Use the Office 365 Audit Log to Find Out Who Deleted Messages

Auditing Deletions

Ever since Microsoft introduced the current mailbox auditing mechanism in Exchange 2010 (an earlier version in Exchange 2007 took a different approach), it has been used to answer the question of “who deleted that message,” an issue that usually crops up when a delegate removes items from someone else’s mailbox or a shared mailbox and won’t admit their action.

Ingestion and Normalization

Microsoft recently decided to enable mailbox auditing throughout Exchange Online. The resulting audit records flow through a normalization process before the records are ingested into the Office 365 audit log. Normalization makes sure that the Exchange records have the same format as records from other workloads.

Searching for Deletions

You can look for delete operations through the audit log search in the Security and Compliance Center, but it’s usually more convenient (and faster) to use PowerShell and run the Search-UnifiedAuditLog cmdlet.

Here’s an example that searches for hard and soft delete operations and extracts information from the JSON payload that holds a lot of audit details.

$Records = (Search-UnifiedAuditLog -StartDate 20-Jul-2018 -EndDate 20-Sep-2018 -Operations "HardDelete", "SoftDelete" -ResultSize 1000)
If ($Records.Count -eq 0) {
    Write-Host "No delete records found." }
Else {
    Write-Host "Processing" $Records.Count "audit records..."
    $Report = @()
    ForEach ($Rec in $Records) {
      # Each audit record carries its details as a JSON payload in the AuditData property
      $AuditData = ConvertFrom-Json $Rec.AuditData
      $ReportLine = [PSCustomObject][Ordered]@{
        TimeStamp = $AuditData.CreationTime
        User      = $AuditData.UserId            # account that performed the deletion
        Action    = $AuditData.Operation         # HardDelete or SoftDelete
        Status    = $AuditData.ResultStatus
        Mailbox   = $AuditData.MailboxOwnerUPN   # mailbox the items were removed from
        Items     = $AuditData.AffectedItems.Subject
        Folder    = $AuditData.Folder.Path.Split("\")[1]
        Client    = $AuditData.ClientInfoString }
      $Report += $ReportLine }
    $Report | Select Timestamp, Action, User, Mailbox }

The formatted records are placed in the $Report variable. You can slice and dice the records to meet your needs, or export the data to a CSV file and then format it with Excel or Power BI. For example:

$Report | Export-CSV -NoTypeInformation -Path c:\temp\ExchangeMailboxDeletes.csv

Hopefully, the information you find in the audit log will help you answer the question.

For more information about the Office 365 audit log and how to configure Exchange mailbox auditing, read Chapter 21 of Office 365 for IT Pros. If you want to read more about reporting from the mailbox audit log rather than the Office 365 audit log, it’s in Chapter 3 of the companion volume.

3 Replies to “Use the Office 365 Audit Log to Find Out Who Deleted Messages”

  1. Hi. This really doesn’t indicate who deleted a specific message. It only shows people deleting messages and their subjects. If there are multiple emails with the same subject, how would one determine who deleted that?

    Example. Target mailbox is a shared mailbox that many users have access to. Litigation Hold is enabled. A user complains that an email they require can no longer be found. This email is a job application and the subject is just the job application number, therefore the mailbox has many items with the same subject. The user supplies the sender of the item.
    A Content Search is performed and the item is found in the Recoverable Items folder. The Content Search Report is saved.
    Your process is performed and shows multiple users deleting items with the required subject. The audit log does not state who the sender of the item was.

    Where/what is the correlation between the audit log and an item found in the mailbox/content search report?


    1. In your situation, because the audit records don’t include the sender name, you might grab the InternetMessageId and use that to compare against the results of the content search to find the message deleted by an individual. I’ll ask the Exchange team if they can include the sender name in the properties reported in audit events for deleted messages.
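The correlation suggested in the reply above, worked through as an added example that is not part of the original post or its script: expand each audit record into one row per deleted item, key the rows by InternetMessageId, and look up the messages a content search found. The audit records, the content search rows and the column name InternetMessageId in that report are all constructed for this example, and the example assumes each AffectedItems entry in the audit payload carries an InternetMessageId property, as the reply indicates.

```powershell
# Added example, not code from the original post. Assumptions: each AffectedItems entry
# in the audit JSON has an InternetMessageId property; the content search export is a CSV
# with a column that holds the same id (the column name "InternetMessageId" is assumed).
# All values below are constructed sample data.

# Constructed stand-in for what Search-UnifiedAuditLog returns (AuditData is a JSON string).
# In production replace this with:
#   $Records = Search-UnifiedAuditLog -StartDate 20-Jul-2018 -EndDate 20-Sep-2018 -Operations "HardDelete", "SoftDelete" -ResultSize 1000
$Records = @(
  [PSCustomObject]@{ AuditData = @'
{"CreationTime":"2018-09-01T09:12:00","UserId":"alice@contoso.example","Operation":"SoftDelete",
 "ResultStatus":"Succeeded","MailboxOwnerUPN":"jobs@contoso.example","ClientInfoString":"Client=OWA",
 "Folder":{"Path":"\\Inbox"},
 "AffectedItems":[
   {"Subject":"JOB-1001","InternetMessageId":"<msg-a1@contoso.example>"},
   {"Subject":"JOB-1001","InternetMessageId":"<msg-a2@contoso.example>"}]}
'@ },
  [PSCustomObject]@{ AuditData = @'
{"CreationTime":"2018-09-02T14:30:00","UserId":"bob@contoso.example","Operation":"HardDelete",
 "ResultStatus":"Succeeded","MailboxOwnerUPN":"jobs@contoso.example","ClientInfoString":"Client=Outlook",
 "Folder":{"Path":"\\Deleted Items"},
 "AffectedItems":[
   {"Subject":"JOB-1001","InternetMessageId":"<msg-b1@contoso.example>"}]}
'@ }
)

# Constructed stand-in for the saved content search report.
# In production: $SearchHits = Import-Csv -Path <path to the exported report>
$SearchHits = @"
Sender,Subject,InternetMessageId
recruiter@example.net,JOB-1001,<msg-b1@contoso.example>
"@ | ConvertFrom-Csv

# One row per deleted item, so every row has its own InternetMessageId
# (the original script keeps one row per audit record, which can cover several items).
$Deletions = ForEach ($Rec in $Records) {
  $AuditData = ConvertFrom-Json $Rec.AuditData
  ForEach ($Item in $AuditData.AffectedItems) {
    [PSCustomObject][Ordered]@{
      TimeStamp         = $AuditData.CreationTime
      User              = $AuditData.UserId
      Action            = $AuditData.Operation
      Mailbox           = $AuditData.MailboxOwnerUPN
      Folder            = $AuditData.Folder.Path.Split("\")[1]
      Subject           = $Item.Subject
      InternetMessageId = $Item.InternetMessageId
      Client            = $AuditData.ClientInfoString
    }
  }
}

# Index the deletions by InternetMessageId, then look up each message the content search found.
$ByMessageId = @{}
ForEach ($D in $Deletions) { $ByMessageId[$D.InternetMessageId] = $D }

$Correlated = ForEach ($Hit in $SearchHits) {
  $D = $ByMessageId[$Hit.InternetMessageId]
  If ($D) {
    [PSCustomObject][Ordered]@{
      Sender            = $Hit.Sender
      Subject           = $Hit.Subject
      InternetMessageId = $Hit.InternetMessageId
      DeletedBy         = $D.User      # the account the audit record attributes the deletion to
      Action            = $D.Action
      When              = $D.TimeStamp
      Folder            = $D.Folder
      Client            = $D.Client
    }
  }
}
$Correlated | Format-Table -AutoSize
```

The subject alone is ambiguous here (three deleted items share JOB-1001), but the InternetMessageId lookup resolves the search hit to a single audit row and therefore a single user, action and time. If the content search report stores the id under a different column name, adjust the property used in the lookup; if an AffectedItems entry lacks InternetMessageId, that item cannot be correlated this way and falls back to the subject-only view the original script gives.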
