🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
Exchange Online

How to Find Out Who Deleted an Email from a Mailbox in Exchange Online

Delegated access to an Exchange mailbox is a double-edged sword. It enhances collaboration but can also leads to accidental or even intentional email deletions. Events like these raise security concerns and emphasize the need to track email actions to find who deleted emails in Outlook. If you're an admin struggling to audit email deletions in Microsoft 365, our guide is a one-stop shop.

Solution 1
Solution 2
Solution 3
Solution 4
Important Tips
Errors and Resolution Steps
FAQs

Track Who Deleted Emails Using Microsoft 365 Purview Portal

Microsoft 365 Permission Required
View-Only Audit Logs role Least Privilege
Global Admin Most Privilege
  • Login to the Microsoft 365 Purview portal and go to the Audit tab.
  • Select the required date and time range.
  • Choose the following operations in the Activities - operation names field.

    MoveToDeletedItems, SoftDelete, HardDelete

  • Now, run Search.
    email-deletion-serach-purview-portal
  • Once the search is completed, you can see the results of Exchange email deletions. Export the results to see who deleted an email in Outlook within your organization.
    emails-deleted-logs-purview-portal

Find Who Deleted Emails from Mailboxes Using PowerShell

Microsoft 365 Permission Required
View-Only Audit Logs role Least Privilege
Global Admin Most Privilege
  • Connect to Exchange Online PowerShell.
  • Windows PowerShell Windows PowerShell 
     Connect-ExchangeOnline
  • Run the following command with the appropriate start date and end date to find all emails deleted in Office 365 using PowerShell.
  • Windows PowerShell Windows PowerShell 
     Search-UnifiedAuditLog -StartDate "<MM/DD/YYYY hh:mm tt>" -EndDate "<MM/DD/YYYY hh:mm tt>" -Operations SoftDelete, HardDelete, MoveToDeletedItems |ft
Find Who Deleted Emails from Mailboxes Using PowerShell

Audit Email Deletions in Exchange Online Using PowerShell Script

Microsoft 365 Permission Required
View-Only Audit Logs role Least Privilege
Global Admin Most Privilege
  • While the above PowerShell cmdlet gives audit data about emails deleted in Outlook, you can’t quickly obtain the required information such as email subject, folder, and result status.
  • Since this data is formatted as a JSON object, several filters are needed to extract it. So, we developed a PowerShell script to export email deletion audit data.
  • This script helps you to find out who deleted emails from shared mailboxes or a specific mailbox along with information like email subject, email folder with a custom time period.
  • Download and run the following script in the Administrator PowerShell.
Audit Email Deletions in Exchange Online Using PowerShell Script
AuditDeletedEmails.ps1
AdminDroid Exchange Online Reporter

Audit Deleted Emails in Microsoft 365 to Take Control of Your Security!

AdminDroid's Exchange Online auditing tool offers valuable insights and provides control over deleted emails in Microsoft 365. This empowers you in any investigations if any suspicious email deletions are found.

Monitor EXO Inbox Rules That Auto-Delete Emails

Frequently audit Exchange Online inbox rules to identify any configurations that automatically delete emails to prevent unintended deletions.

Spot Holdbacks That Prevent Email Deletions

Identify holds on Exchange Online mailboxes to analyze retention behavior and understand why emails weren’t deleted as expected under normal deletion settings.

Optimize Email Deletion Audit With Advanced Filters

Customize the report with rich filters to easily identify and track specific email deletion activities within the required time range.

Monitor Non-Owner Mailbox Access to Prevent Mistakes

Regularly track non-owner mailbox access and revoke access for stale or unwanted users based on the insights to prevent any careless email deletions.

Gain Granular Insights Into Mailbox Permissions

Identify Exchange Online mailbox permission changes to find anonymous access rights and prevent unauthorized email deletions from shared or other users' mailboxes.

Track Recently Deleted Mailboxes in Exchange

Use the recently deleted mailboxes report to find out if missing emails are linked to mailbox deletions and take quick action to recover them.

In conclusion, AdminDroid's Exchange Online management simplifies email deletion audits with advanced filters, customization, and graphical visualization. Leveraging AdminDroid’s features, admins can stay proactive to Track Who Deleted Emails from Mailboxes and make Microsoft 365 management easier.

Explore a full range of reporting options
Download Live Demo

Important Tips

Adopt robust email security best practices to safeguard your Exchange Online inboxes from cyber threats and ensure your user's email communications remain secure.

Configure multi-factor authentication for user accounts to add an extra layer of security and prevent unauthorized access to email accounts even if passwords are compromised.

Apply litigation hold to prevent the permanent deletion of emails and other mailbox items in Exchange. This ensures they are retained for legal and compliance needs for a certain period, even if users delete them.

Common Errors and Resolution Steps

Below is a list of possible errors and their corresponding solutions when auditing email deletions in Microsoft 365.

Error The value of properties 'RetainDeletedItemsFor' exceeds the maximum allowed for user 'X' with license 'Y'.

This error occurs when the specified 'RetainDeletedItemsFor' value exceeds the maximum permissible days (30).

Fix Ensure that the entered 'RetainDeletedItemsFor' value does not exceed 30 days. 
Set-Mailbox –Identity "<MailboxUPN>" -RetainDeletedItemsFor 30

Error You do not have permission to edit this resource.

This error occurs when attempting to recover deleted items without the mailbox import export permission.

Fix Assign the Mailbox Import Export role to the admin responsible for restoring purged emails, and allow approximately 1 hour for the permission changes to take effect. To assign the permission using Exchange Online PowerShell, use the cmdlet below 
New-RoleGroup -Name "Mailbox Import Export Role" -Roles "Mailbox Import Export" -Members "<Admin'sUPN>"

Error Microsoft.Exchange.Configuration.Tasks.ThrowTerminatingErrorException|The compliance search object "X" already exists within your organization.

This error arises when using an already used name for a compliance search.

Fix Ensure each compliance search has a unique name to avoid conflicts with existing search objects in the organization.

Error WARNING: The command completed successfully, but no settings for 'X' were modified.

This warning occurs when the single item recovery state remains unchanged after executing the Set-Mailbox cmdlet.

Fix Before modifying the single item recovery state for a mailbox, check its current state using the following cmdlet. 
Get-Mailbox -Identity "<MailboxUPN>" | Select SingleItemRecoveryEnabled

Error Looks like you don't have the right permissions to view this page or this feature isn't part of your organization's Microsoft 365 subscription. To get access, contact the person who assigns permissions or makes purchasing decisions. If you're a new user or were recently assigned permissions, try again in 15 minutes.

This error occurs when you haven't been assigned the eDiscovery manager role required to perform content searches.

Fix Ensure you have been assigned the eDiscovery manager role. If you've been recently assigned, wait for 15 minutes and try again. 
# To connect to Microsoft Purview (Compliance Center).
Connect-IPPSSession
# To check who is assigned to the eDiscovery Manager role group.
Get-RoleGroupMember -Identity "eDiscoveryManager" -ResultSize Unlimited
# To Add an admin to the eDiscovery Manager role group.
Add-RoleGroupMember -Identity "eDiscoveryManager" -Member "<Admin'sUPN>"
Exchange Online
Frequently Asked Questions

Find out Who Deleted Emails from Mailboxes in Microsoft 365

How to check who deleted emails from a shared mailbox in Microsoft 365?
What are the benefits and purposes of auditing bulk email deletions?
What happens when you delete an email message from the Exchange mailbox?
How to enable single item recovery for mailboxes in Microsoft 365?
How to recover deleted emails from Exchange Online?
Does the retention policy delete emails in Microsoft 365?

1. How to check who deleted emails from a shared mailbox in Microsoft 365?

Since shared mailboxes are configured for access among multiple users, there's an increased risk of accidental or anonymous email deletions. Therefore, it's crucial to find out who deleted emails from a shared mailbox for efficient workflow management and to potentially retrieve lost emails.

While shared mailboxes pose risks due to their broad accessibility, users with delegated access are also susceptible to such unauthorized email deletion issues. However, the risk is generally lower in user mailboxes with limited delegate permissions.

Find who deleted emails from a shared mailbox

Microsoft Purview audit search does not provide a direct way to filter email deletion events specifically for shared mailboxes. Even though you can use the Search-UnifiedAuditLog cmdlet to track deleted emails, it does not offer precise filtering for shared mailbox deletions and may lead to session timeouts or missed data if not used carefully.

As a result, to answer the question 'How to find out who deleted an email from a shared mailbox in Office 365?', we’ve developed a PowerShell script. This makes shared mailbox email deletion tracking easier and more reliable with accurate insights.

AuditEmailDeletionsInSharedMB.ps1
deleted-emails-in-shared-mailbox

2. What are the benefits and purposes of auditing bulk email deletions?

Auditing bulk email deletions in Microsoft 365 provides the ability to monitor and track large-scale deletions of emails by users.

  • By monitoring these deletions, organizations can identify unusual patterns or suspicious behaviors that may indicate a security breach or other malicious activities.
  • Auditing bulk email deletion enables timely intervention, reduces the risk of data loss, and strengthens overall email security measures.
  • Since users typically don't mass delete emails except during storage crises, identifying such deletions helps in finding the reasons behind them and providing such users with suitable retention policy.

For monitoring email deletions in Microsoft 365, it's essential to ensure that audit log is enabled for all mailboxes in your Microsoft 365 tenant.

To simplify this process, use AdminDroid's Exchange mailbox audit settings reports to verify if the audit log is enabled or disabled for the mailboxes.

  • Using this collection of reports, you can obtain detailed lists of audit-enabled mailboxes and audit-disabled mailboxes separately.
  • Additionally, AdminDroid provides detailed information to identify auditable admin actions, auditable delegate actions, and auditable mailbox owner actions.
audit-enabled-mailboxes-report

Handy Hint: Use the Email this report now option to send reports directly in your preferred format from your authorized email ID to your chosen recipients.

3. What happens when you delete an email message from the Exchange mailbox?

When you delete an email in Exchange Online, it goes through a retention process. This helps you understand how long Office 365 keeps deleted emails.

  • Moves to Deleted Items When an email is simply deleted from a mailbox folder, this will move messages to Deleted Items folder. The email remains there until you either manually delete it or it is automatically removed by retention policies.
  • Soft Deletion If you delete an email using Shift + Delete or remove it from the Deleted Items folder, it is moved to the Deletions subfolder under Recoverable Items (shown as Recoverable Items in the UI). Emails in this subfolder are retained in Exchange Online for 14 days by default (extendable to 30 days). During this period, users can recover or purge the emails before the retention time expires.
  • Hard Deletion Once the deleted item retention period configured for the mailbox expires, the email is purged and moved to the Purges subfolder within Recoverable Items, making it invisible to users. These emails can only be recovered by admins, and the recovery depends on other retention settings and configurations in place.

To change how long deleted items are kept in Outlook (Deletions subfolder), run the following cmdlet in the Exchange Online PowerShell.

Set-Mailbox -Identity "<User’sUPN>" -RetainDeletedItemsFor "<Days>"

Effortlessly track how long deleted items are kept in the Recoverable Items folder in Outlook for all mailboxes using AdminDroid!

  • The Mailbox Retention Settings report helps you determine the deleted item retention duration for all mailboxes in your Microsoft 365 tenant with intuitive charts.
  • In addition to deleted item retention period, the report provides insights into the applied retention policy, database retention default state, mailbox recipient type, and more
mailbox-retention-settings-report

Handy Hint: Use the Advanced Customization option to apply filters to the report, sort data, and select specific columns for enhanced visibility. You can also create a custom view and save it for future use.

4. How to enable single item recovery for mailboxes in Microsoft 365?

Single Item Recovery is essential for protecting your organization from data loss due to accidental or malicious deletions. When enabled, it ensures that even emails deleted form Recoverable Items\Deletions (shown as Recoverable Items in the Outlook UI) can still be recovered by admins. If this feature is not enabled, emails that reach the hard deletion stage become unrecoverable, even by admins.

By default, single item recovery is enabled for all Exchange Online mailboxes. If it's disabled, you can enable it using PowerShell as the Exchange admin center does not provide an option for this configuration.

Enable single item recovery in Exchange Online

  • To check whether the single item recovery is enabled or not, use the following command. 
    Get-Mailbox -Identity "<MailboxUPN>" | Select SingleItemRecoveryEnabled
    If the execution retrieves true, then single item recovery is enabled for the specified mailbox. If it retrieves false, single item recovery is disabled.
  • If single item recovery is disabled, you can enable it using the following command to recover any future hard deletions. 
    Set-Mailbox -Identity "<MailboxUPN>" -SingleItemRecoveryEnabled $true
  • If you want to ensure all users are protected against accidental or malicious email deletions, you can enable single item recovery in bulk using the following cmdlet. 
    Get-Mailbox -ResultSize Unlimited | Set-Mailbox -SingleItemRecoveryEnabled $true

5. How to recover deleted emails from Exchange Online?

To find and recover deleted emails in Microsoft 365, follow the steps.

  • Login to the Outlook web application and go to the Deleted Items folder.
  • Locate the email you wish to restore, right-click on the message, and select the Restore option to restore it.

If you have already deleted the message from this folder or if you have used Shift + Delete for a direct soft delete or if any retention policy has configured soft deletion, the email will be moved to the Recoverable Items. To restore the soft deleted emails from the Recoverable Items in Outlook, do the following steps.

  • Choose the Recover items deleted from this folder option from the top of the Deleted Items folder.
  • Find and right-click the particular message, then select the Restore option to restore the message.

Still no luck finding it? That likely means the email has entered the hard deleted state. This happens when the email is either permanently deleted by the user or automatically removed from the Recoverable Items\Deletions folder due to retention settings. At this stage, you might be asking: ‘Is it possible to recover permanently deleted emails from Outlook?’.

The good news is yes, recovery is still possible. When emails are hard deleted, they are moved to the Purges folder, which is not visible to users. Admins can recover permanently deleted emails if the single item recovery was enabled for the mailbox at the time the email was hard deleted.

Restore hard deleted emails from the purges folder

As an admin, you possess the capability to recover the hard deleted emails in Office 365 using Exchange admin center.

  • Under the Recipients tab, select the Mailboxes section in the Exchange admin center.
  • From the list of mailboxes, find and click on the mailbox from which you want to recover deleted items.
  • Go to the Others tab and choose the Recover deleted items option.
  • Select the respective mails and click the Recover deleted items button.
recover-deleted-emails

Note: This action requires the admin to have the Mailbox Import Export permission. If you don’t have it, use the Exchange admin center to create role groups with the Mailbox Import Export permission.

6. Does the retention policy delete emails in Microsoft 365?

Yes, the retention policies in Exchange Online can automatically delete emails based on the criteria defined in the policy. In essence, retention policies are designed to manage the lifecycle of content in Microsoft 365 by retaining, archiving, or deleting the content after some period.

By default, the policy named Default MRM Policy is applied to all the mailboxes in your Exchange Online environment. But it is not configured to delete any emails from the mailbox. However, custom retention policies created by admins, or the modified default policy can potentially mass delete emails if configured to do so.

Is it possible to audit emails deleted by the retention policy?

Unfortunately, auditing the deletion of emails by retention policies isn't feasible. As it's an automated process, Microsoft bypasses recording these deletions in the purview audit logs.

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs
All Guides 99+
Exchange Online
How to Find Out Who Deleted an Email from a Mailbox in Exchange Online
Exchange Online Guides 41 Guides
1Export Mailbox Size Quota in Exchange2Check Non-owner Mailbox Access in Microsoft 3653Get Microsoft 365 Mail Traffic Statistics by User4Check if Forwarding Rules are Active in Microsoft 3655Get Shared Mailbox Permissions in Exchange Online6Get a List of Inactive Mailboxes in Exchange Online7Check External Auto Forwarding in Microsoft 3658Export List of Mailboxes in Exchange Online9Export Exchange Online Mailbox Permissions10Find Unused Distribution Lists in Microsoft 36511Get a List of Shared Mailboxes in Exchange Online12Audit Mailbox Permission Changes in Microsoft 36513Get Shared Mailbox Size Report in Microsoft 36514Get Send on Behalf Permissions in EXO15Check Who Deleted an Email in Microsoft 36516Monitor Mailbox Folder Permission Changes in Exchange Online17Monitor Spam Detection Reports in M36518Identify Phishing Attacks in Microsoft 36519View All Inbox Rules in Microsoft 36520Get Email App Usage Report in Microsoft 36521Export Distribution Groups in Microsoft 36522Identify Holds Applied on EXO Mailboxes23Audit Transport Rule Changes in EXO24Get Mailbox Auto Reply Configurations in M36525Audit Quarantined Messages in Exchange Online26Monitor the Dynamic Distribution Groups in Exchange Online27Track Undelivered Emails in Microsoft 36528List All Email Addresses and Aliases in M36529Get Accepted Domains in Exchange Online30Audit Outbound External Emails in Microsoft 36531Export Microsoft 365 Malware Emails Report32Get ActiveSync Enabled Mailboxes in Exchange33Get DLP Email Matches in Exchange Online34Track Licensed Shared Mailboxes in Microsoft 36535Check Mailbox Retention Policy in M36536Track Guest Access to User Mailboxes in Microsoft 36537Identify Non-Compliant Shared Mailboxes in M36538List Archive Enabled Mailboxes in M36539Monitor Microsoft 365 Defender Configuration Changes40Track Mailbox Audit Bypass Configuration Changes in EXO41Check Mailboxes That Exceed Warning Quota in Exchange Online
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo