Forum Discussion

Charlie933
Copper Contributor
Dec 04, 2023

Find Audit logs of a mailbox

We have noticed that the mailboxes of a couple of users are converted to shared mailboxes and Send As permissions are added to random users in our tenant. We have run an audit search from compliance.microsoft.com using the users' mail ID in the users field and "exchange" in workloads. But the results are related to the activities done by the users in their mailbox like create, edit, delete a mail. Is there any specific way to find out who converted those mailboxes to shared mailboxes?

  • Exchange admin operations are also covered by the Unified audit log, so you probably need to expand your filters. The entries are stored as the actual cmdlet being run, which in this case should be Set-Mailbox.

    You can run a more targeted search via PowerShell:

    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-365) -EndDate (Get-Date).AddDays(1) -ResultSize 5 -FreeText "Type" -RecordType 1 -Operations Set-Mailbox
    • Charlie933
      Copper Contributor

      Hi VasilMichev,

      Thank you for the guidance. I've tried running the suggested PowerShell command by setting -ResultSize 2000, but unfortunately, it returns operations performed by me and those do not include the converted mailboxes. Is there anything I'm missing?

      Thanks,

      Charlie933

    • Charlie933
      Copper Contributor

      Hi @Andres,

      Thanks for your response. I have been through the mentioned documentation and tried running the PowerShell command "Search-AdminAuditLog -Cmdlets Set-Mailbox -StartDate (Get-Date).AddDays(-365) -EndDate (Get-Date).AddDays(1)" and it returned all the Exchange admin activities over the last 90 days. However, we were able to recognise a few of the entries as planned activities but there are many entries similar to the one mentioned below. We did notice that the ObjectModified field of the output is returning object IDs inside {}, and we cross-verified them with the object IDs of the users in question, but they do not match for any of them.

      ObjectModified : NAMPR19A003.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/xx.onmicrosoft.com/SystemMailbox{object-id}
      CmdletName : Set-Mailbox
      CmdletParameters : {RecoverableItemsQuota, Force, Arbitration, ProhibitSendQuota...}
      ModifiedProperties : {} (empty in the output itself)
      Caller : ********
      ExternalAccess : True
      Succeeded : True
      Error :
      RunDate : 06-09-2023 09:08:37
      OriginatingServer : 
      ClientIP :
      SessionId :
      AppId :
      ClientAppId :
      Identity :
      IsValid : True
      ObjectState : New


      Also, why is Outlook making changes, and why do some results have "*******" (actual entries and not censored for privacy) and "NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)" in the "Caller" field?

      Thanks,
      Charlie933

      • VasilMichev
        MVP
        Those are "external" or "system" entries, you can filter them out.

        Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters Type -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) -ResultSize 5 -ExternalAccess:$false

        If you are looking for the changes made against specific mailbox, also add the -ObjectIds parameter:

        Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters Type -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) -ResultSize 5 -ExternalAccess:$false -ObjectIds shared2020
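
Added example, not part of the original thread or any poster's own code: one way to combine the filters discussed above into a single review of who changed the mailbox type and who granted Send As on the mailboxes in question. It assumes an open Exchange Online PowerShell session; the mailbox identities are placeholders, and the Add-RecipientPermission search is an addition that covers the Send As grants described in the question.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already open
# (Connect-ExchangeOnline) and the account is allowed to run Search-AdminAuditLog.
# The mailbox identities below are placeholders, not values from the thread.
$mailboxes = @('shared-mailbox-1', 'shared-mailbox-2')

# Arguments shared by both searches: skip "external"/system entries and
# limit results to changes made against the mailboxes under investigation.
$common = @{
    StartDate      = (Get-Date).AddDays(-90)
    EndDate        = (Get-Date).AddDays(1)
    ObjectIds      = $mailboxes
    ExternalAccess = $false
    ResultSize     = 1000
}

# 1) Mailbox type changes (Set-Mailbox with the Type parameter).
# 2) Send As grants, which are recorded under Add-RecipientPermission.
$entries  = @(Search-AdminAuditLog @common -Cmdlets Set-Mailbox -Parameters Type)
$entries += @(Search-AdminAuditLog @common -Cmdlets Add-RecipientPermission)

$entries | Sort-Object RunDate | ForEach-Object {
    # Flatten the CmdletParameters collection into "Name=Value" pairs so the
    # new mailbox type or the Send As trustee is visible on one line.
    $params = ($_.CmdletParameters |
        ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '

    [pscustomobject]@{
        RunDate        = $_.RunDate
        Caller         = $_.Caller
        Cmdlet         = $_.CmdletName
        ObjectModified = $_.ObjectModified
        Parameters     = $params
        Succeeded      = $_.Succeeded
    }
} | Format-Table -AutoSize -Wrap
```

Entries whose Caller is not an account expected to administer these mailboxes are the ones to follow up on.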