Check who deleted or move an email item

January 7, 2020 | by iaur | posted as Compliance, Exchange Online

Requisite: Exchange Mailbox Audit SHOULD BE enabled

  1. Connect to EXO PowerShell
  1. Run the ff.cmdlets
Search-MailboxAuditLog -Identity “targetuser@domain.com” -LogonTypes Owner,Admin,Delegate -ShowDetails -StartDate 10/21/2019 -EndDate 10/23/2019  | Export-CSV C:\AuditResult.csv
  1. AuditResults.csv will be located at C:\ drive
  2. Parsing results
Machine generated alternative text:
AutoSave 
KB7 
Operation 
SoftDeIete 
Create 
Create 
Create 
SoftDeI ete 
• Off 
Page Layout 
OperationResuIt LogonType 
AuditResuIt14 
Folderld 
Lg.é.é.éA4HAl 
Lg.é.é.éA4HAl 
Lg.é.é.éA4HAl 
Lg.é.é.éA4HAl 
Lg.é.é.éA4HAl 
- Read-Only • 
m.c ou 
Bernie Fernandez 
8 Share 
Commer 
FolderPathName 
unbox 
unbox 
Clientl PAddress 
MailboxOwnerLlPN 
user2@faceresionermxgz 
user2@faceresionermxgz 
user2@faceresionermxgz 
user2@faceresionermxgz 
user2@faceresionermxgz 
LogonLlserDispIayName Last4ccessed 
Succeeded 
Succeeded 
Succeeded 
Succeeded 
Succeeded 
Delegate 
Delegate 
Delegate 
Delegate 
Delegate 
Bernie Fernandez 
Bernie Fernandez 
Bernie Fernandez 
Bernie Fernandez 
Bernie Fernandez 
1/7/2020 20:35 
1/7/2020 20:35 
1/7/2020 20:35 
1/7/2020 20:35 
1/7/2020 20:35

From the result, you could use subject to find the specific column, then you could check InternalLogonType. it could show the owner, delegate or admin deleted this email. LogonUserDisplayName shows the user name who deleted this email. Operation describes the action performed.

Reference:

https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-audit/search-mailboxauditlog?view=exchange-ps

https://docs.microsoft.com/en-us/exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging?view=exchserver-2019

Feedback or Help?

Should you have one, click here

Boring Ads. Pardon me :)