Forum Discussion

Jacob Airov's avatar
Jacob Airov
Copper Contributor
Feb 02, 2018

Auditing an O365 shared mailbox

I have turned on auditing on an Office 365 shared mailbox, but when I do a search at the audit logs I get zero results. I've expanded from the standard auditing and added the parameters "harddelete...
Auditing
office 365
Shared mailbox
VasilMichev's avatar
VasilMichev
MVP
Feb 02, 2018

It depends on the action performed. What method are you using to check the logs, if PowerShell, share the exact cmdlets just to double-check.

  • Jacob Airov's avatar
    Jacob Airov
    Copper Contributor
    Feb 02, 2018

    I started with-

    set-mailbox -identity "name" -auditenabled $true

    then i specified actions with-

    set-mailbox "name" -auditdelegate @{add="softdelete", "harddelete"}

    After i checked with-

    get-mailbox "name" | FL Audit*
      • Rob Wilcox's avatar
        Rob Wilcox
        Copper Contributor
        Feb 07, 2018

        I have also tested this a little bit in a lab environment.

         

        If I drag and drop items from my normal mailbox to a shared mailbox, then I see 'create' events:

         

        RecordType   : ExchangeItem
CreationDate : 2/6/2018 3:39:35 PM
UserIds      : rob.wilcox@mydomain
Operations   : Create
AuditData    : {"CreationTime":"2018-02-06T15:39:35","Id":"f3f641a9-ee7d-4512-f346-08d56d77d337","Operation":"Create","
               OrganizationId":"3d8d2c25-3f01-44c4-8451-55c7edd3d196","RecordType":2,"ResultStatus":"Succeeded","UserKe
               y":"10030000A2078A02","UserType":0,"Version":1,"Workload":"Exchange","UserId":"rob.wilcox@mydomain"
               ,"ClientIPAddress":"86.138.186.83","ClientInfoString":"Client=MSExchangeRPC","ClientProcessName":"OUTLOO
               K.EXE","ClientVersion":"15.0.4701.1000","ExternalAccess":false,"InternalLogonType":0,"LogonType":2,"Logo
               nUserSid":"S-1-5-21-3875625135-3762442642-3260609188-6692264","MailboxGuid":"ed664543-080a-4f46-9200-fa0
               0f1f89e81","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-3875625135-3762442642-3
               260609188-8243514","MailboxOwnerUPN":"junk@mydomain","OrganizationName":"mydomain.onmicrosoft.com"
               ,"OriginatingServer":"LOXP123MB1224 (15.20.0464.016)\u000d\u000a","Item":{"Id":"RgAAAAC4iGPlAX1lSIThCQIA
               YsbCBwDAuVyFXM\/SQoeCukWN61U0AAAAAAEMAADAuVyFXM\/SQoeCukWN61U0AAB8KSDqAAAJ","ParentFolder":{"Id":"LgAAAA
               C4iGPlAX1lSIThCQIAYsbCAQDAuVyFXM\/SQoeCukWN61U0AAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"test3"}}
ResultIndex  : 3
ResultCount  : 3
Identity     : f3f641a9-ee7d-4512-f346-08d56d77d337
IsValid      : True
ObjectState  : Unchanged

        The subject of the message was 'test3' and the path was indeed 'Inbox'

         

        But when I delete (soft or hard) I don't see those, I don't see them at all.

         

        The query I used is this (though I also tried broader ones as well around this date/time)

         

        search-unifiedauditlog -startdate 02/06/2018 -enddate 02/07/2018 -recordtype 'exchangeitem' -userids 'rob.wi lcox@mydomain.com'

         

Resources