Forum Discussion
Parker0105
Jul 19, 2024Copper Contributor
Issue with search mailbox audit log on Exchange Online
Hi Exchange experts
I have an issue with searching the audit logs with the mailboxes on Exchange Online.
I have a mailbox on Exchange Online. The properties of that mailbox are as follows
- AuditEnabled: True
- AuditLogAgeLimit : 90.00:00:00
- AuditAdmin : {Update, MoveToDeletedItems, SoftDelete, HardDelete...}
- AuditDelegate : {Update, MoveToDeletedItems, SoftDelete, HardDelete...}
- AuditOwner : {Update, MoveToDeletedItems, SoftDelete, HardDelete...}
- DefaultAuditSet : {Admin, Delegate, Owner}
I have conduted the changes on this maibox such as: changed the Send as permission, changed the Send on behafl, delegated another user on this mailbox.
A few days later I used the Audit feature from security.microsoft.com portal to search the log for above activities with this maibox but I could not find any entries log that I did a few days ago.
The options that I made when searching for mailbox logs
- Date time range: selected the time period in which I made the change
- Activities - friendly names: selected all activities on Exchange maibox activities
- Activities - operation name: blank
- Record types: blank
- Search name: blank
- User: Selected user that has a mailbox I have changed.
Also, when I executed the syntax with Exchange PowerShell it doesn't show the change history that I want to see.
Search-MailboxAuditLog -Identity po.panda@mydomain -LogonTypes Admin, Delegate -StartDate 7/15/24 -EndDate 7/19/24 -ResultSize 5000
- If you have made those changes as an admin, you will have to search the Admin audit log, not the mailbox one. For example:
Search-AdminAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date).AddDays(1) -Cmdlets Add-MailboxPermission
You can also use -ObjectId to designate the mailbox/recipient against who the cmdlets were executed, or -UserId for the user who run them,
- Add the -ShowDetails parameter if you want to review the entries via PowerShell. Also, try using "neutral" date format, such as "17 Jul 2024".
- Parker0105Copper ContributorThanks bro, I have tried but till have no logs for change permission on the mailbox activity
- If you have made those changes as an admin, you will have to search the Admin audit log, not the mailbox one. For example:
Search-AdminAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date).AddDays(1) -Cmdlets Add-MailboxPermission
You can also use -ObjectId to designate the mailbox/recipient against who the cmdlets were executed, or -UserId for the user who run them,
- Please try command!
Search-UnifiedAuditLog -StartDate 7/15/2024 -EndDate 7/19/2024 -SessionCommand ReturnLargeSet- Parker0105Copper ContributorHi Tae
This command it will show all log of user in the my organization. What I need is to show the activity of a specific user, and the problem is that I am looking for the change permission on a mailbox activity for that user but there are no logs