How to Audit Shared Mailbox Activity in Microsoft 365

Shared mailbox investigations fall apart when administrators only check mailbox permissions. Permissions tell you who could act. Audit data tells you who did act, to the extent the action was logged.

Quick answer: Search mailbox audit activity by mailbox, date range, operation, and user. Compare the actors on SendAs, SendOnBehalf, HardDelete, SoftDelete, Move, MoveToDeletedItems, and folder-activity records against the accounts that actually hold Full Access, SendAs, and SendOnBehalf on the mailbox.

Baseline the mailbox

# ExchangeOnlineManagement module; the account needs rights to read recipient permissions and the audit log
Connect-ExchangeOnline

# Full Access and other mailbox rights, minus the inherited system entries
Get-MailboxPermission shared@company.com | Where-Object {$_.User -notlike 'NT AUTHORITY*'}
# SendAs is a recipient-level right and does not appear in Get-MailboxPermission
Get-RecipientPermission shared@company.com
# SendOnBehalf and the audit flags live on the mailbox object itself
Get-Mailbox shared@company.com | Format-List GrantSendOnBehalfTo,AuditEnabled,AuditOwner,AuditDelegate,AuditAdmin
# With default mailbox auditing on, the org-level switch is what actually decides whether records exist
Get-OrganizationConfig | Format-List AuditDisabled

This gives you the access picture. It does not prove which user moved or deleted a specific message.

Audit search approach

Use the Microsoft Purview audit portal when available. For command-line triage, search the unified audit log around the time the action occurred.

# Dates without a time zone are treated as UTC; 5000 is the per-call maximum,
# so larger windows need -SessionId with -SessionCommand ReturnLargeSet to page.
$start = (Get-Date).AddDays(-7)
$end = Get-Date
# There is no mailbox filter on this cmdlet: the mailbox acted on is inside
# AuditData (MailboxOwnerUPN), so filter the results after the call.
Search-UnifiedAuditLog -StartDate $start -EndDate $end `
  -RecordType ExchangeItem `
  -Operations Move,MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf `
  -ResultSize 5000

What to collect for the ticket

How to read results

Field: Meaning

UserIds: The account that performed the action. For a delegate action this is the delegate, not the shared mailbox; the mailbox acted on is MailboxOwnerUPN inside AuditData.
Operations: Move, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, update, or other action type.
AuditData: JSON payload with the mailbox owner, LogonType (0 owner, 1 admin, 2 delegate), folder, affected items, and client details. Expand it with ConvertFrom-Json before reading it.
ClientIPAddress (inside AuditData): Useful for correlation with risky sign-ins and the actor's usual locations, not proof by itself.
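The search and the field reading above, put together as an added example (this is not code from the original article): it builds the permission set for one shared mailbox, pages the ExchangeItem audit records for the window, expands AuditData, and flags every actor that has no standing permission. It assumes an open Connect-ExchangeOnline session; the mailbox address and the window length are placeholders.

```powershell
# Added example, not code from the original article. Assumes an open
# Connect-ExchangeOnline session; mailbox address and window are placeholders.
param(
    [string]$Mailbox = 'shared@company.com',
    [int]$Days = 7
)

# Normalise a trustee (UPN, SID, display name, ADObjectId) to its primary SMTP
# address so it can be compared with the UserId carried in the audit record.
function Resolve-Smtp {
    param([string]$Identity)
    try   { (Get-Recipient -Identity $Identity -ErrorAction Stop).PrimarySmtpAddress.ToString() }
    catch { $Identity }   # orphaned SIDs or external entries stay as-is
}

# 1. Who could act: Full Access, SendAs and SendOnBehalf holders.
$trustees  = @()
$trustees += Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.User -notlike 'NT AUTHORITY*' -and $_.AccessRights -contains 'FullAccess' } |
    ForEach-Object { $_.User.ToString() }
$trustees += Get-RecipientPermission -Identity $Mailbox |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY*' -and $_.AccessRights -contains 'SendAs' } |
    ForEach-Object { $_.Trustee.ToString() }
$trustees += (Get-Mailbox -Identity $Mailbox).GrantSendOnBehalfTo |
    ForEach-Object { $_.ToString() }
$permitted = $trustees | ForEach-Object { Resolve-Smtp $_ } | Sort-Object -Unique

# 2. Pull the records. Search-UnifiedAuditLog has no mailbox filter, so page
#    through the whole window and filter on MailboxOwnerUPN afterwards.
$start     = (Get-Date).AddDays(-$Days)
$end       = Get-Date
$sessionId = "sharedmbx-$([guid]::NewGuid())"
$raw = while ($true) {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType ExchangeItem `
        -Operations Move,MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if (-not $page) { break }
    $page
}

# 3. Expand AuditData. UserId is the actor; MailboxOwnerUPN is the mailbox the
#    action happened in; LogonType is 0 owner, 1 admin, 2 delegate.
$timeline = foreach ($rec in $raw) {
    $d = $rec.AuditData | ConvertFrom-Json
    if ($d.MailboxOwnerUPN -ne $Mailbox) { continue }
    # Move/delete records list AffectedItems; SendAs/SendOnBehalf carry a single Item.
    $items = if ($d.AffectedItems) { $d.AffectedItems } elseif ($d.Item) { @($d.Item) } else { @() }
    [pscustomobject]@{
        TimeUtc    = [datetime]$d.CreationTime
        Actor      = $d.UserId
        LogonType  = $d.LogonType
        Operation  = $d.Operation
        Folder     = $d.Folder.Path
        DestFolder = $d.DestFolder.Path
        Subjects   = ($items | ForEach-Object { $_.Subject }) -join ' | '
        Client     = $d.ClientInfoString
        ClientIP   = $d.ClientIPAddress
        Permitted  = [bool]($d.UserId -in $permitted)
    }
}

# 4. The ordered timeline for the ticket, then the rows that need an explanation:
#    an actor with no standing permission, or an admin logon (eDiscovery,
#    migration tooling, service accounts).
$timeline | Sort-Object TimeUtc |
    Format-Table TimeUtc,Actor,LogonType,Operation,Folder,DestFolder,Subjects,Permitted,ClientIP -AutoSize
$timeline | Where-Object { -not $_.Permitted -or $_.LogonType -eq 1 }
```

Two caveats on the comparison: permissions granted to a security group will not match the member's UPN in UserId, so expand groups (Get-DistributionGroupMember) into the permission set before trusting an "unpermitted" flag, and a permission that was removed after the action will not be in the baseline at all, which is exactly the case where the audit record matters more than the permission list.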

Practical limitation

Audit records are not a perfect forensic system. Retention windows (the default retention is limited unless Audit Premium is licensed), licensing, delayed ingestion (a record can trail the event by hours), client behavior such as Outlook cached mode, and inbox or transport rules all complicate the story. The right output is a timeline with a stated confidence level for each entry, not a guess.

Operator tip: Always check inbox rules, mailbox-level forwarding, and transport rules before blaming a delegate for “missing” mail. A rule moves or drops mail with no per-item delegate record, and a transport rule acts before the message ever reaches the mailbox.
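The rule check from the tip above, as an added example (not code from the original article): it enumerates inbox rules, mailbox-level forwarding, and transport rules that can move or drop a shared mailbox's mail, then pulls the ExchangeAdmin audit records showing who changed them. It assumes an open Connect-ExchangeOnline session; the mailbox address and the window length are placeholders, and the final filter on mailbox name is best-effort because the ObjectId format differs between cmdlets.

```powershell
# Added example, not code from the original article. Assumes an open
# Connect-ExchangeOnline session; mailbox address and window are placeholders.
param(
    [string]$Mailbox = 'shared@company.com',
    [int]$Days = 30
)

# Inbox rules that delete, move, forward or redirect. -IncludeHidden surfaces
# rules created through MAPI/EWS that the Outlook UI does not list; disabled
# rules stay in the output because Enabled can be toggled back at any time.
$ruleHits = Get-InboxRule -Mailbox $Mailbox -IncludeHidden |
    Where-Object { $_.DeleteMessage -or $_.MoveToFolder -or $_.ForwardTo -or
                   $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Select-Object Name, Enabled, Priority, DeleteMessage, MoveToFolder,
                  ForwardTo, ForwardAsAttachmentTo, RedirectTo

# Mailbox-level forwarding is set by an admin with Set-Mailbox, not by a rule.
$forwarding = Get-Mailbox -Identity $Mailbox |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# Transport (mail flow) rules act before delivery, so a message they drop or
# divert never produces a mailbox audit record at all.
$transportHits = Get-TransportRule |
    Where-Object { $_.State -eq 'Enabled' -and
                   ($_.DeleteMessage -or $_.RedirectMessageTo -or $_.BlindCopyTo) } |
    Select-Object Name, Priority, DeleteMessage, RedirectMessageTo, BlindCopyTo

# Who changed any of this. Rule and forwarding changes made through PowerShell
# or OWA are ExchangeAdmin records whose AuditData carries the cmdlet parameters.
# (Rule edits made from the Outlook desktop client log as the ExchangeItem
# operation UpdateInboxRules instead, so check that too when the list is empty.)
$ops = @(
    'New-InboxRule', 'Set-InboxRule', 'Remove-InboxRule', 'Enable-InboxRule', 'Disable-InboxRule',
    'Set-Mailbox', 'New-TransportRule', 'Set-TransportRule', 'Remove-TransportRule'
)
$start   = (Get-Date).AddDays(-$Days)
$changes = Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) `
        -RecordType ExchangeAdmin -Operations $ops -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            TimeUtc    = [datetime]$d.CreationTime
            Actor      = $d.UserId
            Operation  = $d.Operation
            Target     = $d.ObjectId
            Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    } |
    # Best-effort scoping: keep transport rule changes (tenant-wide) and anything
    # that names the mailbox in its target or parameters.
    Where-Object { $_.Operation -like '*TransportRule' -or
                   $_.Target -like "*$Mailbox*" -or $_.Parameters -like "*$Mailbox*" }

$ruleHits
$forwarding
$transportHits
$changes | Sort-Object TimeUtc | Format-Table -AutoSize
```

Read the four outputs together with the item-level timeline: a rule created the day before the "missing" messages, by an account that also holds Full Access, is a very different ticket from a HardDelete by a delegate, and only the ExchangeAdmin record tells you which one you have.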

About the author

Jason Purvis works in enterprise monitoring and IT operations, with hands-on experience across ServiceNow ITOM/Event Management, SolarWinds-style infrastructure monitoring, Microsoft 365 operations, alert routing, and incident process improvement.