Forum Discussion

Francisco_Caldito's avatar
Francisco_Caldito
Copper Contributor
Sep 04, 2024

Using Purview to audit a shared mailbox

Good morning,
 

I am trying to review the activity that has occurred in a shared mailbox over a specific period. From Exchange Online in PowerShell, I have managed to access data, but in Purview, I am not getting any results.

 

In Exchange Online, in PowerShell, I use the following commands to export the list of events to an Excel file:

 

$auditlogs = Search-MailboxAuditLog -Identity <shared mailbox> -StartDate "2024-09-02T15:00:00" -EndDate "2024-09-04T08:30:00" -ShowDetails
$auditLogs | Export-Csv -Path "C:\temp\auditLogs.csv" -NoTypeInformation -Encoding

 

 

I have entered Purview and tried several methods, but it always returns '0 results' in the queries. Is there something I need to enable? Any special permission or role required to use this service? What should I fill out in the 'Audit' interface of Purview to obtain the same records that I am getting in Exchange Online with the command shown above?

 

 

 Thank you very much πŸ™‚

 

 

  • kyazaferr's avatar
    kyazaferr
    Iron Contributor
    Permissions:

    Ensure you have the Audit Logs role in Microsoft Purview. This is part of the Compliance Administrator or Global Reader role, among others.
    You may need specific permissions like View-Only Audit Logs or Audit Logs to search and access audit logs within Purview.
    Audit Configuration:

    Audit Logging must be enabled in Microsoft Purview. This is usually enabled by default, but it’s worth double-checking. You can verify this in the Microsoft 365 compliance center under Audit > Audit log search.
    Purview Search Configuration:

    When using the Audit interface in Purview:
    Activities: Choose "Mailbox activities" to filter for mailbox-related actions.
    Users: Specify the shared mailbox in the search field.
    Date Range: Set the exact start and end dates to match those used in your PowerShell script.
    Results: If you're still not seeing results, ensure the time zone settings in Purview match those used in your PowerShell command to avoid discrepancies.
    Time Delay:

    Note that there can be a delay in when events are available in Purview. It might take some time for events to be indexed and searchable in Purview, especially if the actions were very recent.
    • Francisco_Caldito's avatar
      Francisco_Caldito
      Copper Contributor

      kyazaferr 

       

      Thanks for your prompt response. πŸ™‚
      I answer you point by point:

      Permissions:

      I have and admin role wich include the 'View-Only Audit Logs' and 'Audit Logs', so I can access the logs via ExchangeOnline. Do I have to assign myself roles just for Purview? I have added myself to 'Compilance Administrator'...

       

       

      Audit Logging Enabled:
      It is enabled, because:

       - Checked via Powershell:

      Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

      Returns 'true'

       

       - I have access to audit search form, so Audit Log must be enabled. 

      Using Audit interface:

       

      Followed yor instructions:

       - Selected ALL Exchange Activities using 'Friendly Names selector'

       - In users, I set the shared mailbox email

       - Set start and end date, GMT 0

       - Didn't fill any other field

       

       

      No results... πŸ˜ž

       

      Anything I'm doing wrong?

       

Resources