PowerShell: Find Who Moved or Deleted an Email in Microsoft 365

When a user says “an email disappeared,” you need to separate mailbox rules, client behavior, delegate action, retention, and actual deletion.

Quick answer: Collect the message details, search audit records for move and delete operations, compare mailbox rules and delegates, then document a timeline with evidence.

Information to collect first

PowerShell audit starter

Connect-ExchangeOnline

# Look back 14 days from now
$start = (Get-Date).AddDays(-14)
$end = Get-Date

# Move and delete operations on mailbox items; AuditData holds the per-event detail as JSON
Search-UnifiedAuditLog -StartDate $start -EndDate $end `
  -Operations Move,MoveToDeletedItems,SoftDelete,HardDelete `
  -ResultSize 5000 | Select-Object CreationDate,UserIds,Operations,AuditData

Check mailbox rules

Get-InboxRule -Mailbox user@company.com | Format-Table Name,Enabled,Priority,From,SubjectContainsWords,MoveToFolder,DeleteMessage

A rule can move mail before the user sees it. Always check rules before escalating a missing message as suspicious activity.

Check delegates

Get-MailboxPermission user@company.com | Where-Object {$_.User -notlike 'NT AUTHORITY*'}
Get-RecipientPermission user@company.com

Evidence notes

Do not overstate the result. A log showing a user action is strong evidence. A lack of log results is not proof that nothing happened. Audit ingestion delays and retention windows matter.

Ticket wording: “Audit records show the message was moved by [user] at [time]” is better than “user deleted it” unless the operation specifically shows deletion.
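
To fill in the [user] and [time] of that ticket wording, the AuditData JSON returned by the audit starter has to be unpacked. The following is an added example, not code from the original article: it flattens audit records into a per-message timeline. The AuditData field names it reads (AffectedItems, ParentFolder, DestFolder, LogonType, MailboxOwnerUPN, ClientInfoString) are assumed from the Exchange mailbox audit schema, and the sample records and the assistant@company.com account are constructed.

```powershell
# Added example. Sample records are constructed, not real tenant data.
# AuditData field names are assumed from the Exchange mailbox audit schema.
function Get-MessageTimeline {
    param(
        [Parameter(Mandatory)] [object[]] $Records,     # Search-UnifiedAuditLog output
        [Parameter(Mandatory)] [string]   $SubjectLike  # wildcard pattern, e.g. '*invoice*'
    )
    $logonTypes = @{ 0 = 'Owner'; 1 = 'Admin'; 2 = 'Delegate' }
    $rows = foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        # One audit record can cover several messages; emit a row per matching item.
        foreach ($item in @($d.AffectedItems)) {
            if ($item.Subject -notlike $SubjectLike) { continue }
            # Do not default a missing LogonType to 0 (Owner); report it as unmapped.
            $logon = if ($null -ne $d.LogonType) { $logonTypes[[int]$d.LogonType] }
            if (-not $logon) { $logon = "Unmapped ($($d.LogonType))" }
            [pscustomobject]@{
                TimeUtc    = [datetime]$d.CreationTime   # audit CreationTime is UTC
                Operation  = $d.Operation
                Actor      = $d.UserId                   # who performed the action
                Mailbox    = $d.MailboxOwnerUPN          # whose mailbox it happened in
                LogonType  = $logon
                Subject    = $item.Subject
                ItemFolder = $item.ParentFolder.Path
                DestFolder = $d.DestFolder.Path          # empty for delete operations
                Client     = $d.ClientInfoString
            }
        }
    }
    $rows | Sort-Object TimeUtc
}

# Constructed sample: a delegate moves the message, the owner later deletes it,
# and an unrelated message is deleted in between (filtered out by subject).
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-02T11:40:31","Operation":"MoveToDeletedItems","UserId":"user@company.com","MailboxOwnerUPN":"user@company.com","LogonType":0,"ClientInfoString":"Client=OWA","AffectedItems":[{"Subject":"Q2 invoice","ParentFolder":{"Path":"\\Archive"}}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-02T09:14:07","Operation":"Move","UserId":"assistant@company.com","MailboxOwnerUPN":"user@company.com","LogonType":2,"ClientInfoString":"Client=OWA","DestFolder":{"Path":"\\Archive"},"AffectedItems":[{"Subject":"Q2 invoice","ParentFolder":{"Path":"\\Inbox"}}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-02T10:02:55","Operation":"SoftDelete","UserId":"user@company.com","MailboxOwnerUPN":"user@company.com","LogonType":0,"ClientInfoString":"Client=OWA","AffectedItems":[{"Subject":"Lunch","ParentFolder":{"Path":"\\Inbox"}}]}' }
)

Get-MessageTimeline -Records $sample -SubjectLike '*invoice*' | Format-Table -AutoSize
```

To run it on live data, assign the audit starter's output to a variable and pass that as -Records. An Actor that differs from Mailbox with LogonType Delegate points to the delegate check above rather than to the mailbox owner.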

About the author

Jason Purvis works in enterprise monitoring and IT operations, with hands-on experience across ServiceNow ITOM/Event Management, SolarWinds-style infrastructure monitoring, Microsoft 365 operations, alert routing, and incident process improvement.