🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.

How to Audit Bulk Email Deletions in Microsoft 365

Delegated access to an Exchange mailbox is a double-edged sword. It enhances collaboration but can also leads to accidental or even intentional email deletions. Events like these raise security concerns and emphasize the need to track email actions to find who deleted emails in Outlook. If you're an admin struggling to audit email deletions in Office 365, our guide is a one-stop shop.

Native Solution

Microsoft 365 Permission Required

High

Global Admin or any other privileged admin.

Option 1 Using Microsoft 365 Purview Portal

  • Login to the Microsoft 365 Purview portal and go to the Audit tab.
  • Select the required date and time range.
  • Choose the following operations in the Activities - operation names field.

    MoveToDeletedItems, SoftDelete, HardDelete

  • Now, run Search.
    search-criteria
  • Once the search is completed, you can see the results of Exchange email deletions. Export the results to get audit email deletions report in your organization.
    purview-solution

Option 2 Using Windows PowerShell

  • Connect to Exchange Online PowerShell.
  • Windows PowerShell Windows PowerShell
     Connect-ExchangeOnline
  • Run the following command with the appropriate start date and end date to find all emails deleted in Office 365 using PowerShell.
  • Windows PowerShell Windows PowerShell
     Search-UnifiedAuditLog -StartDate "<MM/DD/YYYY hh:mm tt>" -EndDate "<MM/DD/YYYY hh:mm tt>" -Operations SoftDelete, HardDelete, MoveToDeletedItems |ft
Using Windows PowerShell

Option 3 Using PowerShell Script

  • While the above PowerShell cmdlet gives audit data about emails deleted in Outlook, you can’t quickly obtain the required information such as email subject, folder, and result status.
  • Since this data is formatted as a JSON object, several filters are needed to extract it. So, we developed a PowerShell script to export email deletion audit data.
  • This script helps you to find out who deleted emails from shared mailboxes or a specific mailbox along with information like email subject, email folder with a custom time period.
  • Download and run the following script in the Administrator PowerShell.
Using PowerShell Script
AdminDroid Solution
More than 150 reports are under the free edition.

AdminDroid Permission Required

Any user with report access assigned by Super Admin

StepsUsing AdminDroid

ad
  • Login to the AdminDroid Office 365 reporter.
  • Navigate to Bulk Message Operations report under Audit»Exchange»Mailbox Operations.
  • Use the easy filter option and set the following conditions in the Performed Operation field to get the Office 365 deleted email report along with bulk email deletions.

    Moved messages to Deleted Items folder, Deleted messages from Deleted Items folder, Purged messages from the mailbox

Using AdminDroid

Gain in-depth details about emails deleted in Outlook, offering insights into the performed operation, performer, timestamp, target mailbox, target folder path, and more.

chart-view
  • Utilize advanced built-in charts to visualize daily or hourly email deletion activity trends in your Microsoft 365 environment.

See who deleted emails in Outlook and stay secure!

Don't overlook suspicious email deletion activities! Ensure robust control over Exchange email deletions using AdminDroid.

Witness the report in action using the

Important Tips

Ensure that single item recovery is enabled for all the mailboxes to recover any accidentally deleted emails from a designated recovery folder for a specific period.

Configure multi-factor authentication for user accounts to add an extra layer of security and prevent unauthorized access to email accounts even if passwords are compromised.

Implement litigation hold for users suspected of wrongdoing to ensure the preservation and availability of their emails for future investigations even if the user deletes them.

Exchange OnlineFind out Who Deleted Emails from Mailboxes in Microsoft 365

Showing 1 of 5

What happens when you delete an email message from the Exchange mailbox?

When you delete an email in Exchange Online, the process and consequences are as below.

  • Moves to Deleted Items When an email is simply deleted from a mailbox folder, this will move messages to Deleted Items folder. The email remains there until you either manually delete it or it is automatically removed by retention policies.
  • Soft Deletion If you delete emails from any folder using the combination of Shift + Delete keys, or if you simply delete an email from the Deleted Items folder, it will be moved to the deletions folder in the Recoverable Items.
  • Hard Deletion In the Recoverable Items folder, Exchange Online retains deleted items for 14 days by default. This retention period can be increased to a maximum of 30 days. After this period, the email will be purged and moved to the purges folder, making it invisible to users. Users have the option to recover or purge emails before the configured retention time expires.

To change how long deleted items are kept in Outlook, run the following cmdlet in the Exchange Online PowerShell.

Set-Mailbox -Identity <User’s UPN> -RetainDeletedItemsFor <Days>

You can use AdminDroid’s Mailbox Retention Settings report to determine the deleted item’s retention duration for all the mailboxes in your Microsoft 365 tenant.

  • With this report, you can check the deleted item retention duration, applied retention policies, and other related metrics for all Exchange Online mailboxes.
mailbox-retention-settings-report

Handy Hint: Use the Advanced Customization option to apply filters to the report, sort data, and select specific columns for enhanced visibility. You can also create a custom view and save it for future use.

Does the retention policy delete emails in Microsoft 365?

Yes, the retention policies in Exchange Online can automatically delete emails based on the criteria defined in the policy. In essence, retention policies are designed to manage the lifecycle of content in Microsoft 365 by retaining, archiving, or deleting the content after some period.

By default, the policy named Default MRM Policy is applied to all the mailboxes in your Exchange Online environment. But it is not configured to delete any emails from the mailbox. However, custom retention policies created by admins, or the modified default policy can potentially mass delete emails if configured to do so.

Is it possible to audit emails deleted by the retention policy?

Unfortunately, auditing the deletion of emails by retention policies isn't feasible. As it's an automated process, Microsoft bypasses recording these deletions in the purview audit logs.

What are the benefits and purposes of auditing bulk email deletions?

Auditing bulk email deletions in Microsoft 365 provides the ability to monitor and track large-scale deletions of emails by users.

  • By monitoring these deletions, organizations can identify unusual patterns or suspicious behaviors that may indicate a security breach or other malicious activities.
  • Auditing bulk email deletion enables timely intervention, reduces the risk of data loss, and strengthens overall email security measures.
  • Since users typically don't mass delete emails except during storage crises, identifying such deletions helps in finding the reasons behind them and providing such users with suitable retention policy.

For monitoring email deletions in Microsoft 365, it's essential to ensure that audit log is enabled for all mailboxes in your Microsoft 365 tenant.

To simplify this process, use AdminDroid's Exchange mailbox audit settings report to verify if the audit log is enabled or bypassed for the mailboxes.

  • Using this collection of reports, you can obtain detailed lists of audit-enabled mailboxes and audit-disabled mailboxes separately.
  • Additionally, AdminDroid provides detailed information to identify auditable admin actions, auditable delegate actions, and auditable mailbox owner actions.
audit-enabled-mailboxes-report

Handy Hint: Use the Email this report now option to send reports directly in your preferred format from your authorized email ID to your chosen recipients.

How to recover deleted emails from Exchange Online?

To find and recover deleted emails in Microsoft Outlook, follow the steps.

  • Login to the Outlook web application and go to the Deleted Items folder.
  • Locate the email you wish to restore, right-click on the message, and select the Restore option to restore it.

Note: If you have already deleted the message from this folder or if you have used Shift + Delete for a direct soft delete or if any retention policy has configured soft deletion, the email will be moved to the Recoverable Items.

To restore the soft deleted emails from the Recoverable Items in Outlook, do the following steps.

  • Choose the Recover items deleted from this folder option from the top of the deleted items folder.
  • Find and right-click the particular message, then select the Restore option to restore the message.

Is it possible to recover permanently deleted emails from Outlook?

If the emails are hard deleted (deleted from Recoverable Items in Outlook), they are moved to the Purges folder, which is not visible to users. Admins can recover permanently deleted emails in Outlook 365 if the single item recovery is enabled for that mailbox.

Restore hard deleted emails from the purges folder

As an admin, you possess the capability to recover the hard deleted emails in Office 365 using Exchange admin center.

  • Under the Recipients tab, select the Mailboxes section in the Exchange admin center.
  • From the list of mailboxes, find and click on the mailbox from which you want to recover deleted items.
  • Go to the Others tab and choose the Recover deleted items option.
  • Select the respective mails and click the Recover deleted items button.
recover-deleted-emails

Note: This action requires the admin to have the Mailbox Import Export permission. If you don’t have it, use the Exchange admin center to create role groups with the Mailbox Import Export permission.

Enabling single item recovery in Exchange Online

  • To check whether the single item recovery is enabled or not, use the following command.
    Get-Mailbox -Identity <Mailbox UPN> | Select SingleItemRecoveryEnabled
  • If the execution retrieves true, then single item recovery is enabled for the specified mailbox; if it retrieves false, single item recovery is disabled.
  • If single item recovery is disabled, you can enable it using the following command to recover any future hard deletions.
    Set-Mailbox -Identity <Mailbox UPN> -SingleItemRecoveryEnabled $true

How to find out who deleted an email from a shared mailbox in Office 365?

Since shared mailboxes are configured for access among multiple users, there's an increased risk of accidental or anonymous email deletions. Therefore, it's crucial to find out who deleted emails from a shared mailbox for efficient workflow management and to potentially retrieve lost emails.

While shared mailboxes pose risks due to their broad accessibility, users with delegated access are also susceptible to such unauthorized email deletion issues. However, the risk is generally lower in user mailboxes with limited delegate permissions.

How to see who deleted an email in Outlook?

The process to track who deleted emails from the shared mailbox or user mailbox remains the same. To track who deleted emails from a specific Exchange Online mailbox, run the AuditDeletedEmails.ps1 script with 'Mailbox' parameter.

.\AuditDeletedEmails.ps1 -Mailbox <Mailbox UPN>

AdminDroid Exchange Online ReporterAudit email deletions to take control of your security!

The AdminDroid Exchange Online auditing tool offers valuable insights and provides control over Microsoft 365 deleted emails across your environment. This empowers you in any investigations if any suspicious email deletions are found.

Explore detailed analytics on email deletions with AdminDroid

Bulk Message Operations report under the Audit»Exchange»Mailbox Operations gives a clear picture of emails deleted in Outlook. It includes metrics such as deletion time, the person who deleted the email, whose email was deleted, the mail's folder path, IP address, and more.

A Quick Summary

Get notified when an email is deleted

Receive immediate alerts when an Exchange email deletion occurs to stay informed, proactive, and safeguard important data.

Monitor EXO inbox rules that auto-delete emails

Frequently audit Exchange Online inbox rules to identify any configurations that automatically delete emails to prevent unintended deletions.

Optimize email deletion audit with advanced filters

Customize the report with rich filters to easily identify and track specific email deletion activities within the required time range.

A complete overview of mailbox retention settings

Regularly track non-owner mailbox access and revoke access for stale or unwanted users based on the insights to prevent any careless email deletions.

Gain granular insights into mailbox permissions

Identify Exchange Online mailbox permission changes to find anonymous access rights and prevent unauthorized email deletions from shared or other users' mailboxes.

Obtain up-to-date info on Exchange Online email deletions

Schedule the email deletions report and get them delivered via emails at predefined intervals for a daily or weekly review for proactive monitoring.

In conclusion, AdminDroid's Exchange Online management simplifies email deletion audits with advanced filters, customization, and graphical visualization. Leveraging AdminDroid’s features, admins can stay proactive and make Microsoft 365 management easier.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Common Errors and Resolution Steps in Auditing Email Deletion in Microsoft 365

Below is a list of possible errors and their corresponding solutions when auditing email deletions in Microsoft 365.

Error: The value of properties 'RetainDeletedItemsFor' exceeds the maximum allowed for user 'X' with license 'Y'.

This error occurs when the specified 'RetainDeletedItemsFor' value exceeds the maximum permissible days (30).

Troubleshooting hint :Ensure that the entered 'RetainDeletedItemsFor' value does not exceed 30 days.

Set-Mailbox –Identity <Mailbox UPN> -RetainDeletedItemsFor 30

Error: You do not have permission to edit this resource.

This error occurs when attempting to recover deleted items without the mailbox import export permission.

Troubleshooting hint :Assign the mailbox import export permission to the admin responsible for exporting the purged emails. Allow approximately 1 hour for the changes to take effect.

Error: Microsoft.Exchange.Configuration.Tasks.ThrowTerminatingErrorException|The compliance search object "X" already exists within your organization.

This error arises when using an already used name for a compliance search.

Troubleshooting hint :Ensure each compliance search has a unique name to avoid conflicts with existing search objects in the organization.

Error: WARNING: The command completed successfully, but no settings for 'X' were modified.

This warning occurs when the single item recovery state remains unchanged after executing the Set-Mailbox cmdlet.

Troubleshooting hint :Before modifying the single item recovery state for a mailbox, check its current state using the following cmdlet.

Get-Mailbox -Identity <Mailbox UPN> | Select SingleItemRecoveryEnabled

Error: Looks like you don't have the right permissions to view this page or this feature isn't part of your organization's Microsoft 365 subscription. To get access, contact the person who assigns permissions or makes purchasing decisions. If you're a new user or were recently assigned permissions, try again in 15 minutes.

This error occurs when you haven't been assigned the eDiscovery manager role required to perform content searches.

Troubleshooting hint :Ensure you have been assigned the eDiscovery manager role. If you've been recently assigned, wait for 15 minutes and try again.