Query on Audit Logs

Roger Roger 5,751

Hi All, i have a shared mailbox lets say smb@mydomain.com in exchange online. i have mailbox rules or outlook rules and one of the outlook rule was modified. i want to check in audit logs who modified the rule. please guide me

1 answer

Jake Zhang-MSFT 5,055 Reputation points Microsoft Vendor

2024-09-17T08:25:13.2133333+00:00
Hi @Roger Roger ,

Welcome to the Microsoft Q&A platform!

According to your description, to check who modified the mailbox rules in the shared mailbox in Exchange Online, you can use the audit log. Here is a step-by-step guide to help you:

By default, mailbox auditing is enabled for all mailboxes. You can verify this by running the following command in Exchange Online PowerShell:

Get-OrganizationConfig | Format-List AuditDisabled

If the value is False, it means that auditing is enabled.

Run an audit log search:

Open the Microsoft 365 Compliance Center.

Navigate to Solutions > Audit > Search.

Use the search parameters to specify the date range and mailbox (for example, smb@mydomain.com).

Find actions related to rule modifications.

You can also use PowerShell to search the audit log. Here is a sample script:

Search-MailboxAuditLog -Mailbox "smb@mydomain.com" -LogonTypes Owner -StartDate "2024-09-01" -EndDate "2024-09-17" -Operations UpdateInboxRule

This command searches for any updates to the Inbox rule within the specified date range.

The results will show who made the change, as well as the date and time of the modification.

Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

Best,

Jake Zhang
Please sign in to rate this answer.
Roger Roger 5,751 Reputation points

2024-09-17T13:55:27.47+00:00

i am getting error when i execute the below syntaxes. i also want to fetch recently created inbox rules/updated rules/deleted rules..

Search-unifiedAuditLogs -Identity smb@mydomain.com -StartDate 08/15/2024 -EndDate 09/15/2024 -Operations UpdateInboxRule,New-InboxRule,Remove-InboxRule -ResultSize 50000 -ShowDetails | Export-Csv c:\temp\output.csv –NoTypeInformation -Encoding UTF8 Search-MailboxAuditLog -Identity smb@mydomain.com -StartDate 08/15/2024 -EndDate 09/15/2024 -Operations UpdateInboxRule,New-InboxRule,Remove-InboxRule -ResultSize 50000 -ShowDetails | Export-Csv c:\temp\output.csv –NoTypeInformation -Encoding UTF8

Jake Zhang-MSFT 5,055 Reputation points Microsoft Vendor

2024-09-18T06:09:51.55+00:00

Hi @Roger Roger ,

Thanks for your response!

Based on your description, you may be experiencing issues with the Search-UnifiedAuditLog and Search-MailboxAuditLog cmdlets. Here are some things to check and try:

Make sure you have the necessary permissions. For Search-UnifiedAuditLog, you need to be assigned the View-Only Audit Log or Audit Log role in Exchange Online.

The Search-UnifiedAuditLog cmdlet may require a SessionCommand parameter to handle large result sets. Try adding -SessionCommand ReturnLargeSet to your command.

If you hit the limit, consider breaking down the query into smaller time ranges. For example, you can run the query daily or hourly within the date range.

Make sure the cmdlet you are using is appropriate for your needs. Search-UnifiedAuditLog is for unified audit logs across multiple services, while Search-MailboxAuditLog is specific to mailbox audit logs. Here is an updated version of the command with the SessionCommand parameter:

Search-UnifiedAuditLog -Identity smb@mydomain.com -StartDate 08/15/2024 -EndDate 09/15/2024 -Operations UpdateInboxRule,New-InboxRule,Remove-InboxRule -ResultSize 50000 -SessionCommand ReturnLargeSet -ShowDetails | Export-Csv c:\temp\output.csv –NoTypeInformation -Encoding UTF8

If you continue to have issues, please provide the specific error message you see so I can troubleshoot further.

Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

Best,

Jake Zhang

Roger Roger 5,751 Reputation points

2024-09-19T05:39:48.1566667+00:00

used the below syntax i am getting blank output, i have modified the rule and tested but output is blank.

Search-UnifiedAuditLog -userids smb@mydomain.com -StartDate 08/15/2024 -EndDate 09/15/2024 -Operations UpdateInboxRule,New-InboxRule,Remove-InboxRule -ResultSize 5000 -SessionCommand ReturnLargeSet | Export-Csv c:\temp\output.csv -NoTypeInformation -Encoding UTF8

Jake Zhang-MSFT 5,055 Reputation points Microsoft Vendor

2024-09-19T09:12:45.78+00:00

Hi @Roger Roger ,

Thanks for your response!

According to your description, you encountered a problem when using the Search-UnifiedAuditLog command.

Here is a slightly modified version of your command, see if that helps:

Search-UnifiedAuditLog -UserIds smb@mydomain.com -StartDate 08/15/2024 -EndDate 09/15/2024 -Operations UpdateInboxRule,New-InboxRule,Remove-InboxRule -ResultSize 5000 | Export-Csv -Path "C:\temp\output.csv" -NoTypeInformation -Encoding UTF8

If the problem persists, you may want to run the command without the Export-Csv portion first to see if that returns any results:

Search-UnifiedAuditLog -UserIds smb@mydomain.com -StartDate 08/15/2024 -EndDate 09/15/2024 -Operations UpdateInboxRule,New-InboxRule,Remove-InboxRule -ResultSize 5000

This will help determine if the problem is with the search or the export process.

Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

Best,

Jake Zhang
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Query on Audit Logs

1 answer

Your answer