audit
2 Topics

Search-UnifiedAuditlogs For Mailbox - Problems
Introduction

Like many, I have been faced with an audit search problem on mailboxes. I finally found a solution by searching deeply on the web. In this post I will provide you with Microsoft's documentation; I have tested everything, and it finally works. I have also sent comments to Microsoft, directly to the product group (with a Microsoft case) and also through the TechNet article feedback feature.

Technical Content

We assume that you have all the permissions and roles necessary to run audit log searches.

For Regular mailboxes:

If you have no results via the GUI, it is possible that there is no result in the time interval. It may also happen that auditing is blocked on the mailbox even though the feature is active.

You may use the command described in the [Search-UnifiedAuditLog documentation](https://learn.microsoft.com/fr-fr/powershell/module/exchange/search-unifiedauditlog?view=exchange-ps) with the following parameters:

- UserIds: email address
- Operations: events to search for (https://learn.microsoft.com/en-us/purview/audit-log-activities#exchange-mailbox-activities)

```powershell
Search-UnifiedAuditLog -UserIds <MailboxIdentity> -Operations MoveToDeletedItems, SoftDelete, HardDelete -StartDate "01/01/2025" -EndDate "15/01/2025"
```

Unfortunately, no results appear with PowerShell.

At https://learn.microsoft.com/en-us/purview/audit-troubleshooting-scenarios#search-for-mailbox-activities-performed-by-users-with-non-e5-licenses, you can find the documentation that describes the symptom and how to resolve it.

Even when [mailbox auditing on by default](https://learn.microsoft.com/en-us/purview/audit-mailboxes) is turned on for your organization, you might notice that mailbox audit events for some users aren't found in audit log searches by using the Microsoft Purview portal or the compliance portal, the **Search-UnifiedAuditLog** cmdlet, or the Office 365 Management Activity API.
The reason for this is that mailbox audit events are returned only for users with E5 licenses when you use one of the previous methods to search the unified audit log.

You must run the following command within Exchange Online:

```powershell
Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $false
```

And then:

```powershell
Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $true
```

Now you can search within the GUI or with PowerShell and you will have some results.

For Shared Mailboxes:

To search audit logs for a shared mailbox, you must use the following command, with the parameter *FreeText*.

```powershell
Search-UnifiedAuditLog -StartDate "08/01/2025" -EndDate "11/01/2025" -FreeText (Get-Mailbox -Identity <MailboxIdentity>).ExchangeGuid -Operations MoveToDeletedItems
```

At https://learn.microsoft.com/en-us/purview/audit-troubleshooting-scenarios#search-for-mailbox-activities-performed-in-a-specific-mailbox-including-shared-mailboxes you can find the article that describes the FreeText parameter and also states that the GUI does not work for shared mailboxes.

Also, using the **User** dropdown list in the audit log search tool or the **Search-UnifiedAuditLog -UserIds** won't return results for activities performed in a shared mailbox.

If there are no results and you are sure that there should be, then the same procedure as described above has to be applied. Disable and then re-enable auditing on the mailbox:

```powershell
Set-Mailbox -Identity <SharedMailboxIdentity> -AuditEnabled:$false
Set-Mailbox -Identity <SharedMailboxIdentity> -AuditEnabled:$true
```

Run the Search-UnifiedAuditLog command again. Now you will find results.

Conclusion

I assume that the "Users" text box in the interface corresponds to the parameter "UserIds" in the cmdlet. And there is no match for the "FreeText" parameter.

You can find other articles about Purview in my GitHub: https://github.com/trisdev75/MicrosoftPurview

PowerShell script to export Exchange Usage in CSV format used to Audit an Office 365 Tenant
In an Office 365 usage audit, Exchange Online is a big part of the assessment. The following script exports useful data in a simple CSV format.

```powershell
[string]$username = "Admin@yourtenant.onmicrosoft.com"
[string]$PwdTXTPath = "C:\SECUREDPWD\ExportedPWD-$($username).txt"
# The file holds a password exported as an encrypted SecureString string.
$secureStringPwd = ConvertTo-SecureString -String (Get-Content $PwdTXTPath)
$adminCreds = New-Object System.Management.Automation.PSCredential $username, $secureStringPwd
#$adminCreds = Get-Credential

$ReportPath = "C:\EXCHANGE\Reports\"
$data = @()

# Note: Microsoft has retired Basic authentication for Exchange Online remote PowerShell;
# on current tenants, connect with Connect-ExchangeOnline (ExchangeOnlineManagement module) instead.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-LiveID/ -Credential $adminCreds -Authentication Basic -AllowRedirection
Import-PSSession $Session

$MbxUsers = Get-Mailbox -ResultSize Unlimited
#$MbxUsers = Get-Mailbox   # < for testing only first 1000 mailbox
#$MbxUsers = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize 50   # < for testing only first 50 shared MB

foreach ($user in $MbxUsers)
{
    $UPN = $user.UserPrincipalName
    $Mbx = Get-MailboxStatistics $UPN

    # TotalItemSize looks like "69.48 MB (72,854,427 bytes)": extract the byte count and convert to MB.
    $TotalMBSize = [math]::Round((($Mbx.TotalItemSize.Value.ToString()).Split("(")[1].Split(" ")[0].Replace(",","")/1MB),2)

    Write-Host " >> MailBox UPN:", $user.UserPrincipalName, "- MailBoxType:", $user.RecipientTypeDetails, "- Mailbox ItemNumber:", $Mbx.ItemCount -ForegroundColor Magenta
    Write-Host "    >> MailBox Size Text:", $Mbx.TotalItemSize, " - MailBox SizeMB:", $TotalMBSize
    Write-Host "    >> ProhibitSendQuota:", $user.ProhibitSendQuota, "- ProhibitSendReceiveQuota:", $user.ProhibitSendReceiveQuota

    $Properties = @{
        Logoff = $Mbx.LastLogoffTime
        Logon = $Mbx.LastLogonTime
        IsEncrypted = $Mbx.IsEncrypted
        ProhibitSendReceiveQuotaMB = $user.ProhibitSendReceiveQuota
        ProhibitSendQuotaMB = $user.ProhibitSendQuota
        TotalSizeMB = $TotalMBSize.ToString()
        ItemCount = $Mbx.ItemCount
        IsArchiveMailbox = $Mbx.IsArchiveMailbox
        RecipientTypeDetails = $user.RecipientTypeDetails
        Alias = $user.Alias
        UPN = $user.UserPrincipalName
        Displayname = $Mbx.DisplayName
        Name = $user.Name
    }
    $data += New-Object psobject -Property $Properties
}

# HH (24-hour clock) so that morning and afternoon runs do not produce the same file name.
$datestring = (Get-Date).ToString("yyyyMMdd-HHmm")
$fileName = Join-Path -Path $ReportPath -ChildPath $("ExchangeMailbox_" + $datestring + ".csv")

Write-Host " -----------------------------------------" -ForegroundColor Green
Write-Host (" >>> writing to file {0}" -f $fileName) -ForegroundColor Green
$data | Select-Object Name,Displayname,UPN,Alias,RecipientTypeDetails,IsArchiveMailbox,IsEncrypted,ItemCount,TotalSizeMB,ProhibitSendQuotaMB,ProhibitSendReceiveQuotaMB,Logon,Logoff | Export-Csv $fileName -NoTypeInformation -Encoding UTF8
Write-Host " -----------------------------------------" -ForegroundColor Green

Remove-PSSession $Session
```

You can adapt that script as you need, based on your own requirements.

Fabrice Romelard

French version: http://blogs.developpeur.org/fabrice69/archive/2019/02/25/office-365-script-powershell-pour-auditer-l-usage-d-exchange-online-de-votre-tenant.aspx

Source used:

- http://www.cloudpartner.fi/?p=350
- https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/get-mailboxstatistics?view=exchange-ps
- https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/get-mailbox?view=exchange-ps
- https://support.citrix.com/article/CTX229565
- http://www.vdberge.com/kennisbank/office-365-error-the-term-get-mailbox-is-not-recognized/
- https://4sysops.com/archives/sort-exchange-and-office-365-mailboxes-by-size-with-powershell/
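
For the mailbox audit search procedure in the first post above, here is an added example (not code from either post) that picks `-UserIds` or `-FreeText` from the mailbox type and falls back to the disable/re-enable cycle when a search returns nothing. It goes slightly beyond the post by paging results with `-SessionId` / `-SessionCommand ReturnLargeSet` and expanding the `AuditData` JSON. `Search-MailboxAudit` and `Reset-MailboxAudit` are hypothetical helper names, the mailbox address is a constructed placeholder, and an open `Connect-ExchangeOnline` session is assumed.

```powershell
# Added example; hypothetical helpers. Assumes an open Connect-ExchangeOnline session.
function Search-MailboxAudit {
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate,
        [string[]] $Operations = @('MoveToDeletedItems', 'SoftDelete', 'HardDelete')
    )
    $mbx = Get-Mailbox -Identity $Identity
    $search = @{
        StartDate = $StartDate; EndDate = $EndDate; Operations = $Operations
        SessionId = [guid]::NewGuid().ToString(); SessionCommand = 'ReturnLargeSet'
        ResultSize = 5000
    }
    if ($mbx.RecipientTypeDetails -eq 'SharedMailbox') {
        # -UserIds returns nothing for shared mailboxes: match on the ExchangeGuid.
        $search.FreeText = $mbx.ExchangeGuid.ToString()
    } else {
        $search.UserIds = $mbx.UserPrincipalName
    }
    do {
        # Repeating the call with the same SessionId returns the next page.
        $page = @(Search-UnifiedAuditLog @search)
        foreach ($rec in $page) {
            $detail = $rec.AuditData | ConvertFrom-Json   # AuditData is a JSON string
            [pscustomobject]@{
                Time      = $rec.CreationDate
                Actor     = $rec.UserIds
                Operation = $rec.Operations
                Mailbox   = $detail.MailboxOwnerUPN
                ClientIP  = $detail.ClientIPAddress
            }
        }
    } while ($page.Count -gt 0)
}
function Reset-MailboxAudit {
    param([Parameter(Mandatory)] [string] $Identity)
    Set-Mailbox -Identity $Identity -AuditEnabled $false
    Set-Mailbox -Identity $Identity -AuditEnabled $true
    Get-Mailbox -Identity $Identity | Select-Object UserPrincipalName, AuditEnabled, AuditOwner, AuditDelegate
}
$id   = 'shared.mailbox@contoso.example'   # constructed placeholder address
$when = @{ StartDate = [datetime]'2025-01-08'; EndDate = [datetime]'2025-01-11' }
$hits = @(Search-MailboxAudit -Identity $id @when)
if ($hits.Count -eq 0) {
    Reset-MailboxAudit -Identity $id
    $hits = @(Search-MailboxAudit -Identity $id @when)   # run the search again
}
$hits | Sort-Object Time | Format-Table -AutoSize
```

Passing `[datetime]` values avoids the ambiguity of day/month order in date strings such as "08/01/2025", which are parsed according to the regional settings of the machine running the cmdlet.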