Dec 04 2023 11:24 AM
We have noticed that mailboxes of couple of users are converted to shared mailboxes and send as permissions are added to random users in our tenant. We have run a audit search from compliance.microsoft.com using users mail id in users' field and "exchange" in workloads. But the results are related to the activities done by the users in their mailbox like create, edit, delete a mail. Is there any specific to find our who converted those mailboxes to shared mailboxes?
Dec 04 2023 11:38 PM
SolutionDec 05 2023 02:16 AM
Hi @VasilMichev,
Thank you for the guidance. I've tried running the suggested PowerShell command by setting -resultsize 2000, but unfortunately, it returns operations performed by me and those do not include the converted mailboxes. is there anything i'm missing?
Thanks,
Charlie933
Dec 05 2023 02:29 AM - edited Dec 10 2023 05:33 AM
Hi @Andres,
Thanks for your response. I have been through the mentioned documentation and tried running the powershell command "Search-AdminAuditLog -Cmdlets Set-Mailbox -StartDate (Get-Date).AddDays(-365) -EndDate (Get-Date).AddDays(1)" and it returned all the exchange admin activities over the last 90 days. However, we were able to recognise few of the entries as planned activities but there are many entires similar to the mentioned below. We did notice that object modified is returning object-ids inside {} of objectmodified field of the output and cross verified it with the object-ids of the users which are in question but they do not match for any of them.
ObjectModified : NAMPR19A003.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/xx.onmicrosoft.com/SystemMailbox{object-id}
CmdletName : Set-Mailbox
CmdletParameters : {RecoverableItemsQuota, Force, Arbitration, ProhibitSendQuota...}
ModifiedProperties : {} (empty in the output itself)
Caller : ********
ExternalAccess : True
Succeeded : True
Error :
RunDate : 06-09-2023 09:08:37
OriginatingServer :
ClientIP :
SessionId :
AppId :
ClientAppId :
Identity :
IsValid : True
ObjectState : New
Also why is outlook making changes and why do some results have "*******" (actual entries and not censored for privacy) and "NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)" in the "caller" field?
Thanks,
Charlie933
Dec 05 2023 07:58 AM
Dec 05 2023 09:45 AM
Dec 05 2023 11:25 PM
Dec 06 2023 02:04 AM
Dec 04 2023 11:38 PM
Solution