Search audit logs for mailbox access.

Hi,

Welcome to Microsoft Q&A community.

Checking Mailbox Access Audit Logs

To check audit logs for mailbox access, you can use both the GUI (Security & Compliance Center) and PowerShell commands. Here’s how you can do it:

Using the GUI (Security & Compliance Center)

Access the Security & Compliance Center:

Go to the Microsoft 365 Security & Compliance Center.

Sign in with your admin credentials.

Navigate to Audit Log Search:

In the left pane, select Audit.

Click on Audit log search.

Search for Mailbox Access:

In the search box, enter the email address [email protected].

Set the date range to cover the period when access was provided.

Under Activities, select Mailbox activities.

Click on Search to view the results.

Review and Export Results:

Review the search results for any mailbox access activities.

You can export the results to a CSV file for further analysis.

Using PowerShell

Connect to Exchange Online:

Connect-ExchangeOnline -UserPrincipalName [email protected]

Search Mailbox Audit Logs:

$StartDate = (Get-Date).AddMonths(-2)
$EndDate = Get-Date
Search-MailboxAuditLog -Identity [email protected] -LogonTypes Admin,Delegate -StartDate $StartDate -EndDate $EndDate -ResultSize 5000 | Export-CSV C:\temp\MailboxAuditLog.csv -NoTypeInformation -Encoding UTF8

Explanation of the PowerShell Command:

Connect-ExchangeOnline: Connects to Exchange Online.

Search-MailboxAuditLog: Searches the mailbox audit logs for the specified mailbox.

-Identity [email protected]: Specifies the mailbox to search.

-LogonTypes Admin,Delegate: Filters the logon types to admin and delegate access.

-StartDate and -EndDate: Defines the date range for the search.

-ResultSize 5000: Limits the number of results to 5000.

Export-CSV: Exports the results to a CSV file.