powershell exchange-online

Migrating Search-MailboxAuditLog to Search-UnifiedAuditLog for Shared Mailboxes


With the announcement that Microsoft is deprecating several modules and replacing them with Get-UnifiedAuditLog, I have started migrating our legacy scripts. One script is to see everyone who sent as a shared mailbox for the past month. Here is the legacy code:

$Params = @{
    Identity = $SharedMailbox
    StartDate = (Get-Date ((Get-Date).AddDays(-3)) -Format "MM/dd/yyyy")
    EndDate = (Get-Date -Format "MM/dd/yyyy")
    ShowDetails = $true
    ResultSize = 5000
}
$MailboxAuditLog = Search-MailboxAuditLog @Params | Where-Object Operation -eq 'SendAs' | Select-Object LogonUserDisplayName,ItemSubject,LastAccessed

This has worked great because it allows you to query directly by using the shared mailbox. From what I can see about Search-UnifiedAuditLog, however, you need to query by using the users who sent the message. I was planning on querying the mailbox to get the users with Send As permission, search for their logs, and only return records with the shared mailbox. This, however, seems like jumping through several hoops. For example, it takes the following code just to see a shared mailbox:

$Results = Search-UnifiedAuditLog -StartDate 2/26/2024 -EndDate 3/1/2024 -ResultSize 1 -RecordType ExchangeItem -Operations SendAs
($Results.AuditData | ConvertFrom-Json).SendAsUserSmtp

If possible, I would like to avoid creating such complicated filters by looking for all emails sent by all users with Send As permissions. Unfortunately, from what I can see online, that is all I have found. Does anybody know of a way to query a shared mailbox directly, to see which users sent as that mailbox?


Solution

  • Use Search-UnifiedAuditLog -FreeText attribute

    See the link below.

    Search the audit log to investigate common support issues
    https://learn.microsoft.com/en-us/purview/audit-troubleshooting-scenarios#search-for-mailbox-activities-performed-in-a-specific-mailbox-including-shared-mailboxes
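
One way to apply the -FreeText suggestion to the SendAs report from the question, as an added example that is not code from the original post or from Microsoft. It assumes the shared mailbox's SMTP address appears in the record text that -FreeText matches and that the subject sits under Item.Subject in AuditData; the function names and addresses are hypothetical.

```powershell
# Added example, not from the original post. Run Search-SharedMailboxSendAs inside a
# Connect-ExchangeOnline session; the addresses below are constructed placeholders.
function ConvertFrom-SendAsRecord {
    param(
        [Parameter(ValueFromPipeline)] $Record,
        [Parameter(Mandatory)] [string] $SharedMailbox
    )
    process {
        $d = $Record.AuditData | ConvertFrom-Json
        # -FreeText is a text match, so re-check the exact field before trusting a hit.
        if ($d.Operation -eq 'SendAs' -and $d.SendAsUserSmtp -eq $SharedMailbox) {
            [pscustomobject]@{
                Sender  = $d.UserId
                SentAs  = $d.SendAsUserSmtp
                Subject = $d.Item.Subject      # assumed field layout
                Created = $Record.CreationDate
            }
        }
    }
}

function Search-SharedMailboxSendAs {
    param([Parameter(Mandatory)] [string] $SharedMailbox, [int] $Days = 30)
    $Params = @{
        StartDate      = (Get-Date).AddDays(-$Days)
        EndDate        = Get-Date
        RecordType     = 'ExchangeItem'
        Operations     = 'SendAs'
        FreeText       = $SharedMailbox
        SessionId      = [guid]::NewGuid().ToString()
        SessionCommand = 'ReturnLargeSet'
        ResultSize     = 5000
    }
    do {
        # Same SessionId on each call returns the next page; stop on an empty page.
        $Page = @(Search-UnifiedAuditLog @Params)
        $Page | ConvertFrom-SendAsRecord -SharedMailbox $SharedMailbox
    } while ($Page.Count -gt 0)
}

# Constructed record shaped like Search-UnifiedAuditLog output, for an offline check.
$Sample = [pscustomobject]@{
    CreationDate = [datetime]'2024-02-27T09:15:00Z'
    AuditData    = '{"Operation":"SendAs","UserId":"alice@contoso.example","SendAsUserSmtp":"shared@contoso.example","Item":{"Subject":"Invoice"}}'
}
$Sample | ConvertFrom-SendAsRecord -SharedMailbox 'shared@contoso.example'
```

For the live report, call `Search-SharedMailboxSendAs -SharedMailbox <address>` after connecting; the exact-field check drops records where the address only appears elsewhere in the audit data.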