Most admins wonder how to find out who deleted an email from a mailbox. If you are one of them, this blog is for you.
How to Determine If a User Deleted Email Items:
Users delete emails either by accident or on purpose. As an admin, you can use the audit log to identify deleted emails in Office 365. Microsoft has turned on mailbox audit logging by default for certain actions since Jan 2019. If your tenant was created before 2019 or you want to audit all the mailbox actions, you must enable mailbox auditing through PowerShell.
To track deleted emails, you need to filter the audit log for the following actions, which are audited by default:
- MoveToDeletedItems – Moved emails to deleted items.
- SoftDelete – Deleted message from deleted items folder.
- HardDelete – Purged messages from Recoverable Items folder.
How to Find Out Who Deleted Email from a Mailbox?
You can use either Audit log search (UI) or PowerShell to see who deleted an email in Outlook.
Audit log search: In the audit log search, you can filter for the above-mentioned ‘message delete events’ to track the deleted emails. Also, you can download the audit log search results to a CSV file. However, you can’t view the required data like email subject, folder, and result status at a glance. Those attributes are formatted as a JSON object, which needs to be parsed for further information.
PowerShell: You can use the Search-UnifiedAuditLog cmdlet to audit email deletion. But retrieving audit logs using PowerShell has more challenges. For example, if you don’t retrieve the audit logs properly, you will end up with data loss and session timeout errors. So, you are required to spend more time optimizing the PowerShell code.
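The JSON parsing described above, as an added example (it is not taken from AuditDeletedEmails.ps1 or from the original post). The function name ConvertFrom-DeletionAuditData is hypothetical, the field names are those of the Exchange mailbox audit record schema, and the sample records are constructed:

```powershell
# Added example. Field names follow the Exchange mailbox audit record schema;
# the sample records at the bottom are constructed for illustration.
$DeleteOperations = 'MoveToDeletedItems', 'SoftDelete', 'HardDelete'
$LogonTypes = @{ 0 = 'Owner'; 1 = 'Admin'; 2 = 'Delegate' }

function ConvertFrom-DeletionAuditData {
    param(
        # Any object with an AuditData JSON string: a Search-UnifiedAuditLog
        # result or a row from Import-Csv of the audit log search export.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record
    )
    process {
        try { $data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning 'Skipping record with unparsable AuditData'; return }
        if ($data.Operation -notin $DeleteOperations) { return }

        # One audit record can cover several messages deleted in one action.
        $items = @($data.AffectedItems | Where-Object { $_ })
        $logon = if ($null -ne $data.LogonType) { $LogonTypes[[int]$data.LogonType] }
        [pscustomobject]@{
            DeletionTime  = [datetime]$data.CreationTime
            Operation     = $data.Operation
            TargetMailbox = $data.MailboxOwnerUPN
            DeletedBy     = $data.UserId
            LogonType     = $logon        # tells owner and delegate apart
            ItemCount     = $items.Count
            Subjects      = ($items.Subject | Where-Object { $_ }) -join '; '
            Folder        = $data.Folder.Path
            ResultStatus  = $data.ResultStatus
        }
    }
}

# Constructed sample input: one delegate deletion and one unrelated event.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2021-07-26T09:14:03",
      "Operation":"SoftDelete","ResultStatus":"Succeeded","LogonType":2,
      "UserId":"delegate@contoso.com","MailboxOwnerUPN":"Marketing@contoso.com",
      "Folder":{"Path":"\\Deleted Items"},
      "AffectedItems":[{"Subject":"Status report"},{"Subject":"Q3 plan"}]}' }
    [pscustomobject]@{ AuditData = '{"Operation":"MailItemsAccessed",
      "UserId":"john@contoso.com","MailboxOwnerUPN":"john@contoso.com"}' }
)
$sample | ConvertFrom-DeletionAuditData | Format-List
```

Only the SoftDelete record produces a row; the LogonType column is what separates an owner's deletion from a delegate's when reviewing a shared mailbox.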
To ease your work, we have created a PowerShell script to investigate email deletion issues more efficiently.
Download Script: AuditDeletedEmails.ps1
Script Highlights:
- The script uses modern authentication to retrieve audit logs.
- The script can be executed with an MFA-enabled account too.
- Exports report results to CSV file.
- Allows you to track all the deleted emails.
- Helps to find out who deleted email from a shared mailbox.
- Allows you to generate an email deletion audit report for a custom period.
- Automatically installs the EXO V2 module (if not installed already) upon your confirmation.
- The script is scheduler-friendly, i.e., the credential can be passed as a parameter instead of being saved inside the script.
Audit Email Deletion Report – Sample Output:
The exported report contains Email Deletion Time, Type of Deletion, Target Mailbox, Deleted By, No. of Emails Deleted, Email Subjects, Folder, Result Status and other Audit Info.
Audit Deleted Emails in Office 365 – Script Execution
To run the script, you can choose any one of the below methods.
Method 1: Execute script with MFA and non-MFA account
.\AuditDeletedEmails.ps1
Method 2: Execute script by explicitly mentioning credential (Scheduler friendly).
.\AuditDeletedEmails.ps1 -UserName admin@contoso.com -Password XXX
If the admin account has MFA, then you need to disable MFA based on the Conditional Access policy to make it work.
More use-cases of ‘Audit Deleted Emails’ PowerShell script:
The script supports the following in-built params to schedule and generate more granular reports.
- Mailbox –> Gets deleted emails from a specific mailbox
- Subject –> Identifies deleted emails by subject
- StartDate and EndDate –> Generates audit report for a custom period
- UserName and Password –> Schedules the PowerShell script without interactive login
By using the above-mentioned params, I have formed a few use-cases of this script below:
- Track all the deleted emails – Who deleted what message and when
- How to find out who deleted emails from a shared mailbox
- Audit deleted emails from a specific mailbox
- Find deleted emails by their subject
- Audit email deletion for custom period
- Schedule ‘Deleted email audit report’
- Get a monthly report on deleted emails
Track All the Deleted Emails – Who Deleted What Message and When:
Users might delete or move critical business emails to deleted items unknowingly. So, admins need to identify the Exchange emails that were deleted or moved to deleted items in their organization.
By default, the script will track all the deleted emails in the last 90 days.
.\AuditDeletedEmails.ps1
The exported audit report provides a clear view of who deleted the email, from which mailbox, what message, and when. By referring to this report, admins can recover the deleted emails based on the requirement.
How to Find Out Who Deleted Emails from a Shared Mailbox:
Since shared mailboxes can be accessed by multiple users (i.e., shared mailbox delegates), it’s necessary to identify the user who has deleted an email from a shared mailbox. To view who has permission on shared mailboxes, you can refer to our blog post on get shared mailbox delegates.
To track who deleted emails from a shared mailbox, run the script with the -Mailbox param.
.\AuditDeletedEmails.ps1 -Mailbox Marketing@contoso.com
The exported report shows the deleted emails in ‘Marketing@contoso.com’ mailbox for the past 90 days.
Audit Who Deleted Emails from a Specific Mailbox:
An organization may have requirements to allow some users to access another user’s mailbox. So, the emails can be deleted by mailbox delegates and owners. You can generate a mailbox permission report to know the mailbox delegates.
To audit email deletion in a specific mailbox, run the script with the -Mailbox param.
.\AuditDeletedEmails.ps1 -Mailbox John@contoso.com
The above example retrieves the deleted emails from John’s mailbox for the last 90 days.
Find Deleted Emails by Subject:
If you want to find an important email in the pool of deleted emails, you can filter the emails by subject (a word or phrase that the subject contains).
To identify deleted emails by subject, run the script with the -Subject param as follows:
.\AuditDeletedEmails.ps1 -Subject "Status"
It will list all the deleted emails that have ‘status’ in their subject.
Audit Email Deletion for a Custom Period:
By default, the script will generate the audit report for the past 90 days. If you want to generate an email audit report for a specific time range, you can run the script with the -StartDate and -EndDate params.
.\AuditDeletedEmails.ps1 -StartDate 7/25/21 -EndDate 8/01/21
The above format gets all the emails deleted between July 25, 2021, and Aug 01, 2021.
.\AuditDeletedEmails.ps1 -StartDate 7/15/21 -EndDate 7/30/21 -Mailbox John@contoso.com
This example retrieves all the deleted emails from John’s mailbox between July 15, 2021, and July 30, 2021.
Schedule ‘Deleted Emails Audit Report’:
Since ‘Search-UnifiedAuditLog’ keeps the audit log for only 90 days, you may require older data for analysis.
In that case, scheduling will help you to keep the audit log for a longer period. To run this script as a PowerShell scheduled task, you can use the below format in the Windows Task Scheduler.
.\AuditDeletedEmails.ps1 -UserName admin@contoso.com -Password XXX
Note: You might have read our earlier blog post on “Office 365 keeps audit log for 365 days for all the subscriptions”. But we haven’t retrieved 365 days of audit data in this script. We will update our script once Microsoft announces it officially.
Get a Monthly Report on Email Deletion:
To get a monthly report on deleted emails, run the script as follows:
.\AuditDeletedEmails.ps1 -StartDate ((Get-Date).AddDays(-30)) -EndDate (Get-Date) -UserName admin@contoso.com -Password XXX
You can also use the above format to get a scheduled monthly report.
Audit Email Deletion in a More Effective Way:
By using PowerShell filters and conditions, admins can customize the script based on their needs. But it requires a lot of time and PowerShell knowledge. With AdminDroid Office 365 auditing tool, you can get the reports in a few mouse clicks. Also, you can slice and dice the data by using contextual filters and graphs.
For example,
- When was the mail deleted? – You can select a specific date or week or a custom period.
- Who deleted emails? – You can filter out emails that are deleted by a specific user or list of users.
- What operation was performed? – You can identify deleted emails based on the deletion methods such as soft delete, hard delete, move to deleted items folder, etc.
- View deleted emails from a specific mailbox – You can find out who deleted an email from a specific mailbox.
The report provides AI-powered graphical analysis to gain insights and better understand the data in a visually appealing manner.
AdminDroid provides 1500+ pre-built reports and 20 smart visually appealing dashboards to know about your Office 365 environment at a glance. This tool provides reports on Office 365 reporting, auditing, analytics, usage statistics, security & compliance, etc.
Additionally, AdminDroid offers 100+ reports and dashboards completely for free. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, and more. The free edition doesn’t have any restrictions in reporting functionalities such as customization, scheduling, and exporting. Download Free Office 365 reporting tool by AdminDroid and see how it helps you.
I hope this blog will help you to identify who deleted an email from a mailbox. If you find any user’s activity suspicious, you can monitor the user’s activity to protect your organization from malicious intent.