Migrating Search-MailboxAuditLog to Search-UnifiedAuditLog for Shared Mailboxes


With the announcement that Microsoft is deprecating several modules and replacing them with Get-UnifiedAuditLog, I have started migrating our legacy scripts. One script is to see everyone who sent as a shared mailbox for the past month. Here is the legacy code:

# $SharedMailbox holds the identity (alias, UPN or SMTP address) of the shared mailbox
$Params = @{
    Identity    = $SharedMailbox
    StartDate   = (Get-Date ((Get-Date).AddDays(-3)) -Format "MM/dd/yyyy")
    EndDate     = (Get-Date -Format "MM/dd/yyyy")
    ShowDetails = $true          # return one entry per event instead of a summary
    ResultSize  = 5000
}
# Query the mailbox's own audit log, keep only SendAs events and project the fields we report on
$MailboxAuditLog = Search-MailboxAuditLog @Params |
    Where-Object Operation -eq 'SendAs' |
    Select-Object LogonUserDisplayName, ItemSubject, LastAccessed

This has worked great because it allows you to query directly by using the shared mailbox. From what I can see about Search-UnifiedAuditLog, however, you need to query by using the users who sent the message. I was planning on querying the mailbox to get the users with Send As permission, search for their logs, and only return records with the shared mailbox. This, however, seems like jumping through several hoops. For example, it takes the following code just to see a shared mailbox:

# Pull a single SendAs record from the unified log and read the sent-as address out of the AuditData JSON
$Results = Search-UnifiedAuditLog -StartDate 2/26/2024 -EndDate 3/1/2024 -ResultSize 1 -RecordType ExchangeItem -Operations SendAs
($Results.AuditData | ConvertFrom-Json).SendAsUserSmtp

If possible, I would like to avoid creating such complicated filters by looking for all emails sent by all users with Send As permissions. Unfortunately, from what I can see online, that is all I have found. Does anybody know of a way to query a shared mailbox directly, to see which users sent as that mailbox?


Blue Tongue (best answer)

Use the Search-UnifiedAuditLog -FreeText attribute.

See the link below.

Search the audit log to investigate common support issues
https://learn.microsoft.com/en-us/purview/audit-troubleshooting-scenarios#search-for-mailbox-activities-performed-in-a-specific-mailbox-including-shared-mailboxes

Andrew Draper

The user Blue Tongue provided the correct answer: the -FreeText parameter. I verified that as the solution, but I will provide my code so somebody in the future can get the help they need.

# $SharedMailbox holds the identity of the shared mailbox; its ExchangeGuid is used as the free-text search term
$Params = @{
    StartDate      = (Get-Date ((Get-Date).AddDays(-30)) -Format "MM/dd/yyyy")
    EndDate        = (Get-Date ((Get-Date).AddDays(1)) -Format "MM/dd/yyyy")
    FreeText       = (Get-Mailbox $SharedMailbox).ExchangeGuid
    RecordType     = 'ExchangeItem'
    SessionCommand = 'ReturnLargeSet'
    ResultSize     = 5000
}
$UnifiedAuditLog = Search-UnifiedAuditLog @Params
# AuditData is a JSON string; parse it and flatten the fields we care about into one object per record
$ObjectData = $UnifiedAuditLog | ForEach-Object {
    $AuditData = $PSItem.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        SenderEmail     = $AuditData.UserId
        Subject         = $AuditData.Item.Subject
        SentDateTimeUTC = $PSItem.CreationDate
        Identity        = $PSItem.Identity   # kept so duplicate records can be collapsed below
    }
}
# Sort on Identity so identical records are adjacent, then drop the duplicates before projecting the report columns
$Output = $ObjectData | Sort-Object Identity | Get-Unique -AsString | Select-Object SenderEmail, Subject, SentDateTimeUTC

I received too much data because it appears that Search-UnifiedAuditLog returns a value for each recipient, while Get-MailboxAuditLog returns one per sent email. To have the data match the previous script, I added the Identity property, sorted it and got the unique values, and returned the output to a new variable. I'm sure it can be improved, but it worked for me so I figured I would share.
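As an added example (not code from either answer above), here is the parse-and-dedupe step from the answer wrapped in a function that also checks the parsed AuditData before trusting a hit: -FreeText matches the GUID anywhere in the record, so the function confirms the operation is SendAs and that the SendAsUserSmtp field (seen in the question's snippet) is the shared mailbox. The function name, the parameter names and the three sample records are constructed for this example; the sample includes one duplicate and one unrelated record so the filter and the dedupe can be seen working without a tenant connection.

```powershell
function Get-SharedMailboxSendAsReport {
    param(
        [Parameter(Mandatory)] [object[]] $AuditRecords,      # output of Search-UnifiedAuditLog
        [Parameter(Mandatory)] [string]   $SharedMailboxSmtp  # primary SMTP address of the shared mailbox
    )
    $AuditRecords | ForEach-Object {
        $data = $PSItem.AuditData | ConvertFrom-Json
        # -FreeText is a substring match over the whole record, so confirm the operation and
        # the sent-as address on the parsed payload rather than relying on the search alone.
        if ($data.Operation -eq 'SendAs' -and $data.SendAsUserSmtp -eq $SharedMailboxSmtp) {
            [pscustomobject]@{
                Identity        = $PSItem.Identity      # repeated when the log holds one record per recipient
                SenderEmail     = $data.UserId
                Subject         = $data.Item.Subject
                SentDateTimeUTC = $PSItem.CreationDate
            }
        }
    } | Sort-Object -Property Identity -Unique |
        Select-Object SenderEmail, Subject, SentDateTimeUTC
}

# Constructed sample records: two copies of one SendAs event (one per recipient) and an
# unrelated Create event that a free-text search on the mailbox GUID could also return.
$sendAsJson = '{"Operation":"SendAs","UserId":"alice@example.com","SendAsUserSmtp":"shared@example.com","Item":{"Subject":"Invoice 42"}}'
$createJson = '{"Operation":"Create","UserId":"bob@example.com","Item":{"Subject":"Draft"}}'
$sample = @(
    [pscustomobject]@{ Identity = 'rec-1'; CreationDate = '2024-03-01T10:00:00Z'; AuditData = $sendAsJson }
    [pscustomobject]@{ Identity = 'rec-1'; CreationDate = '2024-03-01T10:00:00Z'; AuditData = $sendAsJson }
    [pscustomobject]@{ Identity = 'rec-2'; CreationDate = '2024-03-01T11:00:00Z'; AuditData = $createJson }
)

Get-SharedMailboxSendAsReport -AuditRecords $sample -SharedMailboxSmtp 'shared@example.com' | Format-Table
```

Against a live tenant, pass the output of the Search-UnifiedAuditLog call from the answer as -AuditRecords; the SendAsUserSmtp check is what keeps the report to the one mailbox even if the free-text term matches other records.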

cking22001

Slightly off topic, but I am not finding any other good posts on the subject. This definitely got me somewhere, but I just don't see the same events with Search-UnifiedAuditLog versus Search-MailboxAuditLog, and I suspect that MS is asking us to stop using Search-MailboxAuditLog but not fully replacing all functionality.

The first command only returns create and sendas events. The second returns those and softdeletes. (I am actually looking for harddeletes, but regardless.)

The free text is the mailbox GUID.

# $now and $then are the DateTime bounds of the search window; the -FreeText value is the shared mailbox's GUID
Search-UnifiedAuditLog -EndDate $now -StartDate $then -FreeText 494a05a8-aa23-4b07-8244-5f4bf15895cd -ResultSize 5000 -SessionCommand 'ReturnLargeSet' -RecordType exchangeitem | Format-Table Operations

# Same window against the mailbox audit log for the same shared mailbox
Search-MailboxAuditLog -Identity 'same shared mailbox' -ShowDetails -StartDate $then -EndDate $now | Format-Table Operation