Forum Discussion
Using Purview to audit a shared mailbox
I am trying to review the activity that has occurred in a shared mailbox over a specific period. From Exchange Online in PowerShell, I have managed to access data, but in Purview, I am not getting any results.
In Exchange Online, in PowerShell, I use the following commands to export the list of events to an Excel file:
$auditlogs = Search-MailboxAuditLog -Identity <shared mailbox> -StartDate "2024-09-02T15:00:00" -EndDate "2024-09-04T08:30:00" -ShowDetails
$auditLogs | Export-Csv -Path "C:\temp\auditLogs.csv" -NoTypeInformation -Encoding
I have entered Purview and tried several methods, but it always returns '0 results' in the queries. Is there something I need to enable? Any special permission or role required to use this service? What should I fill out in the 'Audit' interface of Purview to obtain the same records that I am getting in Exchange Online with the command shown above?
Thank you very much π
- kyazaferrIron ContributorPermissions:
Ensure you have the Audit Logs role in Microsoft Purview. This is part of the Compliance Administrator or Global Reader role, among others.
You may need specific permissions like View-Only Audit Logs or Audit Logs to search and access audit logs within Purview.
Audit Configuration:
Audit Logging must be enabled in Microsoft Purview. This is usually enabled by default, but itβs worth double-checking. You can verify this in the Microsoft 365 compliance center under Audit > Audit log search.
Purview Search Configuration:
When using the Audit interface in Purview:
Activities: Choose "Mailbox activities" to filter for mailbox-related actions.
Users: Specify the shared mailbox in the search field.
Date Range: Set the exact start and end dates to match those used in your PowerShell script.
Results: If you're still not seeing results, ensure the time zone settings in Purview match those used in your PowerShell command to avoid discrepancies.
Time Delay:
Note that there can be a delay in when events are available in Purview. It might take some time for events to be indexed and searchable in Purview, especially if the actions were very recent.- Francisco_CalditoCopper Contributor
Thanks for your prompt response. π
I answer you point by point:Permissions:
I have and admin role wich include the 'View-Only Audit Logs' and 'Audit Logs', so I can access the logs via ExchangeOnline. Do I have to assign myself roles just for Purview? I have added myself to 'Compilance Administrator'...
Audit Logging Enabled:
It is enabled, because:- Checked via Powershell:
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
Returns 'true'
- I have access to audit search form, so Audit Log must be enabled.
Using Audit interface:
Followed yor instructions:
- Selected ALL Exchange Activities using 'Friendly Names selector'
- In users, I set the shared mailbox email
- Set start and end date, GMT 0
- Didn't fill any other field
No results... π
Anything I'm doing wrong?