With the announcement that Microsoft is deprecating several modules and replacing them with Get-UnifiedAuditLog, I have started migrating our legacy scripts. One script is to see everyone who sent as a shared mailbox for the past month. Here is the legacy code:
$Params = @{
    Identity    = $SharedMailbox
    StartDate   = (Get-Date ((Get-Date).AddDays(-3)) -Format "MM/dd/yyyy")
    EndDate     = (Get-Date -Format "MM/dd/yyyy")
    ShowDetails = $true
    ResultSize  = 5000
}
$MailboxAuditLog = Search-MailboxAuditLog @Params |
    Where-Object Operation -eq 'SendAs' |
    Select-Object LogonUserDisplayName,ItemSubject,LastAccessed
This has worked great because it allows you to query directly by using the shared mailbox. From what I can see about Search-UnifiedAuditLog, however, you need to query by using the users who sent the message. I was planning on querying the mailbox to get the users with Send As permission, search for their logs, and only return records with the shared mailbox. This, however, seems like jumping through several hoops. For example, it takes the following code just to see a shared mailbox:
$Results = Search-UnifiedAuditLog -StartDate 2/26/2024 -EndDate 3/1/2024 -ResultSize 1 -RecordType ExchangeItem -Operations SendAs
($Results.AuditData | ConvertFrom-Json).SendAsUserSmtp
If possible, I would like to avoid creating such complicated filters by looking for all emails sent by all users with Send As permissions. From what I can see online, unfortunately, that is all I have found. Does anybody know of a way to query a shared mailbox directly, to see which users sent as that mailbox?
Use Search-UnifiedAuditLog -FreeText attribute
See the link below.
Search the audit log to investigate common support issues
https://learn.microsoft.com/en-us/purview/audit-troubleshooting-scenarios#search-for-mailbox-activities-performed-in-a-specific-mailbox-including-shared-mailboxes
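
The -FreeText approach from the answer above, sketched as an added example that is not part of the original thread or of Microsoft's documentation. The function names are hypothetical, and it assumes a connected Exchange Online session, that the mailbox's ExchangeGuid is used as the free-text term, and that SendAs records carry UserId and Item.Subject alongside the SendAsUserSmtp field shown in the question.

```powershell
# Added example: function names are hypothetical, not part of any Microsoft module.
function Select-SendAsRecord {
    # Keep only SendAs records whose AuditData names the shared mailbox as the sender.
    param(
        [Parameter(ValueFromPipeline)] $Record,
        [Parameter(Mandatory)] [string] $SharedMailboxSmtp
    )
    process {
        $data = $Record.AuditData | ConvertFrom-Json
        # -FreeText is a plain text match, so confirm operation and mailbox explicitly.
        if ($data.Operation -eq 'SendAs' -and $data.SendAsUserSmtp -eq $SharedMailboxSmtp) {
            [pscustomobject]@{
                Sender       = $data.UserId          # assumed field: who performed the send
                SentAs       = $data.SendAsUserSmtp
                Subject      = $data.Item.Subject    # assumed field layout
                CreationTime = $data.CreationTime
            }
        }
    }
}

function Get-SharedMailboxSendAs {
    # Live query: requires Connect-ExchangeOnline and audit log search permissions.
    param([string] $SharedMailbox, [datetime] $StartDate, [datetime] $EndDate)
    $mbx      = Get-Mailbox -Identity $SharedMailbox
    $freeText = "$($mbx.ExchangeGuid)"
    $session  = [guid]::NewGuid().ToString()
    # Page through the result set; an empty page ends the loop.
    $all = do {
        $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
            -RecordType ExchangeItem -Operations SendAs -FreeText $freeText `
            -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
        $page
    } while ($page)
    $all | Select-SendAsRecord -SharedMailboxSmtp $mbx.PrimarySmtpAddress
}

# Constructed sample record (not real tenant data) to exercise the filter offline.
$sample = [pscustomobject]@{
    AuditData = '{"Operation":"SendAs","UserId":"alice@contoso.example",' +
                '"SendAsUserSmtp":"shared@contoso.example",' +
                '"CreationTime":"2024-02-27T10:15:00","Item":{"Subject":"Quarterly update"}}'
}
$sample | Select-SendAsRecord -SharedMailboxSmtp 'shared@contoso.example'
```

With a live session, `Get-SharedMailboxSendAs -SharedMailbox $SharedMailbox -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)` returns one row per message sent as the shared mailbox, without enumerating Send As permission holders first.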