Forum Discussion
Find Audit logs of a mailbox
- Dec 04, 2023
Exchange admin operations are also covered by the Unified audit log, so you probably need to expand your filters. The entries are stored as the actual cmdlet being run, which in this case should be Set-Mailbox.
You can run a more targeted search via PowerShell:
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-365) -EndDate (Get-Date).AddDays(1) -ResultSize 5 -FreeText "Type" -RecordType 1 -Operations Set-Mailbox
Hi @Andres,
Thanks for your response. I have been through the mentioned documentation and tried running the PowerShell command "Search-AdminAuditLog -Cmdlets Set-Mailbox -StartDate (Get-Date).AddDays(-365) -EndDate (Get-Date).AddDays(1)" and it returned all the Exchange admin activities over the last 90 days. However, we were able to recognise a few of the entries as planned activities, but there are many entries similar to the one mentioned below. We did notice that the ObjectModified field of the output is returning object IDs inside {}, and we cross-verified them with the object IDs of the users in question, but they do not match for any of them.
ObjectModified : NAMPR19A003.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/xx.onmicrosoft.com/SystemMailbox{object-id}
CmdletName : Set-Mailbox
CmdletParameters : {RecoverableItemsQuota, Force, Arbitration, ProhibitSendQuota...}
ModifiedProperties : {} (empty in the output itself)
Caller : ********
ExternalAccess : True
Succeeded : True
Error :
RunDate : 06-09-2023 09:08:37
OriginatingServer :
ClientIP :
SessionId :
AppId :
ClientAppId :
Identity :
IsValid : True
ObjectState : New
Also, why is Outlook making changes, and why do some results have "*******" (actual entries and not censored for privacy) and "NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)" in the "Caller" field?
Thanks,
Charlie933
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters Type -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) -ResultSize 5 -ExternalAccess:$false
If you are looking for the changes made against specific mailbox, also add the -ObjectIds parameter:
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters Type -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) -ResultSize 5 -ExternalAccess:$false -ObjectIds shared2020
- Charlie933, Dec 05, 2023, Copper Contributor
VasilMichev, the command below returns empty for both the UPN and the Azure object ID.
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters Type -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) -ResultSize 10 -ExternalAccess:$false -ObjectIds abs@domain
I have Exchange and Group Administrator roles assigned. Does the -ObjectIds flag require any additional permissions? The command seems to be working without the -ObjectIds flag, but we still do not get the logs of the mailboxes we are looking for.
Thanks,
Charlie933
- VasilMichev, Dec 05, 2023, MVP
No, no additional permissions. Are you perhaps using Hybrid? If the change was made on-premises, it will not show up in the Exchange Online logs.
The other possibility is that it was done over 90 days ago - this is the longest you can search via this method. Using the Unified audit log search above should cover 180 days minimum.
- Charlie933, Dec 06, 2023, Copper Contributor
VasilMichev, the PowerShell command mentioned in your first response worked. My mistake was that I modified the command to display results of the last 90 days, since we have only M365 Business Premium licenses. Apparently the changes we were looking for were made 5 months ago, and no wonder these didn't turn up with the Search-AdminAuditLog cmdlet.
Thanks a lot for your help and time 🙂
Regards,
Charlie933
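
The Unified audit log search that resolved the thread returns each entry's detail as a JSON string in AuditData, so the mailbox and parameter filtering that -ObjectIds and -Parameters did for Search-AdminAuditLog has to be done on the parsed records. The following is an added example, not code from any poster in the thread: the function name Get-MailboxTypeChange, its -Mailbox parameter, the sample records, and the AuditData field names used (Operation, UserId, ObjectId, ExternalAccess, Parameters) are assumptions to check against your own tenant's output.

```powershell
# Added example: filter Search-UnifiedAuditLog output for mailbox Type changes.
function Get-MailboxTypeChange {
    [CmdletBinding()]
    param(
        # Records as returned by Search-UnifiedAuditLog (each needs an AuditData JSON string).
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        # Optional substring matched against the modified object (hypothetical helper parameter).
        [string] $Mailbox
    )
    process {
        try { $d = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning 'Skipping record with unparsable AuditData'; return }

        if ($d.Operation -ne 'Set-Mailbox') { return }
        # Skip Microsoft datacenter activity (the ExternalAccess : True rows in the thread).
        if ($d.ExternalAccess -eq $true) { return }
        # Keep only calls that actually passed the Type parameter.
        $type = $d.Parameters | Where-Object Name -eq 'Type'
        if (-not $type) { return }
        if ($Mailbox -and $d.ObjectId -notlike "*$Mailbox*") { return }

        [pscustomobject]@{
            Time    = $d.CreationTime
            Caller  = $d.UserId
            Mailbox = $d.ObjectId
            NewType = $type.Value
        }
    }
}

# Constructed sample records (not real tenant data), shaped like ExchangeAdmin AuditData.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2023-07-03T10:15:00","Operation":"Set-Mailbox","UserId":"admin@contoso.example","ObjectId":"shared2020","ExternalAccess":false,"Parameters":[{"Name":"Identity","Value":"shared2020"},{"Name":"Type","Value":"Shared"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2023-09-06T09:08:37","Operation":"Set-Mailbox","UserId":"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)","ObjectId":"SystemMailbox{object-id}","ExternalAccess":true,"Parameters":[{"Name":"Arbitration","Value":"True"},{"Name":"Force","Value":"True"}]}' }
)
$sample | Get-MailboxTypeChange -Mailbox 'shared2020'

# Against a live tenant (after Connect-ExchangeOnline):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-180) -EndDate (Get-Date).AddDays(1) `
#     -RecordType ExchangeAdmin -Operations Set-Mailbox -ResultSize 5000 |
#     Get-MailboxTypeChange -Mailbox 'shared2020'
```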