Admin AuditLogs

Roger Roger 5,046 Reputation points
2022-02-01T21:59:23.837+00:00

Hi All

One of our shared mailbox is deleted from exchange online. I want to know who deleted the shared mailbox. will the below syntax fetch me the information

Search-AdminAuditLog -Resultsize unlimited -ExternalAccess $false -StartDate 01/10/2022 -EndDate 01/15/2022 | Export-Csv -Path C:\temp\logs.csv -NoTypeInformation
Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,299 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,426 questions
0 comments No comments
{count} votes

Accepted answer
  1. Kael Yao-MSFT 37,586 Reputation points Microsoft Vendor
    2022-02-02T01:37:39.493+00:00

    Hi @Roger Roger

    The following commands should both work for you:

    1) Search by cmdlet:

    Search-AdminAuditLog -cmdlets Remove-Mailbox -StartDate 01/10/2022 -EndDate 01/15/2022 -IsSuccess $true | Export-Csv -Path C:\temp\logs.csv -NoTypeInformation  
    

    2) Search by shared mailbox name:

    Search-AdminAuditLog -objectIDs <shared mailbox name here> -StartDate 01/10/2022 -EndDate 01/15/2022 -IsSuccess $true | Export-Csv -Path C:\temp\logs.csv -NoTypeInformation  
    

    Or you may add both parameters as filter:

    Search-AdminAuditLog -cmdlets Remove-Mailbox -objectIDs <shared mailbox name here> -StartDate 01/10/2022 -EndDate 01/15/2022 -IsSuccess $true | Export-Csv -Path C:\temp\logs.csv -NoTypeInformation  
    

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


1 additional answer

Sort by: Most helpful
  1. Vasil Michev 98,196 Reputation points MVP
    2022-02-02T09:07:41.623+00:00

    I'd suggest you also check for "Delete user." events, as the corresponding user object might have been deleted.

    Search-UnifiedAuditLog -StartDate "01 Feb 2022" -EndDate "02 Feb 2022" -Operations "Delete user."
    

    And, if you are using dirsync, make sure the change did not originate from on-premises, for example if the corresponding user object was excluded from the scope of dirsync, or deleted in AD.

    1 person found this answer helpful.
    0 comments No comments