If you use a shared mailbox and sometimes wonder who deleted some of the emails from the inbox, you can search the audit log to find out.
Before you go any further, check if you have turned on the Audit Log Search in your tenant first.
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
If you haven’t, do this to turn it on.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
To do the search, you can either go through the Compliance Portal or use the PowerShell cmdlet.
- Sign into the Compliance Portal
- Go to the Audit tab on the left panel
- Select the New Search tab at the top of the Audit page.
Then configure the search criteria as applicable. It took me some time to figure it out and then a few tries to get my result.
Check details on how to perform the search here.
Obviously, as always, using PowerShell cmdlets or scripts makes things much easier. Check out this script from Microsoft to get started on how it works. But if you would like a more powerful script that works out of the box, give this a serious look.
For example, I used it to check if any email deletions were happening after May 30, 2024 from a mailbox called overtime.
./auditdeleteemails.ps1 -mailbox "overtime" -StartDate 05/30/2024
It saves the result in a CSV file for you to review.
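For comparison, this is roughly what such a search does with the Search-UnifiedAuditLog cmdlet directly. It is an added example, not the script referenced above and not Microsoft's. It assumes the usual Exchange mailbox audit fields in AuditData (MailboxOwnerUPN, UserId, AffectedItems, ClientIPAddress); the addresses, the sample record and the output file name are constructed placeholders.

```powershell
# Added example: flatten mailbox deletion audit records into CSV-ready rows.
function ConvertFrom-DeletionAudit {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        # AuditData is a JSON string; the useful detail is inside it.
        $d = $Record.AuditData | ConvertFrom-Json
        # One audit record can cover several deleted messages. A record with
        # no AffectedItems still yields one row with empty Folder and Subject.
        foreach ($item in @($d.AffectedItems)) {
            [pscustomobject]@{
                TimeUtc   = $d.CreationTime
                Mailbox   = $d.MailboxOwnerUPN   # mailbox the item was deleted from
                DeletedBy = $d.UserId            # account that performed the deletion
                Operation = $d.Operation
                Folder    = $item.ParentFolder.Path
                Subject   = $item.Subject
                ClientIP  = $d.ClientIPAddress
            }
        }
    }
}

# Constructed sample record shaped like Search-UnifiedAuditLog output (not real data).
$sample = [pscustomobject]@{ AuditData = @'
{"CreationTime":"2024-06-03T14:22:10","Operation":"SoftDelete",
 "UserId":"alice@contoso.example","MailboxOwnerUPN":"overtime@contoso.example",
 "ClientIPAddress":"203.0.113.10",
 "AffectedItems":[{"Subject":"Timesheet week 22","ParentFolder":{"Path":"\\Inbox"}}]}
'@ }
$records = @($sample)

# Live query (needs a Connect-ExchangeOnline session); uncomment to replace the sample.
# -UserIds would filter on the person acting, not the mailbox, so the shared
# mailbox is matched on MailboxOwnerUPN after parsing instead.
# $records = Search-UnifiedAuditLog -StartDate '2024-05-30' -EndDate (Get-Date) `
#     -Operations SoftDelete,HardDelete,MoveToDeletedItems -ResultSize 5000

$records | ConvertFrom-DeletionAudit |
    Where-Object Mailbox -eq 'overtime@contoso.example' |
    Sort-Object TimeUtc |
    Export-Csv -Path .\overtime-deletions.csv -NoTypeInformation
```

Search-UnifiedAuditLog returns at most 5000 records per call, so a busy mailbox or a long date range needs a narrower window or paging.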