Forum Discussion
stathisgrig (Copper Contributor)
Dec 16, 2022
Finding who deleted a message from a Microsoft 365 Group
We recently had a very bad experience: in a Microsoft 365 group, a user deleted all emails by mistake. The recovery has been done via PowerScript, but how do we find which user did the wrong action? Is there a log file to find who deleted all the messages?
5 Replies
- You should be able to run a unified audit log query for that: https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-search?view=o365-worldwide
Something like this should do:
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date).AddDays(1) -FreeText 6af149c3-xxxx-xxxx-xxxx-7d2daa61e83d -RecordType ExchangeItem
where you have to provide the ExchangeGUID value for the group (not the same thing as the ExternalDirectoryObjectId or other identifiers).
- stathisgrig (Copper Contributor)
I searched and found the ExchangeGUID of the Microsoft 365 Group with Get-EXOMailboxStatistics, but Search-UnifiedAuditLog doesn't display anything. Is there any log for the users in the MS 365 E3 licenses by default?
The problem is that I cannot find anything to see log files for users accessing or deleting messages in Microsoft 365 Groups.
- Accessing items is not audited for Groups, deleting items is. You can refer to the following table for more details: https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide#mailbox-actions-for-microsoft-365-group-mailboxes
If the above query doesn't return any details, you can try extending the date range, and double-check the ExchangeGUID value. Alternatively, you can try exporting the full set of audit records, either via PowerShell or the UI, and filter the results afterwards. Here's how to do this via the UI: https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-search?view=o365-worldwide
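
One way to do the "export and filter afterwards" step from the last reply, as an added example that is not part of the thread. It parses the AuditData JSON of each record and assumes the Exchange mailbox audit fields Operation, MailboxGuid, UserId, ClientIPAddress and AffectedItems; the function name Get-GroupDeleteSummary and the sample records are made up for illustration.

```powershell
# Added example: summarise who deleted items from one group mailbox.
# Input: unified audit records (Search-UnifiedAuditLog output or a re-imported export).
function Get-GroupDeleteSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [Parameter(Mandatory)] [string] $ExchangeGuid
    )
    begin {
        $deleteOps = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems'
        $hits = [System.Collections.Generic.List[object]]::new()
    }
    process {
        $d = $Record.AuditData | ConvertFrom-Json   # AuditData is a JSON string
        # Match on operation and mailbox GUID inside the record, not on RecordType.
        if ($d.Operation -notin $deleteOps -or $d.MailboxGuid -ne $ExchangeGuid) { return }
        $hits.Add([pscustomobject]@{
            Time      = [datetime]$d.CreationTime
            User      = $d.UserId
            Operation = $d.Operation
            ClientIP  = $d.ClientIPAddress
            Items     = if ($d.AffectedItems) { @($d.AffectedItems).Count } else { 0 }
        })
    }
    end {
        # One row per user and operation: event count, item count, time window, source IPs.
        $hits | Group-Object User, Operation | ForEach-Object {
            $g = @($_.Group | Sort-Object Time)
            [pscustomobject]@{
                User      = $g[0].User
                Operation = $g[0].Operation
                Events    = $g.Count
                Items     = ($g | Measure-Object Items -Sum).Sum
                First     = $g[0].Time
                Last      = $g[-1].Time
                ClientIPs = ($g.ClientIP | Sort-Object -Unique) -join ', '
            }
        }
    }
}

# Constructed sample records (placeholder GUID, users and IPs), not real log data.
$guid = '00000000-0000-0000-0000-000000000001'
$sample = @(
    @{ CreationTime='2022-12-10T09:14:05'; Operation='SoftDelete'; UserId='alice@example.com'; MailboxGuid=$guid; ClientIPAddress='203.0.113.10'; AffectedItems=@(@{Subject='Q4 plan'}, @{Subject='Minutes'}) },
    @{ CreationTime='2022-12-10T09:14:09'; Operation='SoftDelete'; UserId='alice@example.com'; MailboxGuid=$guid; ClientIPAddress='203.0.113.10'; AffectedItems=@(@{Subject='Budget'}) },
    @{ CreationTime='2022-12-11T08:00:00'; Operation='Create'; UserId='bob@example.com'; MailboxGuid=$guid; ClientIPAddress='203.0.113.20' }
) | ForEach-Object { [pscustomobject]@{ AuditData = ($_ | ConvertTo-Json -Depth 5) } }
$sample | Get-GroupDeleteSummary -ExchangeGuid $guid | Format-Table -AutoSize
# Live use (connected Exchange Online session): pipe Search-UnifiedAuditLog output in instead of $sample.
```

On the sample data this yields a single row for alice@example.com with two SoftDelete events covering three items; the Create record is ignored.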