
How to Use the Office 365 Audit Log to Find Out Who Deleted Messages in a Mailbox

Exchange Online


Auditing Deletions

Updated: March 2021

Ever since Microsoft introduced the current mailbox auditing mechanism in Exchange 2010 (an earlier version in Exchange 2007 took a different approach), it has been used to answer the question of “who deleted that message,” an issue that usually crops up when a delegate removes items from someone else’s mailbox or a shared mailbox and won’t admit their action.

Ingestion and Normalization

Microsoft enables mailbox auditing by default for Exchange Online mailboxes, but at the time of writing only the audit records generated for accounts with Office 365 E3 and E5 licenses are ingested into the Office 365 audit log. Records for mailboxes with other licenses stay in the mailbox audit log (where Search-MailboxAuditLog can find them) unless you explicitly enable auditing for the mailbox with Set-Mailbox -AuditEnabled $true. Before you depend on the Office 365 audit log to answer the question, it is worth checking that the tenant-wide AuditDisabled setting (Get-OrganizationConfig) is $false and that the AuditDelegate and AuditAdmin sets of the mailbox include SoftDelete and HardDelete. The audit records flow through a normalization process before the records are ingested into the Office 365 audit log. Normalization makes sure that the Exchange records have the same format as records from other workloads.
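The following function is an added example and is not part of the original article or the Office 365 for IT Pros scripts. It checks whether the mailboxes you care about (by default, every shared mailbox) are configured so that deletions by the owner, delegates and admins are audited, and can add the missing actions with a -Fix switch. It assumes an Exchange Online PowerShell session opened with Connect-ExchangeOnline and an account allowed to read and, when -Fix is used, change mailbox settings. The function name, parameters and output columns are the example's own.

```powershell
# Added example (not from the original article): verify that deletions in the mailboxes you
# care about will be audited before you depend on the Office 365 audit log to answer
# "who deleted that message". Assumes an Exchange Online PowerShell session
# (Connect-ExchangeOnline) with rights to read and, when -Fix is used, change mailbox settings.
function Test-MailboxDeleteAuditing {
    [CmdletBinding()]
    param (
        [string[]]$Identity = @(),   # mailboxes to check; defaults to every shared mailbox
        [switch]$Fix                 # add the missing delete actions where they are absent
    )
    # Tenant-wide switch: if AuditDisabled is $true, no mailbox is audited whatever its own settings say
    $Org = Get-OrganizationConfig
    If ($Org.AuditDisabled) {
        Write-Warning 'Mailbox auditing is disabled for the tenant (Set-OrganizationConfig -AuditDisabled $false to enable it)'
    }
    $Mailboxes = If ($Identity.Count -gt 0) { $Identity | ForEach-Object { Get-Mailbox -Identity $_ } }
                 Else { Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited }

    # The three operations that record a deletion; checked per logon type (owner, delegate, admin)
    $Required = @('MoveToDeletedItems', 'SoftDelete', 'HardDelete')
    ForEach ($M in $Mailboxes) {
        $Missing = @{}
        ForEach ($Set in 'AuditOwner', 'AuditDelegate', 'AuditAdmin') {
            [string[]]$Configured = $M.$Set
            $Missing[$Set] = @($Required | Where-Object { $Configured -notcontains $_ })
        }
        $MissingCount = 0
        ForEach ($v in $Missing.Values) { $MissingCount += $v.Count }
        $Ready = $M.AuditEnabled -and (-not $Org.AuditDisabled) -and ($MissingCount -eq 0)
        If (-not $Ready -and $Fix) {
            # Caveat: setting an audit set explicitly removes that logon type from DefaultAuditSet,
            # so Microsoft's future default actions no longer apply to this mailbox automatically
            Set-Mailbox -Identity $M.Identity -AuditEnabled $true `
                -AuditOwner @{Add = $Required} -AuditDelegate @{Add = $Required} -AuditAdmin @{Add = $Required}
        }
        [PSCustomObject]@{
            Mailbox         = $M.PrimarySmtpAddress
            AuditEnabled    = $M.AuditEnabled
            DefaultAuditSet = ($M.DefaultAuditSet -join ',')
            LogAgeLimit     = $M.AuditLogAgeLimit
            MissingOwner    = ($Missing['AuditOwner'] -join ',')
            MissingDelegate = ($Missing['AuditDelegate'] -join ',')
            MissingAdmin    = ($Missing['AuditAdmin'] -join ',')
            Ready           = $Ready
            Fixed           = (-not $Ready -and $Fix.IsPresent)
        }
    }
}

# Report on every shared mailbox and list the ones that are not ready
Test-MailboxDeleteAuditing | Where-Object { -not $_.Ready } | Format-Table -AutoSize
```

Run it without -Fix first and review the output: a mailbox whose DefaultAuditSet still lists Owner, Delegate and Admin is following Microsoft's defaults, and the default sets already include the three delete actions. Only use -Fix on mailboxes that genuinely lack them, because an explicit audit set takes the mailbox out of the default set for that logon type.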

Searching for Email Deletions

You can look for delete operations through the audit log search in the Compliance Center, but it’s usually more convenient (and faster) to use PowerShell and run the Search-UnifiedAuditLog cmdlet.

Here’s an example that searches for hard and soft delete operations and extracts information from the JSON payload (the AuditData property) which holds the details of the action performed. In this case, we want to find who deleted a message, so the important fields are UserId (the account that performed the deletion) and MailboxOwnerUPN (the mailbox the items were removed from). The results are piped to the Out-GridView cmdlet to view on screen. Note that a normal delete in Outlook moves the message to the Deleted Items folder and is logged as MoveToDeletedItems rather than SoftDelete; add that operation to the -Operations list if you want to see those actions too.

$StartDate = (Get-Date).AddDays(-90); $EndDate = (Get-Date) 
# Fetch soft and hard deletions for the last 90 days. A single call returns at most 5000 records.
[array]$Records = (Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations "HardDelete", "SoftDelete" -ResultSize 5000) 
If (!($Records)) { Write-Host "No deletion records found."; break } 
Else { 
 Write-Host "Processing" $Records.Count "audit records..." 
 $Report = [System.Collections.Generic.List[Object]]::new() # List to hold the formatted records  
 ForEach ($Rec in $Records) { 
    # The details of the action are in the JSON payload of the AuditData property
    $AuditData = ConvertFrom-Json $Rec.Auditdata 
    If ($AuditData.ResultStatus -eq "PartiallySucceeded") {
        # Partial success means at least one of the selected items was not deleted
        $EmailSubjects = "*** Not deleted by " + $AuditData.ClientInfoString + " ***" }
    Else {
        $EmailSubjects = $AuditData.AffectedItems.Subject -join ", " }
    # Folder paths look like "\Inbox\Subfolder"; keep the top-level folder name
    $FolderName = If ($AuditData.Folder.Path) { $AuditData.Folder.Path.Split("\")[1] } Else { $null }
    $ReportLine = [PSCustomObject] @{ 
      TimeStamp          = Get-Date($AuditData.CreationTime) -format g 
      User               = $AuditData.UserId           # account that performed the deletion
      Action             = $AuditData.Operation 
      Status             = $AuditData.ResultStatus 
      Mailbox            = $AuditData.MailboxOwnerUPN  # mailbox the items were deleted from
      "Message Subjects" = $EmailSubjects
      Folder             = $FolderName 
      Client             = $AuditData.ClientInfoString } 
    $Report.Add($ReportLine) }
  } 
$Report | Sort Mailbox | Select Timestamp, Action, User, Mailbox, "Message Subjects", Folder | Out-GridView

The formatted records are placed in the $Report list. You can slice and dice the records to meet your needs, or export the data to a CSV file and then format it with Excel or Power BI. Remember that Search-UnifiedAuditLog returns at most 5000 records per call: if the tenant generates more deletions in the period you search, page through the results with the -SessionId and -SessionCommand ReturnLargeSet parameters instead of relying on a single call. For example:

$Report | Export-CSV -NoTypeInformation -Path c:\temp\ExchangeMailboxDeletes.csv


If you need to extract the records for a particular user or shared mailbox, apply a filter to the $Report list. For instance, to find just the records for a shared mailbox with a specific primary SMTP address, filter on the Mailbox property (the comparison is case-insensitive) and pipe the matching records to the Out-GridView cmdlet:

$Report | ?{$_.Mailbox -eq "BookBuild@office365itpros.com"} | Out-GridView

Figure 1 shows the result.

Figure 1: Filtered records for a specific target mailbox piped to the Out-GridView cmdlet
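The script below is an added example rather than the article's own script or anything from the Office 365 for IT Pros GitHub repository. It goes beyond the search above in two ways that matter in practice: it pages through the audit log with -SessionId and -SessionCommand ReturnLargeSet so that tenants with more than 5000 deletions in the period are covered, and it uses the LogonType value in the audit record (0 owner, 1 admin, 2 delegate) to separate deletions made by someone other than the mailbox owner. It assumes an Exchange Online PowerShell session opened with Connect-ExchangeOnline and a role that permits Search-UnifiedAuditLog (for example View-Only Audit Logs). The function name, its parameters and the sample mailbox address are the example's own.

```powershell
# Added example (not from the original article): page through the audit log, which returns
# at most 5000 records per call, and classify each deletion by the logon type that made it.
# Assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline)
# with a role that permits Search-UnifiedAuditLog, e.g. View-Only Audit Logs.
function Get-MailboxDeletionReport {
    [CmdletBinding()]
    param (
        [int]$DaysBack = 90,
        # MoveToDeletedItems is included because a plain delete in Outlook moves the item
        # to Deleted Items and is logged under that operation, not as SoftDelete.
        [string[]]$Operations = @('MoveToDeletedItems', 'SoftDelete', 'HardDelete'),
        [string]$Mailbox      # optional: primary SMTP address of the mailbox to report on
    )
    $StartDate = (Get-Date).AddDays(-$DaysBack)
    $EndDate   = Get-Date
    # A fresh session id ties the paged calls together; ReturnLargeSet hands back the
    # next batch on every call until the result set is exhausted.
    $SessionId = 'DeletionReport-' + [guid]::NewGuid().ToString()
    $Seen    = @{}
    $Records = [System.Collections.Generic.List[Object]]::new()
    Do {
        [array]$Page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
            -Operations $Operations -ResultSize 5000 `
            -SessionId $SessionId -SessionCommand ReturnLargeSet
        ForEach ($R in $Page) {
            # Identity is unique per audit record; skip any duplicates across pages
            If (-not $Seen.ContainsKey($R.Identity)) {
                $Seen[$R.Identity] = $true
                $Records.Add($R)
            }
        }
    } While ($Page -and $Page.Count -gt 0)

    # LogonType in Exchange mailbox audit records: 0 = owner, 1 = admin, 2 = delegate
    $LogonTypes = @{ 0 = 'Owner'; 1 = 'Admin'; 2 = 'Delegate' }
    $Report = [System.Collections.Generic.List[Object]]::new()
    ForEach ($Rec in $Records) {
        $Data = $Rec.AuditData | ConvertFrom-Json
        # Search-UnifiedAuditLog can filter on the actor (-UserIds) but not on the mailbox
        # owner, so the target mailbox is filtered here, after the records are fetched
        If ($Mailbox -and $Data.MailboxOwnerUPN -ne $Mailbox) { continue }
        $Type = If ($null -ne $Data.LogonType) { [int]$Data.LogonType } Else { -1 }
        $Report.Add([PSCustomObject]@{
            TimeStamp = [datetime]$Data.CreationTime     # UTC, kept as a date so it sorts correctly
            Mailbox   = $Data.MailboxOwnerUPN
            Actor     = $Data.UserId
            LogonType = If ($LogonTypes.ContainsKey($Type)) { $LogonTypes[$Type] } Else { "Unknown($Type)" }
            Action    = $Data.Operation
            Status    = $Data.ResultStatus
            Subjects  = ($Data.AffectedItems.Subject -join '; ')
            Folder    = $Data.Folder.Path
            ClientIP  = $Data.ClientIPAddress
            Client    = $Data.ClientInfoString
        })
    }
    return $Report
}

# Deletions in a shared mailbox (sample address) that were not made through the owner logon
Get-MailboxDeletionReport -DaysBack 30 -Mailbox 'BookBuild@office365itpros.com' |
    Where-Object { $_.LogonType -ne 'Owner' } |
    Sort-Object TimeStamp |
    Out-GridView
```

Two details are worth knowing when you read the output. ReturnLargeSet returns records in no particular order, which is why the report is sorted afterwards rather than relying on the order of retrieval. And because a shared mailbox has no interactive owner, almost every deletion in it will carry a Delegate or Admin logon type, so the Actor column (UserId in the raw record) is the field that answers the original question.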

Another variant on the theme is posted in this article. The script used here is available in the Office 365 for IT Pros GitHub repository.

For more information about the Office 365 audit log and how to configure Exchange mailbox auditing, read Chapter 21 of Office 365 for IT Pros. If you want to read more about reporting from the mailbox audit log rather than the Office 365 audit log, it’s in Chapter 3 of the companion volume.
