Audit Exchange Online mailboxes
In Exchange Online there is mailbox auditing feature what can be used to track non-owner activities. So why you might to want audit mailboxes? One common reason is when you have shared mailboxes there could be situations when someone has deleted mail message and you need to find person who did and ask why he or she deleted message.
Actions what are audited by default:
Who accessed the mailbox and time
The actions performed by the non-owner user
The affected message and its folder location
Whether the action was successful
Audit logs are retained 90 days by default
Enabling single mailbox for auditing in Exchange Online is quite easy:
Connect Exchange online trough PowerShell
Enable mailbox for auditing with following command “Set-Mailbox –Identity alias -AuditEnabled $true”
If you need to enable auditing to all shared mailboxes you can use following PowerShell one liner:
Get-Mailbox -ResultSize unlimited | where {(($_.IsShared -eq $true) -and ($_.Alias -notlike “DiscoverySearchMail box*”))} | Set-Mailbox -AuditEnabled $true
If you need to check which mailboxes are enabled for audition there is simple one liner what you can use:
Get-Mailbox -ResultSize unlimited | where {$_.AuditEnabled -eq $true}
Non-owner mailbox report can run through Exchange Admin Center, These reports can be found in compliance management auditing section