Getting Last LoggedOn User Account in Exchange Online Mailbox

 Office 365, Exchange Online, Perumal
Mar 25 2016

The attribute "LastLoggedOnUserAccount" holds the user account that last logged in to the particular mailbox. This parameter is returned for the cmdlet "Get-MailboxStatistics".

But this attribute is deprecated in Exchange Online. You can notice in the below screen-shot that the value is empty for this attribute.

In this article, we shall check how to get the last logged on user account on exchange online mailboxes using Search-MailboxAuditLog" exchange online cmdlet.

Get last logged on user for particular mailbox:
The below script get the get the last logged on user account for the mailbox

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Search-MailboxAuditLog -StartDate ([system.DateTime]::Now.AddDays(-30)) -EndDate ([system.DateTime]::Now.AddDays(+2)) -Operations MailboxLogin,FolderBind -Identity  -ShowDetails -First 1 | select Operation,LogonType,MailboxOwnerUPN,LogonUserDisplayName,LastAccessed

In this script we are,
1. Collect all the particular mailbox audit logs for the events MailboxLogin and FolderBind for past 30 days
2. Already the generated are sorted, we are just picking the latest audit log event, which holds the last logged on user account on that mailbox

The event MailboxLogin is generated when mailbox owner logged into his mailbox. The event FolderBind is generated when non-owner(admin or delegate) accessed the mailbox.

For information on Exchange mailbox auditing and the about generated events refer:

Get last logged on user for all the mailboxes:
The below script get the get the last logged on user account for all the mailboxes in the tenant

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic-
Import-PSSession $Session
$mailboxs = Get-MailBox 
$mailboxs | Foreach-Object{
Search-MailboxAuditLog -StartDate ([system.DateTime]::Now.AddDays(-30)) -EndDate ([system.DateTime]::Now.AddDays(+2)) -Operations MailboxLogin,FolderBind -Identity $mailbox.UserPrincipalName  -ShowDetails|select Operation,LogonType,MailboxOwnerUPN,LogonUserDisplayName,LastAccessed -First 1