How to investigate missing or unexpectedly updated mailbox items by using mailbox audit logging in Office 365 dedicated

Article ID: 2792663

Symptoms

Items in a mailbox are updated unexpectedly or items are missing from a mailbox in Microsoft Office 365 dedicated.

Cause

This issue occurs because items may be moved or deleted unexpectedly or incorrectly.

Resolution

To resolve this issue, use the Run-MailboxAuditLogSearcher Windows PowerShell script, and customize a search. You can use this script to investigate actions that are performed by non-owners and administrators. This script will export content in a simplified, comma-separated values (.csv) file to help you troubleshoot reports about items that are missing or that are updated unexpectedly.

Important Customers are encouraged to use the script that is provided by Microsoft Online Services to help in certain investigations. Microsoft Online Services scripts are generic, and they are expected to be usable in all customer environments. If errors occur when a script is executed, the content of the script should be used as an example to create a customized script for a particular customer environment. Microsoft Online Services provides the script as a convenience to O365-D/ITAR customers without warranty, expressed or implied.

Step 1: Run the script

To run the Run-MailboxAuditLogSearcher script, follow these steps:
  1. Start Notepad, and then copy the code from the "More Information" section into the Notepad file.
  2. On the File menu, click Save As.
  3. In the Save as type box, click All Files.
  4. In the File name box, type Run-MailboxAuditLogSearcher.ps1, and then click Save.
  5. Start Windows PowerShell, and then connect to Windows Remote PowerShell.
  6. Locate the directory in which you saved the script, and then run the script.

    Notes
    • If you run the script without parameters, you are prompted for the following default parameters:
      • Mailbox
      • StartDate
      • EndDate
    • To search for entries from the current day, add one day to the end-date value in the prompt window. For example, if the current date is March 14, 2012, and you want to include the current day in your search, enter 4/15/2012 as the end date.

Step 2: Customize a mailbox audit log search

Mailbox audit logging

Mailbox audit logging lets users obtain information about actions that are performed by non-owners and administrators. Mailbox audit logging is available to members of the Audit Reporting Mailbox self-service group only by using Windows Remote PowerShell.

Note By default, only non-owner mailbox audit logging is enabled, and owner mailbox audit logging is disabled. If you have to perform owner mailbox audit logging to investigate a specific issue, owner logging can be temporarily enabled for a two-week period.

To search mailbox audit log entries, as appropriate for your situation, use one of the following methods:
  • Search a single mailbox synchronously. To do this, run the following cmdlet in Windows Remote PowerShell:
    Search-MailboxAuditLog
    For more information about the Search-MailboxAuditLog cmdlet, go to the following Microsoft TechNet website:
    Search-MailboxAuditLog
  • Search one or more mailboxes asynchronously. To do this, run the following cmdlet in Windows Remote PowerShell:
    New-MailboxAuditLogSearch
    For more information about the New-MailboxAuditLogSearch cmdlet, go to the following Microsoft TechNet website:
    New-MailboxAuditLogSearch
For more information about the default mailbox audit logging entries, go to the "Mailbox audit log entries" section of the following Microsoft TechNet website:
Mailbox Audit Logging

Customizing a search

In Office 365 dedicated and ITAR, mailbox audit logging entries are retained in the mailbox for 90 days. You are prompted to indicate a start date and end date for the search. You can use several optional parameters to customize the search. For a description of these parameters, see the "More Information" section.

If items are found after the script runs, you receive a message that resembles the following:

[Screen shot of the result after running the script]

This example message indicates that the search process has found 11 entries. By default, the FolderBind entries are filtered out, and the following operation types remain:
  • Copy
  • Create
  • HardDelete
  • MessageBind
  • Move
  • MoveToDeletedItems
  • SendAs
  • SendOnBehalf
  • SoftDelete
  • Update
Note The FolderBind operation indicates the times at which the mailbox is accessed by a non-owner. This is the most common operation. You do not have to view the FolderBind operations when you investigate an item that is updated or deleted.

Review the output of the .csv file. The most useful columns are exported, and some of these columns are merged to make the output easier to review. For more information about the columns that are exported, see the "More Information" section.
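As an added example (not the KB article's own code and not part of the Microsoft script), the following PowerShell triages the exported .csv: it keeps the operations that can make an item disappear, drops the owner's own actions, and summarises who performed them, from which client process and IP address, and where the items went. The rows are constructed to match the columns the script exports, and the snippet assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: triage the AuditLogResults*.csv exported by Run-MailboxAuditLogSearcher.
# The rows below are constructed to match the exported columns; on a real case replace
# them with:  $Rows = Import-Csv .\AuditLogResults<date>.csv
$Rows = @'
Subject,Operation,LogonUserDisplayName,LastAccessed,DestFolderPathName,FolderPathName,ClientInfoString,ClientIPAddress,ClientMachineName,ClientProcessName,ClientVersion,LogonType,MailboxResolvedOwnerName,OperationResult,CrossMailboxOp
Good News,MoveToDeletedItems,Delegate One,9/12/2012 10:15:03 AM,\Deleted Items,\Inbox,Client=OWA,10.0.0.5,,w3wp,,Delegate,CONTOSO\test1,Succeeded,False
Good News,SoftDelete,Delegate One,9/12/2012 10:15:40 AM,,\Deleted Items,Client=OWA,10.0.0.5,,w3wp,,Delegate,CONTOSO\test1,Succeeded,False
Budget,MessageBind,Admin Two,9/13/2012 8:01:50 AM,,\Inbox,Client=MSExchangeRPC,10.0.0.9,ADMINWS,OUTLOOK.EXE,15.0.0.0,Admin,CONTOSO\test1,Succeeded,False
Budget,Move,Admin Two,9/13/2012 8:02:11 AM,\Archive,\Inbox,Client=MSExchangeRPC,10.0.0.9,ADMINWS,OUTLOOK.EXE,15.0.0.0,Admin,CONTOSO\test1,Succeeded,False
Lunch,Update,Test User 1,9/13/2012 9:00:00 AM,,\Inbox,Client=OWA,10.0.0.7,,w3wp,,Owner,CONTOSO\test1,Succeeded,N/A
'@ | ConvertFrom-Csv

# Operations that take an item away from where its owner expects to find it.
$RemovalOps = 'HardDelete', 'SoftDelete', 'MoveToDeletedItems', 'Move'

# Keep only removals by non-owners. Owner rows exist only while owner auditing is
# enabled and are usually the user's own housekeeping.
$Suspect = @($Rows | Where-Object {
    $RemovalOps -contains $_.Operation -and $_.LogonType -ne 'Owner'
})

# Per-item timeline: a MoveToDeletedItems followed by SoftDelete is what a "missing"
# item usually looks like; DestFolderPathName shows where a Move put the item.
$Suspect |
    Sort-Object Subject, { [datetime]$_.LastAccessed } |
    Format-Table Subject, LastAccessed, Operation, LogonUserDisplayName, LogonType,
                 FolderPathName, DestFolderPathName, ClientIPAddress -AutoSize

# Per-actor summary: who removed what, from which client process and IP address.
$Suspect |
    Group-Object LogonUserDisplayName, LogonType, ClientProcessName, ClientIPAddress |
    ForEach-Object {
        [pscustomobject]@{
            Actor      = $_.Name
            Removals   = $_.Count
            Operations = ($_.Group | ForEach-Object { $_.Operation } | Sort-Object -Unique) -join ', '
            Items      = ($_.Group | ForEach-Object { $_.Subject } | Sort-Object -Unique) -join ', '
        }
    } | Format-Table -AutoSize
```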

More information

Run-MailboxAuditLogSearcher script

To use the Run-MailboxAuditLogSearcher script in step 1 of the procedure in the "Resolution" section, copy the following code into a text file.

param (
    [Parameter(Mandatory=$true, ValueFromPipeline=$false)] [string]$Mailbox,
    [Parameter(Mandatory=$true, ValueFromPipeline=$false)] [string]$StartDate,
    [Parameter(Mandatory=$true, ValueFromPipeline=$false)] [string]$EndDate,
    [Parameter(Mandatory=$false, ValueFromPipeline=$false)] [string]$Subject,
    [Parameter(Mandatory=$false, ValueFromPipeline=$false)] [switch]$IncludeFolderBind,
    [Parameter(Mandatory=$false, ValueFromPipeline=$false)] [switch]$ReturnObject
)

BEGIN {
    # Columns kept from each audit log entry, in the order in which they are exported.
    [string[]]$LogParameters = @(
        "Operation", "LogonUserDisplayName", "LastAccessed", "DestFolderPathName",
        "FolderPathName", "ClientInfoString", "ClientIPAddress", "ClientMachineName",
        "ClientProcessName", "ClientVersion", "LogonType", "MailboxResolvedOwnerName",
        "OperationResult"
    )
}

PROCESS {
    Write-Host -ForegroundColor Green "Searching Mailbox Audit Logs..."
    # Synchronous search of a single mailbox. All three logon types are requested so that
    # owner entries are returned whenever owner auditing has been enabled for the mailbox.
    $SearchResults = @(Search-MailboxAuditLog $Mailbox -StartDate $StartDate -EndDate $EndDate `
        -LogonTypes Owner, Admin, Delegate -ShowDetails -ResultSize 50000)
    Write-Host -ForegroundColor Green "$($SearchResults.Count) Total entries Found"

    # FolderBind (non-owner folder access) is the most common operation and is dropped
    # unless -IncludeFolderBind is specified.
    if (-not $IncludeFolderBind) {
        Write-Host -ForegroundColor Green "Removing FolderBind operations."
        $SearchResults = @($SearchResults | Where-Object { $_.Operation -notlike "FolderBind" })
        Write-Host -ForegroundColor Green "Filtered to $($SearchResults.Count) Entries"
    }

    # Merge the item subject (taken from SourceItems when present, otherwise ItemSubject) and
    # the cross-mailbox flag into the output. SendAs, Create and Update are never cross-mailbox.
    $SearchResults = @($SearchResults | Select-Object ($LogParameters +
        @{ Name = 'Subject'; Expression = {
            if (($_.SourceItems.Count -eq 0) -or ($_.SourceItems.Count -eq $null)) { $_.ItemSubject }
            else { ($_.SourceItems[0].SourceItemSubject).TrimStart(" ") } } },
        @{ Name = 'CrossMailboxOp'; Expression = {
            if (@("SendAs", "Create", "Update") -contains $_.Operation) { "N/A" }
            else { $_.CrossMailboxOperation } } }))
    $LogParameters = @("Subject") + $LogParameters + @("CrossMailboxOp")

    # Optional subject filter: regular-expression match or exact match.
    if ($Subject -ne "" -and $Subject -ne $null) {
        Write-Host -ForegroundColor Green "Searching for Subject: $Subject"
        $SearchResults = @($SearchResults | Where-Object { $_.Subject -match $Subject -or $_.Subject -eq $Subject })
        Write-Host -ForegroundColor Green "Filtered to $($SearchResults.Count) Entries"
    }
    $SearchResults = @($SearchResults | Select-Object $LogParameters)
}

END {
    if ($ReturnObject) {
        return $SearchResults
    }
    elseif ($SearchResults.Count -gt 0) {
        # Export to a time-stamped .csv file in the current directory.
        $Date = Get-Date -Format yyMMdd_HHmmss
        $OutFileName = "AuditLogResults$Date.csv"
        Write-Host
        Write-Host -ForegroundColor Green "Posting results to file: $OutFileName"
        $SearchResults | Export-Csv $OutFileName -NoTypeInformation -Encoding UTF8
    }
}

Optional script parameters

The following list describes optional parameters that generate different results when they are used together with the Run-MailboxAuditLogSearcher script:
  • IncludeFolderBind: When you use this switch, the FolderBind operation is not filtered from the output. You can use FolderBind information to investigate mailbox access issues.

    For example, the following command searches the "Test User 1" mailbox and includes all operations:

    .\Run-MailboxAuditLogSearcher.ps1 -IncludeFolderBind -Mailbox "< Test User 1 >" -StartDate "< 09/10/12 >" -EndDate "< 09/27/12 >"
  • Subject: When you use this parameter, you can specify the subject of an item in order to limit the search to operations that are performed on that item.

    For example, the following command filters out all output except items that have the subject set as "Good News":

    .\Run-MailboxAuditLogSearcher.ps1 -Subject "< Good News >" -Mailbox "< test1@contoso.com >" -StartDate "< 09/10/12 >" -EndDate "< 09/27/12 >"
  • ReturnObject: When you use this switch, the result is displayed on the screen, but it is not exported to a .csv file.

    For example, the following command displays the output on the screen:

    .\Run-MailboxAuditLogSearcher.ps1 -ReturnObject -Mailbox "< Test User 1 >" -StartDate "< 09/10/12 >" -EndDate "< 09/27/12 >"

Exported columns from the .csv file

The most useful columns of the .csv file are exported. Some of these columns are merged to make the output easier to review. The following table lists the columns that are exported.
Column                    Description
Subject                   Subject of the item
Operation                 Action that was performed on the item
LogonUserDisplayName      Display name of the user who is logged on
LastAccessed              Time at which the operation was performed
DestFolderPathName        Destination folder for a move operation
FolderPathName            Path of the folder
ClientInfoString          Details about the client that performed the operation
ClientIPAddress           IP address of the client computer
ClientMachineName         Name of the client computer
ClientProcessName         Name of the client application process
ClientVersion             Version of the client application
LogonType                 Logon type of the user who performed the operation

                          Note Logon types include the following:
                            • Delegate for non-owner
                            • Administrator
                            • Mailbox owner (not logged by default)
MailboxResolvedOwnerName  Resolved name of the mailbox user

                          Note The resolved name is in the following format:
                            Domain\SamAccountName
OperationResult           Status of the operation

                          Note Operation results include the following:
                            • Failed
                            • PartiallySucceeded
                            • Succeeded
CrossMailboxOperation     Whether the logged operation is a cross-mailbox operation (for example, copying or moving messages between mailboxes)

Properties

Article ID: 2792663 - Last Review: March 18, 2014 - Revision: 9.0