cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Shared Mailbox Deleted by User

lgtyar
Copper Contributor

‎Nov 02 2021 08:46 AM

‎Nov 02 2021 08:46 AM

Shared Mailbox Deleted by User

Hi,

 

Recently we will like to investigate who is the user that had deleted a shared mailbox.

 

Can i know what cmdlet to captured the logs? 

 

Thanks

Labels:
3,767 Views
0 Likes
3 Replies
Reply
3 Replies
Vasil Michev

‎Nov 02 2021 09:16 AM

‎Nov 02 2021 09:16 AM

Re: Shared Mailbox Deleted by User

Is this for on-premises or Exchange Online? Generally speaking, you need to check the Exchange Admin Audit log and/or the Unified Audit log in Office 365. You will also need to cover the "AD" part, as they might have deleted the user object directly.
0 Likes
Reply
lgtyar

‎Nov 02 2021 09:21 AM

‎Nov 02 2021 09:21 AM

Re: Shared Mailbox Deleted by User

@Vasil Michev Thanks for reply. It will be EXO. Can you advise if any cmdlets to extract the information on who deleted the shared calendar?
0 Likes
Reply
Vasil Michev

‎Nov 02 2021 09:28 AM

‎Nov 02 2021 09:28 AM

Re: Shared Mailbox Deleted by User

Use this cmdlet to run a search against the Unified audit log:

Search-UnifiedAuditLog -EndDate (Get-Date) -StartDate (Get-Date).AddDays(-90) -Operation "Remove-Mailbox"

As mentioned above, you will likely need to cover some additional operations, such as "Delete user.". Check the documentation for more details: https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compl...
0 Likes
Reply