How to investigate missing or unexpectedly updated mailbox items by using mailbox audit logging in Office 365 dedicated

Items in a mailbox are updated unexpectedly or items are missing from a mailbox in Microsoft Office 365 dedicated.
This issue occurs because items may be moved or deleted unexpectedly or incorrectly.
To resolve this issue, use the Run-MailboxAuditLogSearcher Windows PowerShell script, and customize a search. You can use this script to investigate actions that are performed by non-owners and administrators. This script will export content in a simplified, comma-separated values (.csv) file to help you troubleshoot reports about items that are missing or that are updated unexpectedly.

Important Customers are encouraged to use the script that is provided by Microsoft Online Services to help in certain investigations. Microsoft Online Services scripts are generic, and they are expected to be usable in all customer environments. If errors occur when a script is executed, the content of the script should be used as an example to create a customized script for a particular customer environment. Microsoft Online Services provides the script as a convenience to O365-D/ITAR customers without warranty, expressed or implied.

Step 1: Run the script

To run the Run-MailboxAuditLogSearcher script, follow these steps:
  1. Start Notepad, and then copy the code from the "More Information" section into the Notepad file.
  2. On the File menu, click Save As.
  3. In the Save as type box, click All Files.
  4. In the File name box, type Run-MailboxAuditLogSearcher.ps1, and then click Save.
  5. Start Windows PowerShell, and then connect to Windows Remote PowerShell.
  6. Locate the directory in which you saved the script, and then run the script.

    • If you run the script without parameters, you are prompted for the following default parameters:
      • Mailbox
      • StartDate
      • EndDate
    • To search for entries from the current day, add one day to the end-date value in the prompt window. For example, if the current date is March 14, 2012, and you want to include the current day in your search, enter 4/15/2012 as the end date.

Step 2: Customize a mailbox audit log search

Mailbox audit logging

Mailbox audit logging lets users obtain information about actions that are performed by non-owners and administrators. Mailbox audit logging is available to members of the Audit Reporting Mailbox self-service group only by using Windows Remote PowerShell.

Note By default, only non-owner mailbox audit logging is enabled, and owner mailbox audit logging is disabled. If you have to perform owner mailbox audit logging to investigate a specific issue, it can be temporarily enabled for a two-week period.

To search mailbox audit log entries, as appropriate for your situation, use one of the following methods:
  • Search a single mailbox synchronously. To do this, run the following cmdlet in Windows Remote PowerShell:
    For more information about the Search-MailboxAuditLog cmdlet, go to the following Microsoft TechNet website:
  • Search one or more mailboxes asynchronously. To do this, run the following cmdlet in Windows Remote PowerShell:
    For more information about the New-MailboxAuditLogSearch cmdlet, go to the following Microsoft TechNet website:
For more information about the default mailbox audit logging entries, go to the "Mailbox audit log entries" section of the following Microsoft TechNet website:

Customizing a search

In Office 365 dedicated and ITAR, mailbox audit logging entries are retained in the mailbox for 90 days. You are prompted to indicate a start date and end date for the search. You can use several optional parameters to customize the search. For a description of these parameters, see the "More Information" section.

If items are found after the script runs, you receive a message that resembles the following:

Screen shot of the result after running the script

This example message indicates that the search process has found 11 entries. By default, the FolderBind entries are filtered out, and the following operation types remain:
  • Copy
  • Create
  • HardDelete
  • MessageBind
  • Move
  • MoveToDeletedItems
  • SendAs
  • SendOnBehalf
  • SoftDelete
  • Update
Note The FolderBind operation indicates the times at which the mailbox is accessed by a non-owner. This is the most common operation. You do not have to view the FolderBind operations when you investigate an item that is updated or deleted.

Review the output of the .csv file. The most useful columns are exported, and some of these columns are merged to make the output easier to review. For more information about the columns that are exported, see the "More Information" section.
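To make the review of the exported .csv faster, the following PowerShell snippet is an added example; it is not part of this article or of the Run-MailboxAuditLogSearcher script. It groups the exported entries by non-owner and operation, and then lists the removal operations that were logged against one subject; the .csv path and the subject are assumptions, and the embedded sample rows are constructed in the column layout the script exports.

```powershell
# Added example (not part of the KB article or the Run-MailboxAuditLogSearcher script).
# Summarises an AuditLogResults*.csv file produced by the script: which non-owners performed
# which operations, and which removal operations touched a given subject.
# The CSV path and the subject are assumptions; the sample rows below are constructed.

param (
    [string]$CsvPath = ".\AuditLogResults_SAMPLE.csv",  # assumed path of the exported file
    [string]$Subject = "Good News"                       # assumed subject of the missing item
)

# Constructed sample rows in the column layout the script exports, used when no CSV exists.
$sampleCsv = @'
"Subject","Operation","LogonUserDisplayName","LastAccessed","DestFolderPathName","FolderPathName","ClientInfoString","ClientIPAddress","ClientMachineName","ClientProcessName","ClientVersion","LogonType","MailboxResolvedOwnerName","OperationResult","CrossMailboxOp"
"Good News","SoftDelete","Delegate One","9/12/2012 10:14:03 AM","","\Inbox","Client=OWA","10.0.0.5","","","","Delegate","Test User 1","Succeeded","False"
"Good News","HardDelete","Delegate One","9/12/2012 10:15:41 AM","","\Deleted Items","Client=OWA","10.0.0.5","","","","Delegate","Test User 1","Succeeded","False"
"Budget","Move","Admin Two","9/13/2012 8:02:17 AM","\Archive","\Inbox","Client=MSExchangeRPC","10.0.0.9","WKS01","OUTLOOK.EXE","14.0","Admin","Test User 1","Succeeded","False"
"Budget","Update","Test User 1","9/13/2012 9:30:00 AM","","\Inbox","Client=MSExchangeRPC","10.0.0.7","WKS02","OUTLOOK.EXE","14.0","Owner","Test User 1","Succeeded","N/A"
'@

if (Test-Path $CsvPath) {
    $entries = Import-Csv -Path $CsvPath
} else {
    $entries = $sampleCsv | ConvertFrom-Csv
}

# Operations that remove or relocate an item and therefore explain a "missing item" report.
$removalOps = @("SoftDelete", "HardDelete", "MoveToDeletedItems", "Move")

Write-Host -ForegroundColor Green "Entries per non-owner and operation:"
$entries |
    Where-Object { $_.LogonType -ne "Owner" } |
    Group-Object LogonUserDisplayName, Operation |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

Write-Host -ForegroundColor Green "Timeline for subject '$Subject' (removal operations only):"
$entries |
    Where-Object { $_.Subject -eq $Subject -and $removalOps -contains $_.Operation } |
    Sort-Object { [datetime]$_.LastAccessed } |
    Format-Table LastAccessed, Operation, LogonUserDisplayName, LogonType,
                 FolderPathName, DestFolderPathName, ClientIPAddress, OperationResult -AutoSize
```

Run it with -CsvPath pointing at the AuditLogResults file that the script wrote, and -Subject set to the subject reported as missing; the SoftDelete followed by HardDelete pair in the sample shows the sequence a purged item leaves behind.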

More information

Run-MailboxAuditLogSearcher script

To use the Run-MailboxAuditLogSearcher script in step 1 of the procedure in the "Resolution" section, copy the following code into a text file.

param (
    [Parameter(Mandatory=$true, ValueFromPipeline=$false)] [string]$Mailbox,
    [Parameter(Mandatory=$true, ValueFromPipeline=$false)] [string]$StartDate,
    [Parameter(Mandatory=$true, ValueFromPipeline=$false)] [string]$EndDate,
    [Parameter(Mandatory=$false, ValueFromPipeline=$false)] [string]$Subject,
    [Parameter(Mandatory=$false, ValueFromPipeline=$false)] [switch]$IncludeFolderBind,
    [Parameter(Mandatory=$false, ValueFromPipeline=$false)] [switch]$ReturnObject
)

BEGIN {
    # Columns kept from the raw audit log entries; Subject and CrossMailboxOp are added below.
    [string[]]$LogParameters = @("Operation", "LogonUserDisplayName", "LastAccessed", "DestFolderPathName",
        "FolderPathName", "ClientInfoString", "ClientIPAddress", "ClientMachineName", "ClientProcessName",
        "ClientVersion", "LogonType", "MailboxResolvedOwnerName", "OperationResult")
}

PROCESS {
    write-host -fore green "Searching Mailbox Audit Logs..."
    # Synchronous search of one mailbox for owner, admin and delegate logons.
    $SearchResults = @(search-mailboxAuditLog $Mailbox -StartDate $StartDate -EndDate $EndDate -LogonTypes Owner, Admin, Delegate -ShowDetails -resultsize 50000)
    write-host -fore green "$($SearchResults.Count) Total entries Found"

    # FolderBind entries record non-owner folder access; drop them unless -IncludeFolderBind is set.
    if (-not $IncludeFolderBind) {
        write-host -fore green "Removing FolderBind operations."
        $SearchResults = @($SearchResults | ? {$_.Operation -notlike "FolderBind"})
        write-host -fore green "Filtered to $($SearchResults.Count) Entries"
    }

    # Merge the subject (from the item or its first source item) and the cross-mailbox flag into each row.
    $SearchResults = @($SearchResults | select ($LogParameters +
        @{Name='Subject'; e={if (($_.SourceItems.Count -eq 0) -or ($_.SourceItems.Count -eq $null)) {$_.ItemSubject} else {($_.SourceItems[0].SourceItemSubject).TrimStart(" ")}}},
        @{Name='CrossMailboxOp'; e={if (@("SendAs","Create","Update") -contains $_.Operation) {"N/A"} else {$_.CrossMailboxOperation}}}))
    $LogParameters = @("Subject") + $LogParameters + @("CrossMailboxOp")

    # Optional subject filter: regular-expression match or exact match.
    If ($Subject -ne "" -and $Subject -ne $null) {
        write-host -fore green "Searching for Subject: $Subject"
        $SearchResults = @($SearchResults | ? {$_.Subject -match $Subject -or $_.Subject -eq $Subject})
        write-host -fore green "Filtered to $($SearchResults.Count) Entries"
    }

    $SearchResults = @($SearchResults | select $LogParameters)
}

END {
    if ($ReturnObject) {
        return $SearchResults
    }
    elseif ($SearchResults.count -gt 0) {
        # Export the filtered entries to a time-stamped .csv in the current directory.
        $Date = get-date -Format yyMMdd_HHmmss
        $OutFileName = "AuditLogResults$Date.csv"
        write-host
        write-host -fore green "Posting results to file: $OutFileName"
        $SearchResults | export-csv $OutFileName -notypeinformation -encoding UTF8
    }
}

Optional script parameters

The following list describes optional parameters that generate different results when they are used together with the Run-MailboxAuditLogSearcher script:
  • IncludeFolderBind: When you use this switch, the FolderBind operation is not filtered from the output. You can use FolderBind information to investigate mailbox access issues.

    For example, the following command searches the "Test User 1" mailbox and includes all operations:

    .\Run-MailboxAuditLogSearcher.ps1 -IncludeFolderBind -Mailbox "< Test User 1 >" -StartDate "< 09/10/12 >" -EndDate "< 09/27/12 >"
  • Subject: When you use this parameter, you can specify the subject of an item in order to limit the search to operations that are performed on that item.

    For example, the following command filters out all output except items that have the subject set as "Good News":

    .\Run-MailboxAuditLogSearcher.ps1 -Subject "< Good News >" -Mailbox "< >" -StartDate "< 09/10/12 >" -EndDate "< 09/27/12 >"
  • ReturnObject: When you use this switch, the result is displayed on the screen, but it is not exported to a .csv file.

    For example, the following command displays the output on the screen:

    .\Run-MailboxAuditLogSearcher.ps1 -ReturnObject -Mailbox "< Test User 1 >" -StartDate "< 09/10/12 >" -EndDate "< 09/27/12 >"

Exported columns from the .csv file

The most useful columns of the .csv file are exported. Some of these columns are merged to make the output easier to review. The following table lists the columns that are exported.
Subject: Subject of the item
Operation: Action that is performed on the item
LogonUserDisplayName: Display name of the user who is logged on
LastAccessed: Time at which the operation was performed
DestFolderPathName: Destination folder for a move operation
FolderPathName: Path of the folder
ClientInfoString: Details about the client that performs the operation
ClientIPAddress: IP address of the client computer
ClientMachineName: Name of the client computer
ClientProcessName: Name of the client application process
ClientVersion: Version of the client application
LogonType: Logon type of the user who performs the operation

Note Logon types include the following:
  • Delegate for non-owner
  • Administrator
  • Mailbox owner (not logged by default)

MailboxResolvedOwnerName: Resolved name of the mailbox user

Note Resolved name is in the following format:

OperationResult: Status of the operation

Note Operation results include the following:
  • Failed
  • PartiallySucceeded
  • Succeeded

CrossMailboxOperation: Information about whether the logged operation is a cross-mailbox operation (for example, copying or moving messages among mailboxes)

Article ID: 2792663 - Last Review: 06/29/2015 07:07:00 - Revision: 12.0
