Forum Discussion
Audit booking changes
Have users reporting long-standing discrepancies on room bookings - stuff being cancelled months ago, but not showing anywhere. I remember in the past, being able to audit this. Unfortunately, we now have Purview - a tool we didn't ask for, don't want, but allegedly are forced to use.
These are Resources in 365, they have Exchange Mailboxes. Exchange has a tool to search for changes, but demands the subject line. The booking has been removed by the users - and I have no idea if this wants the original 'Booking' or the 'Re: Booking' or the 'FW: booking' or which of the 120 emails were generated. So I'm looking for alternative ways.
I believe in the past, I did this via Defender. There WERE activities for Mailbox changes within this audit tool. They appear to be gone - or searching for Mailbox just removes all activities labeled 'Mailbox', I'm not sure. CoPilot gives me an evolving series of deprecated/possibly non-existent cmdlets for powershell, so that's fun.
please do not refer me to another terrible marketing 'article'.. I have read so many, learned absolutely nothing useful, and I'm over it.
Thank you
3 Replies
Would suggest:
1. Use Microsoft Purview Audit Log with Specific Operations
- Purview Audit logs user and admin activities across Microsoft 365, including Exchange Online resource mailbox operations.
- Search for calendar-related operations such as "Update calendar event", "Delete calendar event", or "Remove calendar event" in the audit log.
- Use PowerShell or the Purview portal to filter by these operations rather than subject lines.
2. Search by Calendar Event ID or Organizer
- If you can obtain the calendar event ID or organizer's email, use these as filters in audit log searches.
- This avoids ambiguity caused by multiple email threads with varying subject prefixes (Re:, FW:).
- You may extract event IDs from user calendars or resource mailbox calendar logs.
3. Use Exchange Online PowerShell Cmdlets for Calendar Auditing
- Cmdlets like Search-UnifiedAuditLog with parameters filtering on calendar or mailbox activities can help.
- Example: Search for CalendarEvent related audit records with date ranges and user/resource mailbox filters.
4. Enable and Use Mailbox Audit Logging for Resource Mailboxes
- Ensure mailbox audit logging is enabled on resource mailboxes.
- This logs actions like calendar event creation, modification, and deletion.
- Use Get-MailboxAuditLog or audit log search to retrieve these actions.
5. Use Microsoft Defender Portal Audit Log Search as a Backup
- Defender portal audit log search is identical to Purview’s but sometimes offers a more user-friendly interface.
- It supports searching user/admin mailbox activities and might provide better filtering options.
- Requires appropriate permissions (Organization Management or Compliance Management role).
6. Consider Third-Party or Custom Tools
- If native tools are insufficient, consider third-party Microsoft 365 auditing tools that specialize in calendar and resource mailbox activities.
follow-up to this
1. those operation names don't return anything, and I can't find any operation names that do - at least not relating to calendar/booking. What I CAN find is normal Exchange items (create item, for example) for these bookings - if i look at the delegates. The problem is, there's several hundred items for each room, for each day. Try to sort through this to find 2 bookings, on 2 rooms, over hundreds of entries for 9 rooms... it's not an option. Moreover, these don't say what was done - just what folder stuff went to, and the IMID. Searching for the room resource as the user does nothing.
2. Mailbox Audit Logging is enabled. Get-MailboxAuditLog is not a cmdlet, atleast not in EOM.. Get-CalendarDiagnosticLog returns that it's deprecated, with a link to 'https://aka.ms/tmrn' about something completely unrelated.... so,, how do i search this audit log I've enabled?Thank you for this - this is really helpful.
