How to Check Who Deleted Emails from Shared Mailbox in Microsoft 365

With multiple users having access to Microsoft 365 shared mailboxes, the risk of important emails disappearing is a real challenge. A single missing email can disrupt client interactions or halt progress in collaborative projects. Therefore, this blog will show you how to monitor shared mailbox email deletion to identify who deleted important emails and when.

When it comes to overseeing shared mailbox activities, it’s important to track email deletions to keep your emails secure. If you’re wondering how to know if someone deleted email in Outlook, you should check the following operations that help you trace shared mailbox email deletions effectively.

• MoveToDeletedItems – Emails moved to deleted items folder in shared mailbox
• SoftDelete – Messages are removed from Deleted Items yet remain recoverable
• HardDelete – Emails are permanently deleted from the Recoverable Items folder

Unfortunately, Microsoft Purview audit search can’t filter these email deletion events separately for shared mailboxes. Instead, you can use Search-UnifiedAuditLog cmdlet from Exchange Online module in PowerShell to audit email deletions. However, this method also lacks a direct way to filter shared mailbox email deletions. Additionally, it requires careful implementation to avoid data loss and session timeout errors.

To simplify this process, we’ve developed a PowerShell script that enhances email deletion auditing in shared mailboxes and helps you manage shared mailboxes effectively.

Download Script: AuditEmailDeletionsInSharedMB.ps1

• The script automatically verifies and installs the Exchange Online PowerShell module (if not installed already) upon your confirmation.
• Allows to track all shared mailbox email deletions.
• Tracks email deletions from a specific shared mailbox.
• Allows you to generate a shared mailbox email deletion audit report for a custom period.
• The script can be executed with MFA enabled account too.
• Exports a specific user’s email deletions activities in shared mailboxes.
• Filters deleted emails from shared mailbox by its subject.
• It exports the report result to CSV format.
• It can be executed with Certificate-based Authentication (CBA) too.
• The script is scheduler friendly.

The exported ‘shared mailbox email deletion’ report looks like the screenshot below.

The exported report contains Activity Time, Target Mailbox, Deleted By, Type of Deletion, No. of Emails Deleted, Email Subjects, Folder, Result Status and other Audit Info.

1. Download the script.
2. Start the Windows PowerShell.
3. Select any of the methods provided to execute the script.

Method 1: Execute the script with MFA or non-MFA account.

This script generates the audit report of all email deletion activities in shared mailboxes across your tenant over the past 180 days.

Method 2: Execute the script by explicitly mentioning credentials.

The above method supports only non-MFA accounts. If the admin account has MFA, you need to disable MFA using CA policy to make this work.

Method 3: Run the script using certificate-based authentication.

To use certificate-based authentication, you must register the app in Entra ID which helps you to connect Exchange Online using certificate. Depending on the requirements, you can use either CA certificates or create self-signed certificates.

You can also schedule this script using Task Scheduler or Azure Automation to periodically export deleted emails from shared mailbox.

This PowerShell script helps to trace deleted emails in shared mailbox by enabling the following operations.

1. Track shared mailbox email deletions for a custom period.
2. Monitor email deletion events from a specific shared mailbox.
3. Find deleted emails by their subject.
4. Audit email deletion activities by a specific user in shared mailboxes.
5. Audit Shared Mailbox Email Deletions More Granularly

While this script has the capability to export data for the past 180 days, you can filter and export results for a specific shorter span. To achieve this, utilize the –StartDate and –EndDate parameters. In case of a security incident, analyzing email deletion activities around the time of the incident can help identify potential issues.

The execution of the above format will export the shared mailbox email deletion audit log for the period from 31st January 2025 to 28th February 2025.

If an email goes missing from a critical shared mailbox and you may suspect it was deleted, either accidentally or intentionally. In such case, it’s essential to narrow down the search for the specific shared mailbox.

To see who deleted the emails from a specific shared mailbox, run the script using the -SharedMBIdentity parameter.

The above format retrieves the deleted emails from the ‘support’ shared mailbox for the last 180 days.

Tip: It’s recommended to view shared mailbox delegates and ensure that only the necessary users have access. Based on this review, you can add or remove delegates as needed to maintain security and control.

Searching through deleted emails becomes more efficient when you filter by subject content. To find deleted conversation threads containing a specific subject, execute the script with -Subject parameter.

The above example will list all the deleted emails, which have ‘confidential’ in their subject. This helps you to quickly restore deleted emails that contain sensitive information before they permanently disappear from the recoverable items folder.

If you want to track a specific delegate’s email deletion activities across shared mailboxes, you can run the script with the -UserId parameter.

The above format exports emails deleted by the user “Amy” from all the shared mailboxes.

The executions provided so far offer valuable insights into shared mailbox email deletions for different scenarios. However, the script’s potential goes further. By merging multiple parameters, you can generate precise and customized reports that meet your specific needs. Here are a few examples of these granular audit reports.

• To monitor email deletions by a specific user in a shared mailbox, use the below execution.
  
  .\AuditEmailDeletionsInSharedMB.ps1 -UserId amy@contoso.com -SharedMBIdentity support@contoso.com

  1	.\AuditEmailDeletionsInSharedMB.ps1 -UserId amy@contoso.com -SharedMBIdentity support@contoso.com

  This format will export the emails deleted by “Amy” in the “support” shared mailbox over the last 180 days.
• To track emails with a specific subject that were deleted from a shared mailbox, run the script as shown below.
  
  .\AuditEmailDeletionsInSharedMB.ps1 -Subject “confidential” -SharedMBIdentity support@contoso.com

  1	.\AuditEmailDeletionsInSharedMB.ps1 -Subject “confidential” -SharedMBIdentity support@contoso.com

  This format retrieves emails with the subject “confidential” that were deleted from the “support” shared mailbox.
• To retrieve the deleted emails from a specific shared mailbox within a custom time range, use the execution provided below.
  
  .\AuditEmailDeletionsInSharedMB.ps1 -SharedMBIdentity support@contoso.com -StartDate 01/31/2025 -EndDate 02/28/2025

  1	.\AuditEmailDeletionsInSharedMB.ps1 -SharedMBIdentity support@contoso.com -StartDate 01/31/2025 -EndDate 02/28/2025

  The above execution will export the emails deleted in the “support” shared mailbox from 31st Jan 2025 to 28th Feb 2025.

Similarly, you can combine multiple parameters to retrieve more granular audit reports.

We hope this blog has provided valuable insights into enhancing your shared mailbox management and protecting critical communications in Exchange Online. By following Exchange Online best practices, you can prevent unnecessary email deletions by enforcing proper mailbox folder permission. If you have any questions, feel free to share them in the comments section. Stay tuned for more updates!