Forum Discussion
lgtyar
Nov 02, 2021Copper Contributor
Shared Mailbox Deleted by User
Hi,
Recently we will like to investigate who is the user that had deleted a shared mailbox.
Can i know what cmdlet to captured the logs?
Thanks
- Is this for on-premises or Exchange Online? Generally speaking, you need to check the Exchange Admin Audit log and/or the Unified Audit log in Office 365. You will also need to cover the "AD" part, as they might have deleted the user object directly.
- lgtyarCopper ContributorVasilMichev Thanks for reply. It will be EXO. Can you advise if any cmdlets to extract the information on who deleted the shared calendar?
- Use this cmdlet to run a search against the Unified audit log:
Search-UnifiedAuditLog -EndDate (Get-Date) -StartDate (Get-Date).AddDays(-90) -Operation "Remove-Mailbox"
As mentioned above, you will likely need to cover some additional operations, such as "Delete user.". Check the documentation for more details: https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#user-administration-activities