How to use mailbox audit logs in Office 365

Summary

In Microsoft Office 365, you can run mailbox audit logs to determine when a mailbox was updated unexpectedly or whether items are missing from a mailbox. You may have to do this, for example, if items are moved or if they're deleted unexpectedly or incorrectly.

For the vNext environment, please note that mailbox audit logs are not enabled by default and need to be turned on for a user before beginning a search

How to run and check mailbox audit logs

Mailbox audit logging lets users obtain information about actions that are performed by non-owners and administrators. Mailbox audit logging is available to members of the Audit Reporting Mailbox self-service group only by using Windows Remote PowerShell.

Step 1: Run the script

To run the script, follow these steps:

1. Start Notepad, and then copy the following code into the file. The code uses the search-mailboxAuditLog command that is part of Microsoft Exchange Server.

Copy Below: 

param ([PARAMETER(Mandatory=$TRUE,ValueFromPipeline=$FALSE)]

[string]$Mailbox,

[PARAMETER(Mandatory=$TRUE,ValueFromPipeline=$FALSE)]

[string]$StartDate,

[PARAMETER(Mandatory=$TRUE,ValueFromPipeline=$FALSE)]

[string]$EndDate,

[PARAMETER(Mandatory=$FALSE,ValueFromPipeline=$FALSE)]

[string]$Subject,

[PARAMETER(Mandatory=$False,ValueFromPipeline=$FALSE)]

[switch]$IncludeFolderBind,

[PARAMETER(Mandatory=$False,ValueFromPipeline=$FALSE)]

[switch]$ReturnObject)

BEGIN {

  [string[]]$LogParameters = @('Operation', 'LogonUserDisplayName', 'LastAccessed', 'DestFolderPathName', 'FolderPathName', 'ClientInfoString', 'ClientIPAddress', 'ClientMachineName', 'ClientProcessName', 'ClientVersion', 'LogonType', 'MailboxResolvedOwnerName', 'OperationResult')

  }

  END {

    if ($ReturnObject)

    {return $SearchResults}

    elseif ($SearchResults.count -gt 0)

    {

    $Date = get-date -Format yyMMdd_HHmmss

    $OutFileName = "AuditLogResults$Date.csv"

    write-host

    write-host -fore green "Posting results to file: $OutfileName"

    $SearchResults | export-csv $OutFileName -notypeinformation -encoding UTF8

    }

    }

    PROCESS

    {

    write-host -fore green 'Searching Mailbox Audit Logs...'

    $SearchResults = @(search-mailboxAuditLog $Mailbox -StartDate $StartDate -EndDate $EndDate -LogonTypes Owner, Admin, Delegate -ShowDetails -resultsize 50000)

    write-host -fore green '$($SearchREsults.Count) Total entries Found'

    if (-not $IncludeFolderBind)

    {

    write-host -fore green 'Removing FolderBind operations.'

    $SearchResults = @($SearchResults | ? {$_.Operation -notlike 'FolderBind'})

    write-host -fore green 'Filtered to $($SearchREsults.Count) Entries'

    }

    $SearchResults = @($SearchResults | select ($LogParameters + @{Name='Subject';e={if (($_.SourceItems.Count -eq 0) -or ($_.SourceItems.Count -eq $null)){$_.ItemSubject} else {($_.SourceItems[0].SourceItemSubject).TrimStart(' ')}}},

    @{Name='CrossMailboxOp';e={if (@('SendAs','Create','Update') -contains $_.Operation) {'N/A'} else {$_.CrossMailboxOperation}}}))

    $LogParameters = @('Subject') + $LogParameters + @('CrossMailboxOp')

    If ($Subject -ne '' -and $Subject -ne $null)

    {

    write-host -fore green 'Searching for Subject: $Subject'

    $SearchResults = @($SearchResults | ? {$_.Subject -match $Subject -or $_.Subject -eq $Subject})

    write-host -fore green 'Filtered to $($SearchREsults.Count) Entries'

    }

    $SearchResults = @($SearchResults | select $LogParameters)

    }

1. On the File menu, click Save As.

2. In the Save as type box, click All File.

3. In the File name box, type Run-MailboxAuditLogSearcher.ps1, and then click Save.

4. Start Windows PowerShell, and then connect to Windows Remote PowerShell.

5. Locate the directory in which you saved the script, and then run the script.

 Note

• If you run the script without parameters, you will be prompted for the following default parameters:
  • Mailbox
  • StartDate
  • EndDate
• To search for entries from the current day, add one day to the end-date value in the prompt window. For example, if the current date is 3/14/2017, and you want to include the current day in your search, enter 4/15/2017  as the end date.