Most admins wonder how to find out who deleted an email from a mailbox. If you are one of them, this blog is for you.
How to Determine If a User Deleted Email Items:
Users delete emails either by accident or on purpose. As an admin, you can use the audit log to identify deleted emails in Office 365. Microsoft has turned on mailbox audit logging by default for certain actions from Jan 2019. If your tenant was created before 2019 or you want to audit all the mailbox actions, you must enable mailbox auditing through PowerShell.
To track deleted emails, you need to filter the audit log for the following actions, which are audited by default:
- MoveToDeletedItems – Moved emails to deleted items.
- SoftDelete – Deleted message from deleted items folder.
- HardDelete – Purged messages from Recoverable Items folder.
How to Find Out Who Deleted Email from a Mailbox?
You can use either Audit log search (UI) or PowerShell to see who deleted an email in Outlook.
Audit log search: In the audit log search, you can filter for the above-mentioned 'message delete events' to track the deleted emails. You can also download the audit log search results to a CSV file. However, you can't view the required data like email subject, folder, and result status at a glance. Those attributes are formatted as a JSON object, which needs to be parsed for further information.
PowerShell: You can use the Search-UnifiedAuditLog cmdlet to audit email deletion. But retrieving audit logs using PowerShell has more challenges. For example, if you don't retrieve the audit logs properly, you will end up with data loss and session timeout errors. So, you are required to spend more time optimizing the PowerShell code.
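As an added example (not part of the original post or of AuditDeletedEmails.ps1), the following shows how the AuditData JSON described above can be flattened into readable columns. The sample records are constructed, the function name is hypothetical, and the AuditData field names used (MailboxOwnerUPN, UserId, AffectedItems, Folder.Path, ResultStatus) are assumed to follow the Exchange mailbox audit schema.

```powershell
# Constructed sample records. Each one mimics a row of the audit log CSV export
# (or one Search-UnifiedAuditLog result): the details sit in the AuditData JSON string.
$records = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2021-07-26T09:14:02","Operation":"MoveToDeletedItems","UserId":"john@contoso.com","MailboxOwnerUPN":"Marketing@contoso.com","ResultStatus":"Succeeded","Folder":{"Path":"\\Inbox"},"AffectedItems":[{"Subject":"Q3 Status"},{"Subject":"Vendor invoice"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2021-07-27T16:40:51","Operation":"HardDelete","UserId":"admin@contoso.com","MailboxOwnerUPN":"John@contoso.com","ResultStatus":"Succeeded","Folder":{"Path":"\\Recoverable Items\\Deletions"},"AffectedItems":[{"Subject":"Status update"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2021-07-28T08:00:00","Operation":"SendAs","UserId":"john@contoso.com","MailboxOwnerUPN":"Marketing@contoso.com","ResultStatus":"Succeeded"}' }
    [pscustomobject]@{ AuditData = '{not valid json' }   # damaged row, to exercise the error path
)

# Hypothetical helper: turns one audit record into one flat report row.
function ConvertFrom-DeletionAuditRecord {
    param([Parameter(ValueFromPipeline)] $Record)
    begin { $deleteOps = 'MoveToDeletedItems', 'SoftDelete', 'HardDelete' }
    process {
        # A truncated or malformed AuditData value must not abort the whole report.
        try   { $data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning 'Skipping record with unparsable AuditData'; return }

        # Keep only the three delete operations listed earlier in the post.
        if ($data.Operation -notin $deleteOps) { return }

        # AffectedItems may hold several messages, or be missing entirely.
        $subjects = @(foreach ($item in $data.AffectedItems) { $item.Subject })

        [pscustomobject]@{
            DeletionTime  = [datetime]$data.CreationTime
            DeletionType  = $data.Operation
            TargetMailbox = $data.MailboxOwnerUPN
            DeletedBy     = $data.UserId
            EmailCount    = $subjects.Count
            Subjects      = $subjects -join '; '
            Folder        = $data.Folder.Path
            ResultStatus  = $data.ResultStatus
        }
    }
}

# Two rows are returned: the SendAs record is filtered out, the damaged one is skipped.
$records | ConvertFrom-DeletionAuditRecord | Format-Table -AutoSize

# With a real export (the file name is a placeholder):
# Import-Csv .\AuditLogExport.csv | ConvertFrom-DeletionAuditRecord
```

Comparing DeletedBy with TargetMailbox in the output separates deletions made by the mailbox owner from those made by a delegate or admin.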
To ease your work, we have created a PowerShell script to investigate email deletion issues more efficiently.
Download Script: AuditDeletedEmails.ps1
Script Highlights:
- The script uses modern authentication to retrieve audit logs.
- The script can be executed with an MFA enabled account too.
- Exports report results to a CSV file.
- Allows you to track all the deleted emails.
- Helps to find out who deleted email from a shared mailbox.
- Allows you to generate an email deletion audit report for a custom period.
- Automatically installs the EXO V2 module (if not installed already) upon your confirmation.
- The script is scheduler-friendly, i.e., the credential can be passed as a parameter instead of being saved inside the script.
Audit Email Deletion Report – Sample Output:
The exported report contains Email Deletion Time, Type of Deletion, Target Mailbox, Deleted By, No. of Emails Deleted, Email Subjects, Folder, Result Status and other Audit Info.
Audit Deleted Emails in Office 365 – Script Execution
To run the script, you can choose any one of the below methods.
Method 1: Execute script with MFA and non-MFA account
```powershell
.\AuditDeletedEmails.ps1
```
Method 2: Execute script by explicitly mentioning credential (Scheduler friendly).
```powershell
.\AuditDeletedEmails.ps1 -UserName admin@contoso.com -Password XXX
```
If the admin account has MFA, then you need to disable MFA based on the Conditional Access policy to make it work.
More use-cases of ‘Audit Deleted Emails’ PowerShell script:
The script supports the following in-built params to schedule and generate more granular reports.
- Mailbox –> Gets deleted emails from a specific mailbox
- Subject –> Identifies deleted emails by subject.
- StartDate and EndDate –> Generates audit report for a custom period
- UserName and Password –> Schedules the PowerShell script without interactive login.
By using the above-mentioned params, I have formed a few use-cases of this script below:
- Track all the deleted emails – Who deleted what message and when
- How to find out who deleted emails from a shared mailbox
- Audit deleted emails from a specific mailbox
- Find deleted emails by their subject
- Audit email deletion for custom period
- Schedule ‘Deleted email audit report’
- Get a monthly report on deleted emails
Track All the Deleted Emails – Who Deleted What Message and When:
Users might delete or move critical business emails to deleted items unknowingly. So, admins need to identify the Exchange emails that were deleted or moved to deleted items in their organization.
By default, the script will track all the deleted emails in the last 90 days.
```powershell
.\AuditDeletedEmails.ps1
```
The exported audit report provides a clear view of who deleted the email, from which mailbox, what message, and when. By referring to this report, admins can recover the deleted emails based on the requirement.
How to Find out Who Deleted Emails from Shared mailbox:
Since shared mailboxes can be accessed by multiple users (i.e., shared mailbox delegates), it's necessary to identify the user who has deleted an email from a shared mailbox. To see who has permission on shared mailboxes, you can refer to our blog post on get shared mailbox delegates.
To track who deleted emails from a shared mailbox, run the script with the -Mailbox param.
```powershell
.\AuditDeletedEmails.ps1 -Mailbox Marketing@contoso.com
```
The exported report shows the deleted emails in the 'Marketing@contoso.com' mailbox for the past 90 days.
Audit Who Deleted Emails from a Specific Mailbox:
An organization may have requirements to allow some users to access another user's mailbox. So, the emails can be deleted by mailbox delegates and owners. You can generate a mailbox permission report to know the mailbox delegates.
To audit email deletion in a specific mailbox, run the script with the -Mailbox param.
```powershell
.\AuditDeletedEmails.ps1 -Mailbox John@contoso.com
```
The above example retrieves the deleted emails from John's mailbox for the last 90 days.
Find Deleted Emails by Subject:
If you want to find an important email from the pool of deleted emails, you can filter the emails by subject (a word or phrase that the subject contains).
To identify deleted emails by subject, run the script with the -Subject param as follows,
```powershell
.\AuditDeletedEmails.ps1 -Subject "Status"
```
It will list all the deleted emails, which have ‘status’ in their subject.
Audit Email Deletion for a Custom Period:
By default, the script will generate the audit report for the past 90 days. If you want to generate an email audit report for a specific time range, you can run the script with the -StartDate and -EndDate params.
```powershell
.\AuditDeletedEmails.ps1 -StartDate 7/25/21 -EndDate 8/01/21
```
The above format gets all the emails deleted between July 25, 2021, and Aug 01, 2021.
```powershell
.\AuditDeletedEmails.ps1 -StartDate 7/15/21 -EndDate 7/30/21 -Mailbox John@contoso.com
```
This example retrieves all the deleted emails from John's mailbox between July 15, 2021, and July 30, 2021.
Schedule ‘Deleted Emails Audit Report’:
Since the audit log available through 'Search-UnifiedAuditLog' is kept for 90 days, you may require older data for analysis.
In that case, scheduling will help you to keep the audit log for a longer period. To run this script as a PowerShell scheduled task, you can use the below format in the Windows Task Scheduler.
```powershell
.\AuditDeletedEmails.ps1 -UserName admin@contoso.com -Password XXX
```
Note: You might have read our earlier blog post on “Office 365 keeps audit log for 365 days for all the subscriptions”. But we haven’t retrieved 365 days of audit data in this script. We will update our script once Microsoft announces it officially.
Get a Monthly Report on Email Deletion:
To get a monthly report on deleted emails, run the script as follows,
```powershell
.\AuditDeletedEmails.ps1 -StartDate ((Get-Date).AddDays(-30)) -EndDate (Get-Date) -UserName admin@contoso.com -Password XXX
```
You can also use the above format to get a scheduled monthly report.
Audit Email Deletion in a More Effective Way:
By using PowerShell filters and conditions, admins can customize the script based on their needs. But it requires a lot of time and PowerShell knowledge. With the AdminDroid Office 365 auditing tool, you can get the reports in a few mouse clicks. Also, you can slice and dice the data by using contextual filters and graphs.
For example,
- When was the mail deleted? – You can select a specific date or week or a custom period.
- Who deleted emails? – You can filter out emails that are deleted by a specific user or list of users.
- What operation was performed? – You can identify deleted emails based on the deletion methods such as soft delete, hard delete, move to deleted items folder, etc.
- View deleted emails from a specific mailbox – You can find out who deleted an email from a specific mailbox.
The report provides AI-powered graphical analysis to gain insights and better understand the data in a visually appealing manner.
AdminDroid provides 1500+ pre-built reports and 20 smart visually appealing dashboards to know about your Office 365 environment at a glance. This tool provides reports on Office 365 reporting, auditing, analytics, usage statistics, security & compliance, etc.
Additionally, AdminDroid offers 100+ reports and dashboards completely for free. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, and more. The free edition doesn't have any restrictions in reporting functionalities such as customization, scheduling, and exporting. Download the Free Office 365 reporting tool by AdminDroid and see how it helps you.
I hope this blog will help you to identify who deleted an email from a mailbox. If you find any user's activity suspicious, you can monitor the user's activity to protect your organization from malicious intent.