Audit Email Deletion in Office 365: Find Out Who Deleted an Email from a Mailbox 

Most admins wonder how to find out who deleted an email from a mailbox. If you are one of them, this blog is for you.

 

How to Determine If a User Deleted Email Items: 

Users delete emails either by accident or on purpose. As an admin, you can use the audit log to identify deleted emails in Office 365. Microsoft has turned on mailbox audit logging by default for certain actions since January 2019. If your tenant was created before 2019, or you want to audit all mailbox actions, you must enable mailbox auditing through PowerShell.

To track deleted email, you need to filter the audit log for the following actions, which are audited by default:

  • MoveToDeletedItems – Emails moved to the Deleted Items folder.
  • SoftDelete – Messages deleted from the Deleted Items folder.
  • HardDelete – Messages purged from the Recoverable Items folder.
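Before searching for these actions, it is worth confirming they are actually being recorded. The check below is an added example, not code from the blog or its script: it reads the tenant-level default-auditing switch and then, for every user and shared mailbox, reports any of the three delete actions missing from the owner, delegate or admin audit sets. It assumes the ExchangeOnlineManagement module is installed and you sign in with an Exchange admin account.

```powershell
# Added example (not the blog's AuditDeletedEmails.ps1): verify that the three
# delete actions are audited before you go looking for them in the log.
Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -ShowBanner:$false

$deleteActions = 'MoveToDeletedItems', 'SoftDelete', 'HardDelete'

# Tenant-level switch. AuditDisabled = $true means "audit by default" is off,
# so nothing is logged unless each mailbox was enabled individually.
$org = Get-OrganizationConfig
[pscustomobject]@{
    Setting = 'Tenant default mailbox auditing'
    Enabled = -not $org.AuditDisabled
} | Format-List

# Per-mailbox view: AuditEnabled plus the action sets for owner, delegate and admin.
# A mailbox whose set lacks one of the delete actions will not log that actor's deletes.
$report = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    ForEach-Object {
        $mbx = $_
        # Collect "<Set>:<Action>" pairs that are not audited for this mailbox
        $gaps = foreach ($set in 'AuditOwner', 'AuditDelegate', 'AuditAdmin') {
            foreach ($action in $deleteActions) {
                if ($mbx.$set -notcontains $action) { "${set}:$action" }
            }
        }
        [pscustomobject]@{
            Mailbox             = $mbx.UserPrincipalName
            Type                = $mbx.RecipientTypeDetails
            AuditEnabled        = $mbx.AuditEnabled
            DefaultAuditSet     = ($mbx.DefaultAuditSet -join ',')
            MissingDeleteAudits = ($gaps -join ', ')
        }
    }

Disconnect-ExchangeOnline -Confirm:$false

# Only the mailboxes that need attention: auditing off, or a delete action not covered
$report | Where-Object { -not $_.AuditEnabled -or $_.MissingDeleteAudits } |
    Format-Table -AutoSize
```

If the tenant switch shows Enabled = False, the per-mailbox AuditEnabled values are the only thing keeping deletes in the log; a mailbox that appears in the final table is one whose deletions you will not find later, no matter how carefully you search.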

 

How to Find Out Who Deleted Email from a Mailbox? 

You can use either Audit log search (UI) or PowerShell to see who deleted an email in Outlook. 

Audit log search: In the audit log search, you can filter on the above-mentioned ‘message delete events’ to track deleted emails. You can also download the audit log search results to a CSV file. However, you can’t view the data you actually need, such as email subject, folder, and result status, at a glance: those attributes are packed into a JSON object, which has to be parsed to get at the details.

PowerShell: You can use the Search-UnifiedAuditLog cmdlet to audit email deletion. However, retrieving audit logs with PowerShell has its own challenges: if you don’t page through the results properly, you end up with missing data and session time-out errors. So you have to spend more time optimizing the PowerShell code.

To ease your work, we have created a PowerShell script to investigate email deletion issues more efficiently. 
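To make the two points above concrete, here is an added example that is not the blog’s AuditDeletedEmails.ps1 and does not reproduce it. It pages through Search-UnifiedAuditLog with a session ID so that nothing is lost to the per-call result cap, de-duplicates the records, parses the AuditData JSON into the columns the UI hides (subject, folder, result status), and writes a CSV. The optional -Mailbox and -Subject filters and the -StartDate/-EndDate window go beyond the plain query, so the same block also illustrates the shared-mailbox, specific-mailbox, subject and custom-period cases discussed later on this page. It assumes the ExchangeOnlineManagement module; the output file name is a constructed placeholder.

```powershell
# Added example (not the blog's script): pull message-delete events from the unified
# audit log, page safely, flatten the JSON AuditData and write a CSV report.
param(
    [datetime]$StartDate = (Get-Date).AddDays(-90),   # default: last 90 days, like the post
    [datetime]$EndDate   = (Get-Date),
    [string]$Mailbox,                                 # optional: limit to one target mailbox UPN
    [string]$Subject,                                 # optional: substring of the subject
    [string]$OutFile = ".\DeletedEmails_$(Get-Date -Format yyyyMMdd_HHmm).csv"
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -ShowBanner:$false          # modern auth; works with MFA

$operations = 'MoveToDeletedItems', 'SoftDelete', 'HardDelete'
$sessionId  = 'DeletedEmails-' + [guid]::NewGuid().ToString()
$allRecords = [System.Collections.Generic.List[object]]::new()

# Paging: re-issuing the call with the same SessionId and SessionCommand=ReturnLargeSet
# returns the next page (up to 5000 rows). An empty page means the session is exhausted.
# Skipping this loop is exactly how "data loss" happens: only the first page comes back.
do {
    $params = @{
        StartDate      = $StartDate
        EndDate        = $EndDate
        Operations     = $operations
        SessionId      = $sessionId
        SessionCommand = 'ReturnLargeSet'
        ResultSize     = 5000
    }
    $page = Search-UnifiedAuditLog @params
    if ($page) { $allRecords.AddRange([object[]]$page) }
} while ($page -and $page.Count -gt 0)

Disconnect-ExchangeOnline -Confirm:$false

# ReturnLargeSet may hand back the same record on two pages; dedupe on Identity.
$unique = $allRecords | Sort-Object Identity -Unique

$rows = foreach ($rec in $unique) {
    # AuditData is a JSON string; this is the parsing the UI export leaves to you.
    $data = $rec.AuditData | ConvertFrom-Json
    if ($Mailbox -and $data.MailboxOwnerUPN -ne $Mailbox) { continue }

    # All three delete operations list the touched messages under AffectedItems.
    $items = @($data.AffectedItems)
    if ($Subject) { $items = @($items | Where-Object { $_.Subject -like "*$Subject*" }) }
    if ($items.Count -eq 0) { continue }

    [pscustomobject]@{
        'Deletion Time'    = $data.CreationTime
        'Type of Deletion' = $data.Operation
        'Target Mailbox'   = $data.MailboxOwnerUPN
        'Deleted By'       = $data.UserId
        'Logon Type'       = $data.LogonType        # 0 = owner, 1 = admin, 2 = delegate
        'No. of Emails'    = $items.Count
        'Email Subjects'   = ($items.Subject -join '; ')
        'Folder'           = (($items.ParentFolder.Path | Select-Object -Unique) -join '; ')
        'Result Status'    = $data.ResultStatus
        'Client'           = $data.ClientInfoString
    }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "$(@($rows).Count) deletion events written to $OutFile"
```

Two details matter for investigations. The Deleted By column is the actor (UserId), which for a shared mailbox is the delegate’s account rather than the mailbox itself, and Logon Type tells you whether the actor was the owner, an admin or a delegate. A -StartDate older than 90 days returns nothing for the part of the range that has already aged out, which is the reason the post recommends scheduling.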

 

Download Script: AuditDeletedEmails.ps1 

 

Script Highlights: 
  • The script uses modern authentication to retrieve audit logs. 
  • The script can be executed with MFA enabled account too.   
  • Exports report results to CSV file.   
  • Allows you to track all the deleted emails. 
  • Helps to find out who deleted email from a shared mailbox. 
  • Allows you to generate an email deletion audit report for a custom period.   
  • Automatically installs the EXO V2 module (if not installed already) upon your confirmation.  
  • The script is scheduler-friendly, i.e., credentials can be passed as parameters instead of being saved inside the script. 

 

Audit Email Deletion Report – Sample Output: 

The exported report contains Email Deletion Time, Type of Deletion, Target Mailbox, Deleted By, No. of Emails Deleted, Email Subjects, Folder, Result Status and other Audit Info.


 

Audit Deleted Emails in Office 365 – Script Execution 

To run the script, you can choose any one of the below methods.     

Method 1: Execute script with MFA and non-MFA account       

 

Method 2: Execute script by explicitly mentioning credential (Scheduler friendly).   

If the admin account has MFA enabled, you need to disable MFA for it via a Conditional Access policy for this method to work. 

 

More use-cases of ‘Audit Deleted Emails’ PowerShell script: 

The script supports the following built-in params to schedule it and generate more granular reports. 

  1. Mailbox –> Gets deleted emails from a specific mailbox 
  2. Subject –> Identifies deleted emails by subject. 
  3. StartDate and EndDate –> Generates audit report for a custom period 
  4. UserName and Password –> Schedules the PowerShell script without interactive login. 

Using the above-mentioned params, I have put together a few use-cases for this script below: 

  • Track all the deleted emails – Who deleted what message and when 
  • How to find out who deleted emails from a shared mailbox 
  • Audit deleted emails from a specific mailbox 
  • Find deleted emails by their subject 
  • Audit email deletion for custom period 
  • Schedule ‘Deleted email audit report’ 
  • Get a monthly report on deleted emails 

 

Track All the Deleted Emails – Who Deleted What Message and When: 

Users might delete or move critical business emails to deleted items unknowingly. So, admins need to identify the Exchange emails that were deleted or moved to deleted items in their organization. 

By default, the script will track all the deleted emails in the last 90 days. 

The exported audit report provides a clear view of who deleted the email, from which mailbox, what message, and when. By referring to this report, admins can recover the deleted emails based on the requirement. 

 

How to Find out Who Deleted Emails from Shared mailbox: 

Since shared mailboxes can be accessed by multiple users (i.e., shared mailbox delegates), it’s necessary to identify which user deleted an email from a shared mailbox. To view who has permission on shared mailboxes, you can refer to our blog post on getting shared mailbox delegates. 

To track who deleted emails from a shared mailbox, run the script with –Mailbox param.

The exported report shows the deleted emails in the ‘Marketing@contoso.com’ mailbox for the past 90 days.

 

Audit Who Deleted Emails from a Specific Mailbox: 

An organization may need to allow some users to access another user’s mailbox, so emails can be deleted by mailbox delegates as well as owners. You can generate a mailbox permission report to find out who the mailbox delegates are.  

To audit email deletion in a specific mailbox, run the script with –Mailbox param. 

The above example retrieves the deleted emails from John’s mailbox for the last 90 days. 

 

Find Deleted Emails by Subject: 

If you want to find an important email in the pool of deleted emails, you can filter the emails by subject (a word or phrase that the subject contains).  

To identify deleted emails by subject, run the script with the –Subject param as follows: 

It lists all the deleted emails that have ‘status’ in their subject. 

 

Audit Email Deletion for a Custom Period: 

By default, the script will generate the audit report for the past 90 days. If you want to generate an email audit report for a specific time range, you can run the script with –StartDate and –EndDate params. 

The above format gets all the emails deleted between July 25, 2021, and Aug 01, 2021. 

 

This example retrieves all the deleted emails from John’s mailbox between July 15, 2021, and July 30, 2021. 

 

Schedule ‘Deleted Emails Audit Report’: 

Since ‘Search-UnifiedAuditLog’ returns only the last 90 days of audit data, you may need older data for analysis.

In that case, scheduling helps you keep the audit log for a longer period. To run this script as a PowerShell scheduled task, you can use the below format in Windows Task Scheduler.

 

Note: You might have read our earlier blog post on “Office 365 keeps audit log for 365 days for all the subscriptions”. But we haven’t retrieved 365 days of audit data in this script. We will update our script once Microsoft announces it officially.

 

Get a Monthly Report on Email Deletion: 

To get a monthly report on deleted emails, run the script as follows: 

You can also use the above format to get a scheduled monthly report. 
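The scheduling and monthly-report steps above can be combined into one task. The block below is an added example, not the blog’s own Task Scheduler format: it registers a Windows scheduled task that runs on the 1st of every month and audits the previous calendar month, so each month is captured before it leaves the 90-day window. It assumes the script is saved at C:\Scripts\AuditDeletedEmails.ps1 (a placeholder path) and accepts the -StartDate, -EndDate, -UserName and -Password parameters listed on this page; the credential file and wrapper script paths are placeholders as well.

```powershell
# Added example (not from the blog): monthly scheduled task for the deletion audit.
$auditScript = 'C:\Scripts\AuditDeletedEmails.ps1'        # placeholder path
$credFile    = 'C:\Scripts\audit-account.xml'             # placeholder path
$wrapper     = 'C:\Scripts\Run-MonthlyDeletionAudit.ps1'  # placeholder path

# One-time: store the service account credential encrypted with DPAPI. Only the same
# Windows user on the same machine can decrypt it, so run this step as the account the
# task will run under. This keeps the password out of the script and the task definition.
if (-not (Test-Path $credFile)) {
    Get-Credential -Message 'Audit service account' | Export-Clixml -Path $credFile
}

# Wrapper the task executes each month. It computes last month's window at run time,
# so the task definition never needs editing. The here-string escapes $ with a backtick
# so these variables are evaluated when the wrapper runs, not when it is written.
@"
`$cred  = Import-Clixml -Path '$credFile'
`$end   = (Get-Date -Day 1).Date     # first day of the current month, 00:00
`$start = `$end.AddMonths(-1)        # first day of the previous month
& '$auditScript' -StartDate `$start -EndDate `$end -UserName `$cred.UserName -Password `$cred.GetNetworkCredential().Password
"@ | Set-Content -Path $wrapper -Encoding UTF8

# Register the task with schtasks.exe: New-ScheduledTaskTrigger has no monthly trigger,
# while schtasks supports /SC MONTHLY /D 1. /RP * prompts for the run-as password so it
# is not left in shell history.
$runAs   = "$env:USERDOMAIN\$env:USERNAME"
$taskCmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$wrapper`""
schtasks.exe /Create /F /TN 'M365 Deleted Email Audit' /SC MONTHLY /D 1 /ST 02:00 `
    /RU $runAs /RP * /TR $taskCmd
```

Running on the 1st with a window of the previous month means the oldest event in any run is at most 31 days old, well inside the 90-day retention, and the monthly CSVs together give you the longer history that a single search cannot. Because the audited script takes the password as a plain parameter, it is briefly visible in the process command line on the scheduler host, so limit who can log on to that machine.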

 

I hope this blog helps you identify who deleted an email from a mailbox. If you find any user’s activity suspicious, you can monitor that user’s activity to protect your organization from malicious intent.