Audit Exchange Online mailboxes

In Exchange Online there is mailbox auditing feature what can be used to track non-owner activities. So why you might to want audit mailboxes? One common reason is when you have shared mailboxes there could be situations when someone has deleted mail message and you need to find person who did and ask why he or she deleted message.

Actions what are audited by default:

  • Who accessed the mailbox and time

  • The actions performed by the non-owner user

  • The affected message and its folder location

  • Whether the action was successful

Audit logs are retained 90 days by default

Enabling single mailbox for auditing in Exchange Online is quite easy:

  1. Connect Exchange online trough PowerShell

  2. Enable mailbox for auditing with following command “Set-Mailbox –Identity alias -AuditEnabled $true”

If you need to enable auditing to all shared mailboxes you can use following PowerShell one liner:

Get-Mailbox -ResultSize unlimited | where {(($_.IsShared -eq $true) -and ($_.Alias -notlike “DiscoverySearchMail box*”))} | Set-Mailbox -AuditEnabled $true

ps_exo_mailbox_audit.png

If you need to check which mailboxes are enabled for audition there is simple one liner what you can use: 

Get-Mailbox -ResultSize unlimited | where {$_.AuditEnabled -eq $true}

ps_exo_mailbox_audit_2.png

Non-owner mailbox report can run through Exchange Admin Center, These reports can be found in compliance management auditing section

exo_mailbox_audit_search_gui.png
Exchange OnlineJarmo HaaranenExchange Online, Audit, PowerShell