Forum Discussion
Francisco_Caldito
Sep 04, 2024 | Copper Contributor
Using Purview to audit a shared mailbox
Good morning, I am trying to review the activity that has occurred in a shared mailbox over a specific period. From Exchange Online in PowerShell, I have managed to access data, but i...
kyazaferr
Sep 04, 2024 | Iron Contributor
Permissions:
Ensure you have the Audit Logs role in Microsoft Purview. This is part of the Compliance Administrator or Global Reader role, among others.
You may need specific permissions like View-Only Audit Logs or Audit Logs to search and access audit logs within Purview.
Audit Configuration:
Audit Logging must be enabled in Microsoft Purview. This is usually enabled by default, but it’s worth double-checking. You can verify this in the Microsoft 365 compliance center under Audit > Audit log search.
Purview Search Configuration:
When using the Audit interface in Purview:
Activities: Choose "Mailbox activities" to filter for mailbox-related actions.
Users: Specify the shared mailbox in the search field.
Date Range: Set the exact start and end dates to match those used in your PowerShell script.
Results: If you're still not seeing results, ensure the time zone settings in Purview match those used in your PowerShell command to avoid discrepancies.
Time Delay:
Note that there can be a delay in when events are available in Purview. It might take some time for events to be indexed and searchable in Purview, especially if the actions were very recent.
- Francisco_Caldito | Sep 04, 2024 | Copper Contributor
Thanks for your prompt response. 🙂
I'll answer you point by point:
Permissions:
I have an admin role which includes 'View-Only Audit Logs' and 'Audit Logs', so I can access the logs via Exchange Online. Do I have to assign myself roles just for Purview? I have added myself to 'Compliance Administrator'...
Audit Logging Enabled:
It is enabled, because:
- Checked via PowerShell:
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
Returns 'true'
- I have access to the audit search form, so Audit Log must be enabled.
Using Audit interface:
Followed your instructions:
- Selected ALL Exchange Activities using 'Friendly Names selector'
- In users, I set the shared mailbox email
- Set start and end date, GMT 0
- Didn't fill any other field
No results... 😞
Anything I'm doing wrong?
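One way to cross-check the portal search from PowerShell, added here as an example (it is not code from either poster): it repeats the checks mentioned in the thread, runs the search over a UTC window, and selects records by the mailbox named inside each record's AuditData rather than by the user field. The mailbox address, the dates, and the reliance on the `MailboxOwnerUPN`, `UserId`, `Operation`, `LogonType` and `CreationTime` fields of Exchange item records are assumptions.

```powershell
# Added example. Assumes an active Connect-ExchangeOnline session.
$SharedMailbox = 'shared@contoso.example'    # hypothetical address
$StartLocal    = Get-Date '2024-09-01 00:00' # constructed sample window (local time)
$EndLocal      = Get-Date '2024-09-04 00:00'

# 1. Tenant-level ingestion into the unified audit log (same check as in the thread).
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw 'Unified audit log ingestion is disabled for this tenant.'
}

# 2. Mailbox-level auditing on the shared mailbox itself.
Get-Mailbox -Identity $SharedMailbox | Format-List AuditEnabled, AuditLogAgeLimit

# 3. Convert the window to UTC so it lines up with a portal search entered as GMT 0.
$StartUtc = $StartLocal.ToUniversalTime()
$EndUtc   = $EndLocal.ToUniversalTime()

# 4. Page through Exchange item records for the window (no user filter).
$sessionId = [guid]::NewGuid().ToString()
$records   = @()
do {
    $page = @(Search-UnifiedAuditLog -StartDate $StartUtc -EndDate $EndUtc `
                -RecordType ExchangeItem -ResultSize 5000 `
                -SessionId $sessionId -SessionCommand ReturnLargeSet)
    $records += $page
} while ($page.Count -eq 5000)

# 5. Keep records whose AuditData names the shared mailbox as owner.
#    Assumption: the acting account is in UserId, the mailbox in MailboxOwnerUPN.
$hits = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc   = $d.CreationTime
        Actor     = $d.UserId
        Mailbox   = $d.MailboxOwnerUPN
        Operation = $d.Operation
        LogonType = $d.LogonType
    }
} | Where-Object { $_.Mailbox -eq $SharedMailbox }

# 6. Timeline of activity, then a per-actor count to use as the Users value in a portal search.
$hits | Sort-Object TimeUtc | Format-Table -AutoSize
$hits | Group-Object Actor | Select-Object Name, Count
```

Keep the window short when running this, since step 4 pulls every Exchange item record in the tenant for that period before filtering.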