Forum Discussion
stathisgrig
Dec 16, 2022 | Copper Contributor
Finding who deleted a message from a Microsoft 365 Group
We recently had a very bad experience: in a Microsoft 365 group, a user deleted all emails by mistake. The recovery has been done via PowerScript, but how do we find which user did the wrong action, i...
stathisgrig
Dec 18, 2022 | Copper Contributor
I searched and found the ExchangeGUID of the Microsoft 365 Group with Get-EXOMailboxStatistics, but Search-UnifiedAuditLog doesn't display anything. Is there any log for the users in the MS 365 E3 licenses by default?
The problem is that I cannot find anything to see log files for accessing or deleting messages from the users to Microsoft 365 Groups.
VasilMichev
Dec 18, 2022 | MVP
Accessing items is not audited for Groups, deleting items is. You can refer to the following table for more details: https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide#mailbox-actions-for-microsoft-365-group-mailboxes
If the above query doesn't return any details, you can try extending the date range, and double-check the ExchangeGUID value. Alternatively, you can try exporting the full set of audit records, either via PowerShell or the UI, and filter the results afterwards. Here's how to do this via the UI: https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-search?view=o365-worldwide
- stathisgrig | Dec 18, 2022 | Copper Contributor
So, is there a PowerShell command to find users, time that deleted from a Microsoft 365 group messages? Tried many commands but nothing... Also searched Audit from MS 365 Defender or Azure, nothing also... or something I do wrong...
- VasilMichev | Dec 19, 2022 | MVP
The cmdlet above should work. Here's an example from my tenant:
If you are not getting any results, expand the search criteria. Remove the -RecordType parameter to cover even more scenarios.
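
Added example, not part of the thread and not any poster's code: one way to do the "export the audit records and filter afterwards" step discussed above. The function name `Get-GroupMailboxDeletion`, the sample records and the GUID are constructed for illustration, and the AuditData field names (`MailboxGuid`, `UserId`, `Operation`, `CreationTime`, `ClientIPAddress`, `AffectedItems`) are assumed to match the Exchange mailbox audit record schema in your tenant.

```powershell
# Added example: filter audit records for delete actions against one group mailbox.
function Get-GroupMailboxDeletion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,  # object carrying an AuditData JSON string
        [Parameter(Mandatory)] [guid] $MailboxGuid           # ExchangeGuid of the group mailbox
    )
    begin { $deleteOps = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems' }
    process {
        # Skip rows whose AuditData is missing or not valid JSON.
        try { $d = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop } catch { return }
        if ($d.Operation -notin $deleteOps) { return }
        # Compare as GUIDs so case and brace formatting differences do not hide a match.
        $g = [guid]::Empty
        if (-not [guid]::TryParse([string]$d.MailboxGuid, [ref]$g)) { return }
        if ($g -ne $MailboxGuid) { return }
        [pscustomobject]@{
            TimeUtc   = $d.CreationTime
            User      = $d.UserId
            Operation = $d.Operation
            ClientIP  = $d.ClientIPAddress
            Subjects  = @($d.AffectedItems.Subject) -join '; '
        }
    }
}

# Constructed sample records (not real tenant data), shaped like Search-UnifiedAuditLog output.
$group = '11111111-2222-3333-4444-555555555555'
$other = '99999999-8888-7777-6666-555555555555'
$sample = @(
    @{ CreationTime = '2022-12-15T09:41:07'; Operation = 'SoftDelete'; UserId = 'user1@contoso.example'
       MailboxGuid = $group; ClientIPAddress = '203.0.113.10'
       AffectedItems = @(@{ Subject = 'Weekly report' }, @{ Subject = 'Budget' }) },
    @{ CreationTime = '2022-12-15T09:50:00'; Operation = 'Create'; UserId = 'user2@contoso.example'
       MailboxGuid = $group; AffectedItems = @(@{ Subject = 'New thread' }) },
    @{ CreationTime = '2022-12-15T10:02:30'; Operation = 'HardDelete'; UserId = 'user3@contoso.example'
       MailboxGuid = $other; AffectedItems = @(@{ Subject = 'Unrelated' }) }
) | ForEach-Object { [pscustomobject]@{ AuditData = ($_ | ConvertTo-Json -Depth 5) } }

# Only the first record is a delete in the target group mailbox.
$sample | Get-GroupMailboxDeletion -MailboxGuid $group | Format-Table -AutoSize

# Live use (after Connect-ExchangeOnline, with audit log permissions; no -RecordType, as suggested above):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#     -Operations SoftDelete,HardDelete,MoveToDeletedItems -ResultSize 5000 |
#     Get-GroupMailboxDeletion -MailboxGuid '<group ExchangeGuid>'
```

Filtering on the parsed `MailboxGuid` rather than on free text avoids missing records because of GUID formatting; a single call returns at most 5000 records, so narrow the date range if the result looks truncated.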