Parker0105
Copper Contributor
Jul 19, 2024

Issue with search mailbox audit log on Exchange Online

Hi Exchange experts

I have an issue with searching the audit logs with the mailboxes on Exchange Online.

I have a mailbox on Exchange Online. The properties of that mailbox are as follows

  • AuditEnabled: True
  • AuditLogAgeLimit : 90.00:00:00
  • AuditAdmin : {Update, MoveToDeletedItems, SoftDelete, HardDelete...}
  • AuditDelegate : {Update, MoveToDeletedItems, SoftDelete, HardDelete...}
  • AuditOwner : {Update, MoveToDeletedItems, SoftDelete, HardDelete...}
  • DefaultAuditSet : {Admin, Delegate, Owner}

I have conducted changes on this mailbox such as: changed the Send As permission, changed the Send on Behalf permission, delegated another user on this mailbox.

A few days later I used the Audit feature from the security.microsoft.com portal to search the log for the above activities on this mailbox, but I could not find any log entries for what I did a few days ago.

The options that I made when searching for mailbox logs

  • Date time range: selected the time period in which I made the change
  • Activities - friendly names: selected all activities on Exchange mailbox activities
  • Activities - operation name: blank
  • Record types: blank
  • Search name: blank
  • User: Selected user that has a mailbox I have changed.

Also, when I executed the syntax with Exchange PowerShell it doesn't show the change history that I want to see.

Search-MailboxAuditLog -Identity po.panda@mydomain -LogonTypes Admin, Delegate -StartDate 7/15/24 -EndDate 7/19/24 -ResultSize 5000

 

 

  • If you have made those changes as an admin, you will have to search the Admin audit log, not the mailbox one. For example:

    Search-AdminAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date).AddDays(1) -Cmdlets Add-MailboxPermission

    You can also use -ObjectId to designate the mailbox/recipient against whom the cmdlets were executed, or -UserId for the user who ran them.
  • Add the -ShowDetails parameter if you want to review the entries via PowerShell. Also, try using "neutral" date format, such as "17 Jul 2024".
    • Parker0105
      Copper Contributor
      Thanks bro, I have tried but still have no logs for change permission on the mailbox activity
      • VasilMichev
        MVP
        If you have made those changes as an admin, you will have to search the Admin audit log, not the mailbox one. For example:

        Search-AdminAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date).AddDays(1) -Cmdlets Add-MailboxPermission

        You can also use -ObjectId to designate the mailbox/recipient against whom the cmdlets were executed, or -UserId for the user who ran them.
  • Please try this command!
    Search-UnifiedAuditLog -StartDate 7/15/2024 -EndDate 7/19/2024 -SessionCommand ReturnLargeSet
    • Parker0105
      Copper Contributor
      Hi Tae
      This command will show all logs of users in my organization. What I need is to show the activity of a specific user, and the problem is that I am looking for the change permission on a mailbox activity for that user but there are no logs
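
The thread comes down to finding admin-made permission changes against one mailbox. As an added example (not code from any poster in this thread), the PowerShell filter below picks those changes out of unified audit log records by parsing each record's AuditData JSON. The helper name `Get-MailboxPermissionChange` is hypothetical, the sample records are constructed, and the cmdlet-to-change mapping and the use of ObjectId / Identity to locate the target mailbox are assumptions stated in the comments.

```powershell
# Added example. Cmdlets assumed to record the three changes from the question:
#   Send As          -> Add-RecipientPermission / Remove-RecipientPermission
#   Send on Behalf   -> Set-Mailbox with the GrantSendOnBehalfTo parameter
#   Mailbox delegate -> Add-MailboxPermission / Remove-MailboxPermission
$PermissionCmdlets = 'Add-MailboxPermission', 'Remove-MailboxPermission',
                     'Add-RecipientPermission', 'Remove-RecipientPermission', 'Set-Mailbox'

function Get-MailboxPermissionChange {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,  # object carrying an AuditData JSON string
        [Parameter(Mandatory)] [string] $Mailbox            # alias or address of the target mailbox
    )
    process {
        $d = $Record.AuditData | ConvertFrom-Json
        if ($d.Operation -notin $PermissionCmdlets) { return }
        $params = @($d.Parameters | Where-Object { $_ })
        # Set-Mailbox is used for many settings; keep only Send on Behalf edits.
        if ($d.Operation -eq 'Set-Mailbox' -and 'GrantSendOnBehalfTo' -notin $params.Name) { return }
        # Assumption: the target shows up in ObjectId and/or the -Identity argument.
        $target = "$($d.ObjectId) $(($params | Where-Object Name -eq 'Identity').Value)"
        if ($target.IndexOf($Mailbox, [StringComparison]::OrdinalIgnoreCase) -lt 0) { return }
        [pscustomobject]@{
            Time      = $d.CreationTime
            ChangedBy = $d.UserId
            Operation = $d.Operation
            Arguments = ($params | ForEach-Object { "-$($_.Name) $($_.Value)" }) -join ' '
        }
    }
}

# Constructed sample records (not real tenant data), shaped like unified audit log rows.
$sample = @(
  '{"CreationTime":"2024-07-16T08:12:05","Operation":"Add-RecipientPermission","UserId":"admin@example.com","ObjectId":"po.panda","Parameters":[{"Name":"Identity","Value":"po.panda"},{"Name":"Trustee","Value":"user1"},{"Name":"AccessRights","Value":"SendAs"}]}'
  '{"CreationTime":"2024-07-16T08:14:40","Operation":"Set-Mailbox","UserId":"admin@example.com","ObjectId":"po.panda","Parameters":[{"Name":"Identity","Value":"po.panda"},{"Name":"GrantSendOnBehalfTo","Value":"user1"}]}'
  '{"CreationTime":"2024-07-16T08:20:11","Operation":"Set-Mailbox","UserId":"admin@example.com","ObjectId":"po.panda","Parameters":[{"Name":"Identity","Value":"po.panda"},{"Name":"AuditEnabled","Value":"True"}]}'
  '{"CreationTime":"2024-07-17T10:02:33","Operation":"Add-MailboxPermission","UserId":"admin@example.com","ObjectId":"other.user","Parameters":[{"Name":"Identity","Value":"other.user"},{"Name":"User","Value":"user1"},{"Name":"AccessRights","Value":"FullAccess"}]}'
) | ForEach-Object { [pscustomobject]@{ AuditData = $_ } }

# Run the filter over the sample for one mailbox.
$sample | Get-MailboxPermissionChange -Mailbox 'po.panda' | Format-List

# Live use after Connect-ExchangeOnline:
# Search-UnifiedAuditLog -StartDate '15 Jul 2024' -EndDate '19 Jul 2024' -RecordType ExchangeAdmin `
#   -Operations $PermissionCmdlets -ResultSize 5000 | Get-MailboxPermissionChange -Mailbox 'po.panda'
```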
