SOLVED

Find Audit logs of a mailbox

Copper Contributor

We have noticed that mailboxes of couple of users are converted to shared mailboxes and send as permissions are added to random users in our tenant. We have run a audit search from compliance.microsoft.com using users mail id in users' field and "exchange" in workloads. But the results are related to the activities done by the users in their mailbox like create, edit, delete a mail. Is there any specific to find our who converted those mailboxes to shared mailboxes?

8 Replies
best response confirmed by Charlie933 (Copper Contributor)
Solution
Exchange admin operations are also covered by the Unified audit log, so you probably need to expand your filters. The entries are stored as the actual cmdlet being run, which in this case should be Set-Mailbox.

You can run a more targeted search via PowerShell:

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-365) -EndDate (Get-Date).AddDays(1) -ResultSize 5 -FreeText "Type" -RecordType 1 -Operations Set-Mailbox

Hi @Vasil Michev,

 

Thank you for the guidance. I've tried running the suggested PowerShell command by setting -resultsize 2000, but unfortunately, it returns operations performed by me and those do not include the converted mailboxes. is there anything i'm missing?

 

Thanks,

Charlie933

Hi @Andres,

Thanks for your response. I have been through the mentioned documentation and tried running the powershell command "Search-AdminAuditLog -Cmdlets Set-Mailbox -StartDate (Get-Date).AddDays(-365) -EndDate (Get-Date).AddDays(1)" and it returned all the exchange admin activities over the last 90 days. However, we were able to recognise few of the entries as planned activities but there are many entires similar to the mentioned below. We did notice that object modified is returning object-ids inside {} of objectmodified field of the output and cross verified it with the object-ids of the users which are in question but they do not match for any of them.

ObjectModified : NAMPR19A003.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/xx.onmicrosoft.com/SystemMailbox{object-id}
CmdletName : Set-Mailbox
CmdletParameters : {RecoverableItemsQuota, Force, Arbitration, ProhibitSendQuota...}
ModifiedProperties : {} (empty in the output itself)
Caller : ********
ExternalAccess : True
Succeeded : True
Error :
RunDate : 06-09-2023 09:08:37
OriginatingServer : 
ClientIP :
SessionId :
AppId :
ClientAppId :
Identity :
IsValid : True
ObjectState : New


Also why is outlook making changes and why do some results have "*******" (actual entries and not censored for privacy) and "NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)" in the "caller" field?

Thanks,
Charlie933

Those are "external" or "system" entries, you can filter them out.

Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters Type -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) -ResultSize 5 -ExternalAccess:$false

If you are looking for the changes made against specific mailbox, also add the -ObjectIds parameter:

Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters Type -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) -ResultSize 5 -ExternalAccess:$false -ObjectIds shared2020
@Vasil Michev below commands returns empty for both UPN and azure objectid.

Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters Type -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) -ResultSize 10 -ExternalAccess:$false -ObjectIds abs@domain

I have Exchange and Group Administrator roles assigned. Does -objectids flag require any additional permissions? because the command seems to be working without -objectids flag but still we do not get the logs of mailboxes we are looking for.

Thanks,
Charlie933
No, no additional permissions. Are you perhaps using Hybrid? If the change was made on-premises, it will not show up in the Exchange Online logs.
The other possibility is that it was done over 90 days ago - this is the longest you can search via this method. Using the Unified audit log search above should cover 180 days minimum.
@Vasil Michev, powershell command mentioned in your first response worked. My mistake was i modified the command to display results of last 90 days since we have only M365 Business Premium licenses. Apparently the changes we were looking for were made 5 months ago and no wonder these didn't turn up with search-adminauditlog cmdlet.

Thanks a lot for your help and time :)

Regards,
Charlie933
1 best response

Accepted Solutions
best response confirmed by Charlie933 (Copper Contributor)
Solution
Exchange admin operations are also covered by the Unified audit log, so you probably need to expand your filters. The entries are stored as the actual cmdlet being run, which in this case should be Set-Mailbox.

You can run a more targeted search via PowerShell:

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-365) -EndDate (Get-Date).AddDays(1) -ResultSize 5 -FreeText "Type" -RecordType 1 -Operations Set-Mailbox

View solution in original post