🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
Exchange Online

How to Audit Bulk Email Deletions in Microsoft 365

Delegated access to an Exchange mailbox is a double-edged sword. It enhances collaboration but can also leads to accidental or even intentional email deletions. Events like these raise security concerns and emphasize the need to track email actions to find who deleted emails in Outlook. If you're an admin struggling to audit email deletions in Office 365, our guide is a one-stop shop.

Solution 1
Solution 2
Solution 3
Solution 4
Important Tips
Errors and Resolution Steps
FAQs

Using Microsoft 365 Purview Portal

Microsoft 365 Permission Required
Global Admin or any other privileged admin.
  • Login to the Microsoft 365 Purview portal and go to the Audit tab.
  • Select the required date and time range.
  • Choose the following operations in the Activities - operation names field.

    MoveToDeletedItems, SoftDelete, HardDelete

  • Now, run Search.
    search-criteria
  • Once the search is completed, you can see the results of Exchange email deletions. Export the results to get audit email deletions report in your organization.
    purview-solution

Using Windows PowerShell

Microsoft 365 Permission Required
Global Admin or any other privileged admin.
  • Connect to Exchange Online PowerShell.
  • Windows PowerShell Windows PowerShell 
     Connect-ExchangeOnline
  • Run the following command with the appropriate start date and end date to find all emails deleted in Office 365 using PowerShell.
  • Windows PowerShell Windows PowerShell 
     Search-UnifiedAuditLog -StartDate "<MM/DD/YYYY hh:mm tt>" -EndDate "<MM/DD/YYYY hh:mm tt>" -Operations SoftDelete, HardDelete, MoveToDeletedItems |ft
Using Windows PowerShell

Using PowerShell Script

Microsoft 365 Permission Required
Global Admin or any other privileged admin.
  • While the above PowerShell cmdlet gives audit data about emails deleted in Outlook, you can’t quickly obtain the required information such as email subject, folder, and result status.
  • Since this data is formatted as a JSON object, several filters are needed to extract it. So, we developed a PowerShell script to export email deletion audit data.
  • This script helps you to find out who deleted emails from shared mailboxes or a specific mailbox along with information like email subject, email folder with a custom time period.
  • Download and run the following script in the Administrator PowerShell.
Using PowerShell Script
AuditDeletedEmails.ps1
AdminDroid Exchange Online Reporter

Audit email deletions to take control of your security!

The AdminDroid Exchange Online auditing tool offers valuable insights and provides control over Microsoft 365 deleted emails across your environment. This empowers you in any investigations if any suspicious email deletions are found.

Get notified when an email is deleted

Receive immediate alerts when an Exchange email deletion occurs to stay informed, proactive, and safeguard important data.

Monitor EXO inbox rules that auto-delete emails

Frequently audit Exchange Online inbox rules to identify any configurations that automatically delete emails to prevent unintended deletions.

Optimize email deletion audit with advanced filters

Customize the report with rich filters to easily identify and track specific email deletion activities within the required time range.

A complete overview of mailbox retention settings

Regularly track non-owner mailbox access and revoke access for stale or unwanted users based on the insights to prevent any careless email deletions.

Gain granular insights into mailbox permissions

Identify Exchange Online mailbox permission changes to find anonymous access rights and prevent unauthorized email deletions from shared or other users' mailboxes.

Obtain up-to-date info on Exchange Online email deletions

Schedule the email deletions report and get them delivered via emails at predefined intervals for a daily or weekly review for proactive monitoring.

In conclusion, AdminDroid's Exchange Online management simplifies email deletion audits with advanced filters, customization, and graphical visualization. Leveraging AdminDroid’s features, admins can stay proactive and make Microsoft 365 management easier.

Explore a full range of reporting options
Download Live Demo

Important Tips

Ensure that single item recovery is enabled for all the mailboxes to recover any accidentally deleted emails from a designated recovery folder for a specific period.

Configure multi-factor authentication for user accounts to add an extra layer of security and prevent unauthorized access to email accounts even if passwords are compromised.

Implement litigation hold for users suspected of wrongdoing to ensure the preservation and availability of their emails for future investigations even if the user deletes them.

Common Errors and Resolution Steps

Below is a list of possible errors and their corresponding solutions when auditing email deletions in Microsoft 365.

Error The value of properties 'RetainDeletedItemsFor' exceeds the maximum allowed for user 'X' with license 'Y'.

This error occurs when the specified 'RetainDeletedItemsFor' value exceeds the maximum permissible days (30).

Fix Ensure that the entered 'RetainDeletedItemsFor' value does not exceed 30 days. 
Set-Mailbox –Identity <Mailbox UPN> -RetainDeletedItemsFor 30

Error You do not have permission to edit this resource.

This error occurs when attempting to recover deleted items without the mailbox import export permission.

Fix Assign the mailbox import export permission to the admin responsible for exporting the purged emails. Allow approximately 1 hour for the changes to take effect.

Error Microsoft.Exchange.Configuration.Tasks.ThrowTerminatingErrorException|The compliance search object "X" already exists within your organization.

This error arises when using an already used name for a compliance search.

Fix Ensure each compliance search has a unique name to avoid conflicts with existing search objects in the organization.

Error WARNING: The command completed successfully, but no settings for 'X' were modified.

This warning occurs when the single item recovery state remains unchanged after executing the Set-Mailbox cmdlet.

Fix Before modifying the single item recovery state for a mailbox, check its current state using the following cmdlet. 
Get-Mailbox -Identity <Mailbox UPN> | Select SingleItemRecoveryEnabled

Error Looks like you don't have the right permissions to view this page or this feature isn't part of your organization's Microsoft 365 subscription. To get access, contact the person who assigns permissions or makes purchasing decisions. If you're a new user or were recently assigned permissions, try again in 15 minutes.

This error occurs when you haven't been assigned the eDiscovery manager role required to perform content searches.

Fix Ensure you have been assigned the eDiscovery manager role. If you've been recently assigned, wait for 15 minutes and try again.
Exchange Online
Frequently Asked Questions

Find out Who Deleted Emails from Mailboxes in Microsoft 365

What happens when you delete an email message from the Exchange mailbox?
Does the retention policy delete emails in Microsoft 365?
What are the benefits and purposes of auditing bulk email deletions?
How to recover deleted emails from Exchange Online?
How to find out who deleted an email from a shared mailbox in Office 365?

1. What happens when you delete an email message from the Exchange mailbox?

When you delete an email in Exchange Online, the process and consequences are as below.

  • Moves to Deleted Items When an email is simply deleted from a mailbox folder, this will move messages to Deleted Items folder. The email remains there until you either manually delete it or it is automatically removed by retention policies.
  • Soft Deletion If you delete emails from any folder using the combination of Shift + Delete keys, or if you simply delete an email from the Deleted Items folder, it will be moved to the deletions folder in the Recoverable Items.
  • Hard Deletion In the Recoverable Items folder, Exchange Online retains deleted items for 14 days by default. This retention period can be increased to a maximum of 30 days. After this period, the email will be purged and moved to the purges folder, making it invisible to users. Users have the option to recover or purge emails before the configured retention time expires.

To change how long deleted items are kept in Outlook, run the following cmdlet in the Exchange Online PowerShell.

Set-Mailbox -Identity <User’s UPN> -RetainDeletedItemsFor <Days>

You can use AdminDroid’s Mailbox Retention Settings report to determine the deleted item’s retention duration for all the mailboxes in your Microsoft 365 tenant.

  • With this report, you can check the deleted item retention duration, applied retention policies, and other related metrics for all Exchange Online mailboxes.
mailbox-retention-settings-report

Handy Hint: Use the Advanced Customization option to apply filters to the report, sort data, and select specific columns for enhanced visibility. You can also create a custom view and save it for future use.

2. Does the retention policy delete emails in Microsoft 365?

Yes, the retention policies in Exchange Online can automatically delete emails based on the criteria defined in the policy. In essence, retention policies are designed to manage the lifecycle of content in Microsoft 365 by retaining, archiving, or deleting the content after some period.

By default, the policy named Default MRM Policy is applied to all the mailboxes in your Exchange Online environment. But it is not configured to delete any emails from the mailbox. However, custom retention policies created by admins, or the modified default policy can potentially mass delete emails if configured to do so.

Is it possible to audit emails deleted by the retention policy?

Unfortunately, auditing the deletion of emails by retention policies isn't feasible. As it's an automated process, Microsoft bypasses recording these deletions in the purview audit logs.

3. What are the benefits and purposes of auditing bulk email deletions?

Auditing bulk email deletions in Microsoft 365 provides the ability to monitor and track large-scale deletions of emails by users.

  • By monitoring these deletions, organizations can identify unusual patterns or suspicious behaviors that may indicate a security breach or other malicious activities.
  • Auditing bulk email deletion enables timely intervention, reduces the risk of data loss, and strengthens overall email security measures.
  • Since users typically don't mass delete emails except during storage crises, identifying such deletions helps in finding the reasons behind them and providing such users with suitable retention policy.

For monitoring email deletions in Microsoft 365, it's essential to ensure that audit log is enabled for all mailboxes in your Microsoft 365 tenant.

To simplify this process, use AdminDroid's Exchange mailbox audit settings report to verify if the audit log is enabled or bypassed for the mailboxes.

  • Using this collection of reports, you can obtain detailed lists of audit-enabled mailboxes and audit-disabled mailboxes separately.
  • Additionally, AdminDroid provides detailed information to identify auditable admin actions, auditable delegate actions, and auditable mailbox owner actions.
audit-enabled-mailboxes-report

Handy Hint: Use the Email this report now option to send reports directly in your preferred format from your authorized email ID to your chosen recipients.

4. How to recover deleted emails from Exchange Online?

To find and recover deleted emails in Microsoft Outlook, follow the steps.

  • Login to the Outlook web application and go to the Deleted Items folder.
  • Locate the email you wish to restore, right-click on the message, and select the Restore option to restore it.

Note: If you have already deleted the message from this folder or if you have used Shift + Delete for a direct soft delete or if any retention policy has configured soft deletion, the email will be moved to the Recoverable Items.

To restore the soft deleted emails from the Recoverable Items in Outlook, do the following steps.

  • Choose the Recover items deleted from this folder option from the top of the deleted items folder.
  • Find and right-click the particular message, then select the Restore option to restore the message.

Is it possible to recover permanently deleted emails from Outlook?

If the emails are hard deleted (deleted from Recoverable Items in Outlook), they are moved to the Purges folder, which is not visible to users. Admins can recover permanently deleted emails in Outlook 365 if the single item recovery is enabled for that mailbox.

Restore hard deleted emails from the purges folder

As an admin, you possess the capability to recover the hard deleted emails in Office 365 using Exchange admin center.

  • Under the Recipients tab, select the Mailboxes section in the Exchange admin center.
  • From the list of mailboxes, find and click on the mailbox from which you want to recover deleted items.
  • Go to the Others tab and choose the Recover deleted items option.
  • Select the respective mails and click the Recover deleted items button.
recover-deleted-emails

Note: This action requires the admin to have the Mailbox Import Export permission. If you don’t have it, use the Exchange admin center to create role groups with the Mailbox Import Export permission.

Enabling single item recovery in Exchange Online

  • To check whether the single item recovery is enabled or not, use the following command. 
    Get-Mailbox -Identity <Mailbox UPN> | Select SingleItemRecoveryEnabled
  • If the execution retrieves true, then single item recovery is enabled for the specified mailbox; if it retrieves false, single item recovery is disabled.
  • If single item recovery is disabled, you can enable it using the following command to recover any future hard deletions. 
    Set-Mailbox -Identity <Mailbox UPN> -SingleItemRecoveryEnabled $true

5. How to find out who deleted an email from a shared mailbox in Office 365?

Since shared mailboxes are configured for access among multiple users, there's an increased risk of accidental or anonymous email deletions. Therefore, it's crucial to find out who deleted emails from a shared mailbox for efficient workflow management and to potentially retrieve lost emails.

While shared mailboxes pose risks due to their broad accessibility, users with delegated access are also susceptible to such unauthorized email deletion issues. However, the risk is generally lower in user mailboxes with limited delegate permissions.

How to see who deleted an email in Outlook?

The process to track who deleted emails from the shared mailbox or user mailbox remains the same. To track who deleted emails from a specific Exchange Online mailbox, run the AuditDeletedEmails.ps1 script with 'Mailbox' parameter.

.\AuditDeletedEmails.ps1 -Mailbox <Mailbox UPN>

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs
All Guides 99+
Exchange Online
How to Audit Bulk Email Deletions in Microsoft 365
Exchange Online Guides
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo