Audit log search no longer works for shared mailboxes

%3CLINGO-SUB%20id%3D%22lingo-sub-771225%22%20slang%3D%22en-US%22%3EAudit%20log%20search%20no%20longer%20works%20for%20shared%20mailboxes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-771225%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20was%20working%20find%20then%20stopped%20last%20month%20some%20time%20-%20now%20gives%20no%20results.%20After%20backwards%20and%20forwards%20with%20support%20see%20the%20response%20we%20received%20from%20them%20below.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22As%20earlier%20advised%20the%20changes%20are%20made%20recently%20by%20the%20programming%20team%20after%20which%20non%20license%20mailbox%20user%20will%20be%20able%20to%20see%20O365%20Admin%20logs%20from%20power%20shell%20and%20EAC%20and%20will%20not%20be%20able%20to%20see%20Unified%20audit%20logs%20from%20SCC%20and%20power%20shell.%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20does%20not%20seem%20plausible%20to%20me%20but%20I%20would%20like%20to%20get%20some%20feedback%20from%20the%20rest%20of%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-771225%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAudit%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eshared%20mailbox%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-771500%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20log%20search%20no%20longer%20works%20for%20shared%20mailboxes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-771500%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F343416%22%20target%3D%22_blank%22%3E%40SuleimanDaCosta%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20not%20a%20Valid%20Justification%20and%20i%20have%20tested%20this%20on%20my%20Tenant%20and%20it%20is%20working%20for%20a%20Non-Licensed%20Global%20Admin%20%26amp%3B%20Compliance%20Admin.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3EAnkit%20Shukla%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-771550%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20log%20search%20no%20longer%20works%20for%20shared%20mailboxes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-771550%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F156230%22%20target%3D%22_blank%22%3E%40ankit%20shukla%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you.%20Are%20you%20able%20to%20test%20this%20against%20a%20shared%20mailbox%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-771565%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20log%20search%20no%20longer%20works%20for%20shared%20mailboxes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-771565%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F343416%22%20target%3D%22_blank%22%3E%40SuleimanDaCosta%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYep%2C%20i%20will%20test%20in%20few%20hours%2C%20travelling%20right%20now%20and%20would%20confirm%20asap.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%20!%3C%2FP%3E%3CP%3EAnkit%20Shukla%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-772033%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20log%20search%20no%20longer%20works%20for%20shared%20mailboxes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-772033%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20a%20bit%20unclear%20on%20that%20statement.%20Are%20they%20saying%2C%20that%20audit%20events%20generated%20for%20(unlicensed)%20shared%20mailboxes%20no%20longer%20flow%20to%20the%20Unified%20log%2C%20and%20you%20have%20to%20use%20the%20Exchange%20tools%20to%20work%20with%20them%3F%20Which%20I%20guess%20is%20also%20what%20you%20are%20complaining%20about%20in%20this%20thread%3F%20If%20so%20-%20I%20just%20run%20a%20test%20on%20my%20tenant%2C%20and%20I%20can%20see%20events%20for%20shared%20mailboxes%20just%20fine%20in%20the%20Unified%20log.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOr%20are%20they%20saying%20that%20in%20order%20to%20see%20Exchange%20mailbox%20audit%20events%20in%20the%20Unified%20log%2C%20you%20need%20to%20run%20the%20search%20with%20an%20licensed%20account%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-772284%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20log%20search%20no%20longer%20works%20for%20shared%20mailboxes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-772284%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F156230%22%20target%3D%22_blank%22%3E%40ankit%20shukla%3C%2FA%3E%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F343416%22%20target%3D%22_blank%22%3E%40SuleimanDaCosta%3C%2FA%3E%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20able%20to%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Search%20for%20Unified%20Audit%20logs%20of%20an%20Unlicensed%20Mailbox%20in%20Security%20%26amp%3B%20Compliance%20Center.%3C%2FP%3E%3CP%3E2.%20Search%20for%20Logs%20using%20an%20Unlicensed%20Global%20Admin.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20tells%20me%20whatever%20you%20have%20been%20told%20is%20not%20justified.%20If%20Microsoft%20did%20really%20says%20something%20it%20is%20backed%20up%20by%20a%20Product%20Update%20number%20which%20also%20reflects%20on%20the%20Message%20Center%20under%20Office%20365%20Admin%20center.%20Ask%20for%20that%20and%20please%20do%20update%20here%20once%20received.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EClearly%20looks%20like%20some%20miscommunication%20here%20from%20somewhere.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%20!!%3C%2FP%3E%3CP%3EAnkit%20Shukla%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-773015%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20log%20search%20no%20longer%20works%20for%20shared%20mailboxes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-773015%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3BThey%20are%20saying%20that%20even%20though%20we%20have%20logging%20turned%20on%20for%20all%20types%20of%20mailboxes%2C%20we%20cannot%20get%20results%20for%20shared%20mailboxes%20because%20they%20are%20unlicensed.%20I%20want%20to%20be%20able%20to%20tell%20who%20moved%2C%20deleted%2C%20etc%20any%20emails%20in%20a%20shared%20mailbox%20which%20we%20cannot%20do%20at%20the%20moment.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F156230%22%20target%3D%22_blank%22%3E%40ankit%20shukla%3C%2FA%3E%26nbsp%3B%20I%20completely%20agree%20with%20you%20and%20I%20could%20not%20find%20any%20documentation%20to%20back%20up%20what%20they%20told%20us.%20Thank%20you%20for%20your%20help.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-773914%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20log%20search%20no%20longer%20works%20for%20shared%20mailboxes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-773914%22%20slang%3D%22en-US%22%3E%3CP%3EWell%20considering%20both%20me%20and%20ankit%20seem%20to%20have%20no%20trouble%20fetching%20audit%20records%20for%20shared%20mailbox%20in%20the%20Unified%20log%2C%20I%20call%20bull**bleep**.%20Either%20ask%20them%20to%20point%20you%20to%20official%20statement%20on%20the%20subject%2C%20or%20get%20them%20to%20escalate%20it%20as%20an%20obvious%20issue%20in%20your%20tenant.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1172432%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20log%20search%20no%20longer%20works%20for%20shared%20mailboxes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1172432%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F343416%22%20target%3D%22_blank%22%3E%40SuleimanDaCosta%3C%2FA%3E%26nbsp%3BI%20know%20this%20is%20an%20old%20thread%20but%20i'm%20having%20the%20same%20issue.%26nbsp%3B%20i%20have%20full%20auditing%20but%20if%20i%20put%20in%20the%20shared%20mailbox%20address%20in%20Audit%20Log%20Search%20GUI%20in%20O365%20Admin%20center%2C%20i%20get%20no%20results%20for%20anything%20and%20I%20need%20to%20see%20who%20deleted%20an%20item.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20found%3CA%20href%3D%22https%3A%2F%2Foffice365.uservoice.com%2Fforums%2F289138-office-365-security-compliance%2Fsuggestions%2F18824797-shared-mailbox-audit-option-to-see-all-activity-in%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20this%20thread%3C%2FA%3E%20too%20which%20makes%20me%20think%20this%20is%20NOT%20in%20place%20-%20but%20others%20have%20said%20they%20can%20do%20this.%26nbsp%3B%20Can%20anyone%20having%20success%20with%20this%20provide%20how%20they%20are%20doing%20this%3F%20I%20just%20need%20to%20find%20out%20who%20deleted%20a%20folder%20on%20a%20shared%20mailbox.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1230906%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20log%20search%20no%20longer%20works%20for%20shared%20mailboxes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1230906%22%20slang%3D%22en-US%22%3E%3CP%3ECould%20you%20please%20tell%20me%20how%20you%20could%20search%20for%20unified%20audit%20logs%20of%20an%20unlicensed%20mailbox%20in%20Security%20%26amp%3B%20Compliance%20center%3F%3F%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F156230%22%20target%3D%22_blank%22%3E%40ankit%20shukla%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1231376%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20log%20search%20no%20longer%20works%20for%20shared%20mailboxes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1231376%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F583285%22%20target%3D%22_blank%22%3E%40ShikoBiko%3C%2FA%3E%26nbsp%3BSorry%20was%20sick%20%2C%20so%20couldn't%20reply%20in%20time.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EProtection.office.com%20%26lt%3B%20Search%26nbsp%3B%20%26lt%3B%20Audit%20Logs%26nbsp%3B%3CBR%20%2F%3EThen%20Select%20Stat%20and%20end%20date%20(time%20if%20you%20are%20sure%20when%20and%20what%20may%20have%20happened%20)%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20the%20user%20section%20field%2C%20Enter%20PrimarySMTP%20or%20UPN%20of%20the%20Shared%20mailbox%20you%20are%20looking%20to%20audit.%3C%2FP%3E%3CP%3ERun%2FSearch%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBingo%20!!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%20%3A)%3C%2Fimg%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

It was working find then stopped last month some time - now gives no results. After backwards and forwards with support see the response we received from them below. 

 

"As earlier advised the changes are made recently by the programming team after which non license mailbox user will be able to see O365 Admin logs from power shell and EAC and will not be able to see Unified audit logs from SCC and power shell."

 

This does not seem plausible to me but I would like to get some feedback from the rest of you.

10 Replies
Highlighted

@SuleimanDaCosta 

 

This is not a Valid Justification and i have tested this on my Tenant and it is working for a Non-Licensed Global Admin & Compliance Admin.

 

Thanks

Ankit Shukla

 

Highlighted

@ankit shukla 

 

Thank you. Are you able to test this against a shared mailbox?

Highlighted

@SuleimanDaCosta 

 

Yep, i will test in few hours, travelling right now and would confirm asap.

 

Cheers !

Ankit Shukla

 

Highlighted

I'm a bit unclear on that statement. Are they saying, that audit events generated for (unlicensed) shared mailboxes no longer flow to the Unified log, and you have to use the Exchange tools to work with them? Which I guess is also what you are complaining about in this thread? If so - I just run a test on my tenant, and I can see events for shared mailboxes just fine in the Unified log.

 

Or are they saying that in order to see Exchange mailbox audit events in the Unified log, you need to run the search with an licensed account?

Highlighted

@ankit shukla  @SuleimanDaCosta  

I'm able to 

 

1. Search for Unified Audit logs of an Unlicensed Mailbox in Security & Compliance Center.

2. Search for Logs using an Unlicensed Global Admin.

 

This tells me whatever you have been told is not justified. If Microsoft did really says something it is backed up by a Product Update number which also reflects on the Message Center under Office 365 Admin center. Ask for that and please do update here once received.

 

Clearly looks like some miscommunication here from somewhere.

 

Cheers !!

Ankit Shukla

 

Highlighted

@Vasil Michev They are saying that even though we have logging turned on for all types of mailboxes, we cannot get results for shared mailboxes because they are unlicensed. I want to be able to tell who moved, deleted, etc any emails in a shared mailbox which we cannot do at the moment.

 

@ankit shukla  I completely agree with you and I could not find any documentation to back up what they told us. Thank you for your help.

Highlighted

Well considering both me and ankit seem to have no trouble fetching audit records for shared mailbox in the Unified log, I call bull**bleep**. Either ask them to point you to official statement on the subject, or get them to escalate it as an obvious issue in your tenant.

Highlighted

@SuleimanDaCosta I know this is an old thread but i'm having the same issue.  i have full auditing but if i put in the shared mailbox address in Audit Log Search GUI in O365 Admin center, i get no results for anything and I need to see who deleted an item.

 

I found this thread too which makes me think this is NOT in place - but others have said they can do this.  Can anyone having success with this provide how they are doing this? I just need to find out who deleted a folder on a shared mailbox.

Could you please tell me how you could search for unified audit logs of an unlicensed mailbox in Security & Compliance center?? @ankit shukla 

Highlighted

@ShikoBiko Sorry was sick , so couldn't reply in time.

 

Protection.office.com < Search  < Audit Logs 
Then Select Stat and end date (time if you are sure when and what may have happened ) 

In the user section field, Enter PrimarySMTP or UPN of the Shared mailbox you are looking to audit.

Run/Search

 

Bingo !!

 

Cheers :)