Analyzing Exchange Message Delete Events in the Office 365 Audit Log

Discovering Who Deleted What Message and When

Last year, I wrote about how to use events recorded in the Office 365 audit log to find out who deleted a message from an Exchange Online mailbox. Time marches on and we can make some improvements to the script.

This version also uses the techniques explained in Chapter 21 of the Office 365 for IT Pros eBook to fetch audit records with PowerShell and unpack the JSON-format information included in the records to retrieve information of interest. The major changes are:

• Include processing for records deleted by users (the normal case) and administrative tasks. These include messages deleted by compliance search actions and the Search-Mailbox cmdlet.
• Because admin deletions generate a different format of audit record, we need some conditional processing to extract the desired information. Although Office 365 audit records are normalized in terms of the basic fields they contain, dealing with differences in the AuditData content is one of the frustrating parts of dealing with Office 365 audit records.
• One of the steps taken for admin deletions is to retrieve the User Principal Name for the mailbox where a message is deleted. The audit record stores a GUID to point to the mailbox, but that’s not very human-friendly.
• Include the internet message identifier in the output.
• Pipe the report to the Out-GridView cmdlet to view the data after processing the records (Figure 1). You could also pipe the data to the Export-CSV cmdlet to create a CSV file.

# Look for Hard delete and soft delete records
$Records = (Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date).AddDays(1) -Operations "HardDelete", "SoftDelete" -ResultSize 5000)
If ($Records.Count -eq 0) {
    Write-Host "No message delete records found." }
Else {
    Write-Host "Processing" $Records.Count "audit records..."
$Report = @()
ForEach ($Rec in $Records) {
  $AuditData = ConvertFrom-Json $Rec.Auditdata
  If ($AuditData.Folder.Path -ne $Null) { $Folder = $AuditData.Folder.Path.Split("\")[1]} Else {$Folder = "Unknown"}
  If ($AuditData.LogonType -eq 1) { # Admin deleted the message
     $Mbx = Get-Mailbox -Identity $AuditData.MailboxGuid -ErrorAction SilentlyContinue
     $Msg = "No message identifier"
     $Mailbox = $Mbx.UserPrincipalName }
     Else { # User deleted the message
      $Msg =  $AuditData.AffectedItems.InternetMessageId
      $Mailbox = $AuditData.MailboxOwnerUPN } 
  $ReportLine = [PSCustomObject]@{
    TimeStamp = Get-Date($AuditData.CreationTime) -format g
    User      = $AuditData.UserId
    Action    = $AuditData.Operation
    Status    = $AuditData.ResultStatus
    Mailbox   = $Mailbox
    Items     = $AuditData.AffectedItems.Subject
    Folder    = $Folder
    MsgId     = $Msg }
  $Report += $ReportLine
}}
$Report | Out-GridView

Remember that control over the capture of audit records for message deletions depends on the audit configuration applied to Exchange Online mailboxes. If the configuration doesn’t include hard and soft deletions, you won’t see events turn up in the Office 365 audit log. In most cases, the audit configuration only captures message deletions by delegates who access shared mailboxes.

Finding a Copy of a Deleted Message

The reason to include the internet message identifier in the set of properties returned for deleted messages is that you might have a situation where multiple messages have the same subject and you can’t identify who deleted what copy of the message. The problem can be solved if the mailbox where the messages were stored is on hold. Exchange will keep a copy of the deleted message in the Recoverable Items folder. That copy is discoverable, so we can run a content search to find the message and then download it to check its properties, including the internet message identifier. It would be easier if Microsoft included details of the original message sender in the properties captured in the audit record, but that’s unlikely in the near future.