TenLens
Back to script library
Entra / Microsoft 365 · Compliance & audit

Report restore recoverable items audit

Needs connection to Exchange Online and Azure AD.

Connect & set up

Run these once per session. All scopes are read-only unless the script makes changes.

Connect-ExchangeOnline -ShowBanner:$false

Run it

The main script. Copy it, or download the .ps1 and run it from your console.

param(
    [int] $LookbackDays = 90,
    [string] $StartDate = (Get-Date).AddDays(-$LookbackDays) ; $EndDate = Get-Date,
    [string] $EndDate = (Get-Date)
)
 
$Records = (Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations Restore-RecoverableItems -ResultSize 3000)
If ($Records.Count -eq 0) {
    Write-Host "No audit records for restore deleted items found." }
Else {
    CLS
    $Report = [System.Collections.Generic.List[Object]]::new() # Create output file
    ForEach ($Rec in $Records) {
      $AuditData = ConvertFrom-Json $Rec.Auditdata
      $TimeStamp   = Get-Date($AuditData.CreationTime) -format g
      $TargetMailbox = ($Auditdata.Parameters | ?{$_ -Match "Identity"}).Value
      # Audit record holds Azure AD account identifier (GUID) for target mailbox, so translate it - but sometimes the record holds a mailbox alias.
      If (-not($TargetMailbox -Like "*.*"))   {
          $TargetMailbox = Get-AzureADUser -ObjectId $TargetMailbox | Select -ExpandProperty UserPrincipalName }
      $SourceFolder = ($Auditdata.Parameters | ?{$_ -Match "SourceFolder"}).Value
      If ($SourceFolder -eq $Null) { $SourceFolder = "Recoverable Items" }
      $EntryID = ($Auditdata.Parameters | ?{$_ -Match "EntryID"}).Value
      $SearchStart = ($Auditdata.Parameters | ?{$_ -Match "FilterStartTime"}).Value
      $SearchEnd  = ($Auditdata.Parameters | ?{$_ -Match "FilterEndTime"}).Value
      $ReportLine = [PSCustomObject] @{
           TimeStamp     = $TimeStamp
           User          = $AuditData.UserId
           TargetMailbox = $TargetMailbox
           EntryID       = $EntryID
           SourceFolder  = $SourceFolder
           SearchStart   = $SearchStart
           SearchEnd     = $SearchEnd
            }
      $Report.Add($ReportLine) }
}
 
$SortedDate = @{e={$_.TimeStamp -as [DateTime]}; descending = $True}
$Report = $Report |  Sort EntryId -Unique # Get rid of duplicate records
$Report | Sort $SortedDate | Format-Table TimeStamp, User, TargetMailbox, SourceFolder

Parameters

ParameterDefaultNotes
-LookbackDays90Number of days back to search the unified audit log.
-StartDate(Get-Date).AddDays(-90) ; $EndDate = Get-DateStart of the reporting window.
-EndDate(Get-Date)End of the reporting window.
Attribution
Author
Office365itpros
Related scripts
Entra / Microsoft 365 · Exchange Online

Add contacts to mailboxes

Copies organizational contacts from a SharePoint list into Exchange user mailboxes for newly licensed users, using app-only Microsoft Graph permissions.

Entra / Microsoft 365 · Applications

Add owners to apps

Finds Entra ID app registrations without owners and assigns the last modifier or creator as owner, using unified audit log records to identify who last managed each app.

Entra / Microsoft 365 · Teams

Add Teams to group expiration policy

Adds Microsoft Teams whose backing groups are not yet covered by the Microsoft 365 group expiration policy.