/en-us/powershell/module/exchange/search-mailboxauditlog?view=exchange-ps

if I use the above PowerShell commands, then how inbox rules or sweep rules will be identified in the log? I mean how they are been identified because that was a automatic process, right?

and another try was audit > compliance portal.

Could you please let me know how to find this??

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Yuki Sun-MSFT 41,451 Moderator

Hi @Surya kumar ,

if I use the above PowerShell commands, then how inbox rules or sweep rules will be identified in the log? I mean how they are been identified because that was a automatic process, right?

As far as I know, I am afraid it's not feasible to tell if the item was deleted by inbox rules or sweep rules directly using the logs.
Given this, I'd recommend searching the audit log using the operation "MoveToDeletedItems" and see if more clues like logon user name could be found for further analysis:


Search-MailboxAuditLog -Identity user1 -LogonTypes Owner,Admin,Delegate -ShowDetails -StartDate 4/26/2023 -EndDate 4/28/2023 | Where-Object {$_.Operation -eq "MoveToDeletedItems"} | FL Operation, LogonType, LogonUserDisplayName, SourceItemSubjectsList, ClientProcessName

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Yuki Sun-MSFT 41,451 Reputation points Moderator

2023-04-27T08:34:26.53+00:00

Actually, by default if a mail is deleted by a delegate from Outlook, the message will end up in the delegate's Deleted Items folder instead. So personally, I don't think it's an issue with any of your delegates. See Items that are deleted from a shared mailbox go to the wrong folder in Outlook.
Surya kumar 390 Reputation points

2023-04-27T10:53:01.97+00:00

@Yuki Sun-MSFT Then how to trace this? I want to know how these items came into deleted items folder.

Please help me with some possible solutions.
Surya kumar 390 Reputation points

2023-04-28T20:10:14.8433333+00:00

@Yuki Sun-MSFT Can we have an update on this for doing trace?
Surya kumar 390 Reputation points

2023-04-28T20:13:02.27+00:00

@Yuki Sun-MSFT Can we have an update on this?
Yuki Sun-MSFT 41,451 Reputation points Moderator

2023-05-01T01:01:34.7866667+00:00

Hi @Surya kumar ,

Have you had a chance to run the Search-MailboxAuditLog cmdlet as aforementioned? This can help narrow down if we still need to troubleshoot from the delegates' side.

You can also have a look at the Audit via Compliance portal, searching for "Moved messages to Deleted Items folder" against your mailbox and see if any clues can be found:
Surya kumar 390 Reputation points

2023-05-02T01:23:07.3666667+00:00

@Yuki Sun-MSFT ,

When I tried with PowerShell command, I got some results. However, that's is not helping me much.

When it comes to audit in compliance portal, no results were produced when I plugged-in shared mailbox account. However I am getting results for user accounts.

Can you test this from your end by auditing a shared mailbox? And moreover for logging an event, it may takes 12-24 hrs. Its not happening instantly. Is there any way to change this behavior so that it will be pretty much helpful while testing.
Yuki Sun-MSFT 41,451 Reputation points Moderator

2023-05-02T06:28:28.2266667+00:00

Hi @Surya kumar ,

no results were produced when I plugged-in shared mailbox account. However I am getting results for user accounts.

Just to clarify, initially I thought it's your own mailbox that is shared with some other users, but from the description in your last reply, is there an actual shared mailbox involved? Similar like below:
Let's say User1 is your own mailbox, and there's a shared mailbox Shared1 that you have access to, isn't it?

If so, do you mean the Deleted Items folder of your own mailbox is filled up with mails that were originally in the shared mailbox?

When it comes to auditing the shared mailbox, according to this document, in theory, the action "MovetoDeletedItems" is audited by default for shared mailboxes. I am testing in my lab tenant but it needs some time for the results to show up in the audit logs, will post back later when I get any update.

Regarding your concern about the time it takes for the record to be available, seems like currently there's no option available to make it show up sooner. But based on my experience and this link, in most cases it only takes one or two hours for the record to be searchable in Audit logs.
Yuki Sun-MSFT 41,451 Reputation points Moderator

2023-05-02T07:40:32.6233333+00:00

Hi @Surya kumar ,

Just wanted to give you an update about the test results of auditing shared mailbox from my end.

As you can see in the image I posted earlier, User1 has full access permission to Shared1. Now User1 deleted a message from Shared1's Inbox.

I tried searching against the shared mailbox in Audit in Compliance portal and got no results either, even if I leave the activities section blanks. A quick search online led me to this thread, and according to the discussion there, seems like it could be the limitation of unified audit logs.

Then I tried using the Search-MailboxAuditLog cmdlet as aforementioned, it appears to me that in this scenario, we need to search for the "SoftDelete" action instead due to the by-design behavior mentioned in this article.
Surya kumar 390 Reputation points

2023-05-03T01:21:37.53+00:00

Hi @Yuki Sun-MSFT

Thanks for the update. As per your last reply, then what's the difference between MoveToDeletedItems and Softdelete ?
Yuki Sun-MSFT 41,451 Reputation points Moderator

2023-05-03T05:47:59.2233333+00:00

Hi @Surya kumar ,

MoveToDeletedItems means "A message was deleted and moved to the Deleted Items folder";

Softdelete means "A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder."

The reason why we need to search for Softdelete against the shared mailbox is because when User1 deletes items from Shared1's Inbox, a copy of the deleted item would go to User1's Deleted Items folder instead of the Deleted Items folder of the mailbox of Shared1. While for Shared1, the deleted item actually ends up in the Recoverable Items folder which means the operation "SoftDelete" has been performed on this item.
Surya kumar 390 Reputation points

2023-05-03T06:45:14.6566667+00:00

@Yuki Sun-MSFT Thanks for helping again. Is this the same behavior in OWA too?
Yuki Sun-MSFT 41,451 Reputation points Moderator

2023-05-04T05:49:27.3066667+00:00

Hi @Surya kumar ,

Yes. I tested in OWA and per my observation, the behavior is the same in OWA too.
Surya kumar 390 Reputation points

2023-05-05T00:38:20.0366667+00:00

@Yuki Sun-MSFT

I tried doing this in web. However, right after deleting an email item from inbox of shared, i cannot see a copy storing in the recover deleted items folder of shared mailbox . Is there any settings do i need to change?
Yuki Sun-MSFT 41,451 Reputation points Moderator

2023-05-05T07:19:16.9133333+00:00

Hi @Surya kumar ,

Thanks for bringing this out. I tested several more times in OWA and realized that I may have gotten an incorrect conclusion about the behavior in OWA in my reply earlier, perhaps because of some duplicated emails in my test mailboxes. My apologies.

Based on more tests, below are what I saw in OWA:

1.When User1 deletes an email from the Inbox of Shared1, a copy of the deleted item goes to the Deleted Items folder of User1, this is exactly the same as what we see in Outlook desktop clients:

2.For Shared1, rather than Softdelete like in Outlook app, it's HardDeleted so we cannot see it in Shared1's recover deleted items folder.
Run the following cmdlet against Shared1, the log below can be found:
Search-MailboxAuditLog -Identity SHARED1 -LogonTypes Owner,Admin,Delegate -ShowDetails -StartDate 5/5/2023 -EndDate 5/6/2023 | Where-Object {$_.Operation -eq "HardDelete"} | FL Operation, LogonType, LogonUserDisplayName, SourceItemSubjectsList, ClientProcessName

I checked it using the MFCMAPI tool and can also find the deleted item in Purges folder of Shared1, which means this item was hard deleted:
Surya kumar 390 Reputation points

2023-05-05T16:16:09.0033333+00:00

@Yuki Sun-MSFT ,Thank you very much for the detailed explanation

Share via

auditing for shared mailbox

0 additional answers

Your answer