Jacob Airov
Feb 02, 2018 Copper Contributor
Auditing an O365 shared mailbox
I have turned on auditing on an Office 365 shared mailbox, but when I do a search at the audit logs I get zero results.
I've expanded from the standard auditing and added the parameters "harddelete...
Jacob Airov
Feb 02, 2018 Copper Contributor
I started with:
set-mailbox -identity "name" -auditenabled $true
Then I specified actions with:
set-mailbox "name" -auditdelegate @{add="softdelete", "harddelete"}
Afterwards I checked with:
get-mailbox "name" | FL Audit*
Pablo R. Ortiz
Feb 03, 2018 Iron Contributor
Following VasilMichev's reply, please perform a search using the Search-MailboxAuditLog cmdlet
https://technet.microsoft.com/en-us/library/ff522360(v=exchg.160).aspx
Also, you can try searching audit logs in Security and Compliance center, or by running Search-UnifiedAuditLog cmdlet
- Rob Wilcox Feb 07, 2018 Copper Contributor
I have also tested this a little bit in a lab environment.
If I drag and drop items from my normal mailbox to a shared mailbox, then I see 'create' events:
RecordType   : ExchangeItem
CreationDate : 2/6/2018 3:39:35 PM
UserIds      : rob.wilcox@mydomain
Operations   : Create
AuditData    : {"CreationTime":"2018-02-06T15:39:35","Id":"f3f641a9-ee7d-4512-f346-08d56d77d337","Operation":"Create","
               OrganizationId":"3d8d2c25-3f01-44c4-8451-55c7edd3d196","RecordType":2,"ResultStatus":"Succeeded","UserKe
               y":"10030000A2078A02","UserType":0,"Version":1,"Workload":"Exchange","UserId":"rob.wilcox@mydomain"
               ,"ClientIPAddress":"86.138.186.83","ClientInfoString":"Client=MSExchangeRPC","ClientProcessName":"OUTLOO
               K.EXE","ClientVersion":"15.0.4701.1000","ExternalAccess":false,"InternalLogonType":0,"LogonType":2,"Logo
               nUserSid":"S-1-5-21-3875625135-3762442642-3260609188-6692264","MailboxGuid":"ed664543-080a-4f46-9200-fa0
               0f1f89e81","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-3875625135-3762442642-3
               260609188-8243514","MailboxOwnerUPN":"junk@mydomain","OrganizationName":"mydomain.onmicrosoft.com"
               ,"OriginatingServer":"LOXP123MB1224 (15.20.0464.016)\u000d\u000a","Item":{"Id":"RgAAAAC4iGPlAX1lSIThCQIA
               YsbCBwDAuVyFXM\/SQoeCukWN61U0AAAAAAEMAADAuVyFXM\/SQoeCukWN61U0AAB8KSDqAAAJ","ParentFolder":{"Id":"LgAAAA
               C4iGPlAX1lSIThCQIAYsbCAQDAuVyFXM\/SQoeCukWN61U0AAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"test3"}}
ResultIndex  : 3
ResultCount  : 3
Identity     : f3f641a9-ee7d-4512-f346-08d56d77d337
IsValid      : True
ObjectState  : Unchanged
The subject of the message was 'test3' and the path was indeed 'Inbox'.
But when I delete (soft or hard) I don't see those, I don't see them at all.
The query I used is this (though I also tried broader ones as well around this date/time):
search-unifiedauditlog -startdate 02/06/2018 -enddate 02/07/2018 -recordtype 'exchangeitem' -userids 'rob.wilcox@mydomain.com'
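
Added example, not part of any post in this thread: a PowerShell helper that parses the AuditData JSON of ExchangeItem records like the one shown above, keeps only events for one mailbox (matched on the MailboxOwnerUPN field), counts them per operation and logon type, and lists which expected delete operations produced no events. The function name, the example.test addresses and the sample records are constructed for illustration; the LogonType names assume the mailbox audit schema values 0 = Owner, 1 = Admin, 2 = Delegate.

```powershell
# Hypothetical helper (added example). Input: objects carrying an AuditData JSON string,
# the shape returned by Search-UnifiedAuditLog for -RecordType ExchangeItem.
function Get-MailboxOperationSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [Parameter(Mandatory)] [string]   $MailboxUpn,   # mailbox acted on, not the actor
        [string[]] $Expected = @('SoftDelete', 'HardDelete')
    )
    # Assumed mapping of the LogonType field in the mailbox audit schema.
    $logonNames = @{ 0 = 'Owner'; 1 = 'Admin'; 2 = 'Delegate' }

    $events = @(foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        # Filter on the mailbox that was acted on; UserId only names the actor.
        if ($d.MailboxOwnerUPN -eq $MailboxUpn) {
            [pscustomobject]@{
                Operation = $d.Operation
                Actor     = $d.UserId
                LogonType = $logonNames[[int]$d.LogonType]
            }
        }
    })

    $seen = @($events | ForEach-Object { $_.Operation } | Sort-Object -Unique)
    [pscustomobject]@{
        Mailbox = $MailboxUpn
        Counts  = @($events | Group-Object Operation, LogonType | Select-Object Name, Count)
        Missing = @($Expected | Where-Object { $_ -notin $seen })
    }
}

# Constructed sample records (not real audit data).
$records = @(
    [pscustomobject]@{ AuditData = '{"Operation":"Create","UserId":"user1@example.test","LogonType":2,"MailboxOwnerUPN":"shared@example.test"}' }
    [pscustomobject]@{ AuditData = '{"Operation":"Create","UserId":"user2@example.test","LogonType":2,"MailboxOwnerUPN":"shared@example.test"}' }
    [pscustomobject]@{ AuditData = '{"Operation":"SoftDelete","UserId":"user1@example.test","LogonType":0,"MailboxOwnerUPN":"user1@example.test"}' }
)

$summary = Get-MailboxOperationSummary -Records $records -MailboxUpn 'shared@example.test'
$summary.Counts | Format-Table -AutoSize
"Expected operations with no events for $($summary.Mailbox): $($summary.Missing -join ', ')"
```

Against a live tenant, pass the output of Search-UnifiedAuditLog for the same date range as -Records; a non-empty Missing list for the shared mailbox matches the symptom described in the thread.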