This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 72%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERR%3C/text%3E%3C/svg%3E)
Hi All
One of our shared mailbox is deleted from exchange online. I want to know who deleted the shared mailbox. will the below syntax fetch me the information
Search-AdminAuditLog -Resultsize unlimited -ExternalAccess $false -StartDate 01/10/2022 -EndDate 01/15/2022 | Export-Csv -Path C:\temp\logs.csv -NoTypeInformation
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
Hi @Roger Roger
The following commands should both work for you:
1) Search by cmdlet:
Search-AdminAuditLog -cmdlets Remove-Mailbox -StartDate 01/10/2022 -EndDate 01/15/2022 -IsSuccess $true | Export-Csv -Path C:\temp\logs.csv -NoTypeInformation
2) Search by shared mailbox name:
Search-AdminAuditLog -objectIDs <shared mailbox name here> -StartDate 01/10/2022 -EndDate 01/15/2022 -IsSuccess $true | Export-Csv -Path C:\temp\logs.csv -NoTypeInformation
Or you may add both parameters as filter:
Search-AdminAuditLog -cmdlets Remove-Mailbox -objectIDs <shared mailbox name here> -StartDate 01/10/2022 -EndDate 01/15/2022 -IsSuccess $true | Export-Csv -Path C:\temp\logs.csv -NoTypeInformation
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Roger Roger
I am writing here to confirm with you how thing going now?
Please let us know if you would like further assistance.
I'd suggest you also check for "Delete user." events, as the corresponding user object might have been deleted.
Search-UnifiedAuditLog -StartDate "01 Feb 2022" -EndDate "02 Feb 2022" -Operations "Delete user."
And, if you are using dirsync, make sure the change did not originate from on-premises, for example if the corresponding user object was excluded from the scope of dirsync, or deleted in AD.