How to Enable Mailbox Auditing in Office 365
By default, all non-owner access and administrative actions are recorded, but owner actions are not. Enabling mailbox auditing will include owner activity in the audit records, which will in turn enable you to investigate and scope a compromise of that user’s account.
To enable auditing, Microsoft provides the following script for Office 365, which can be downloaded from GitHub.
```powershell
#This script will enable non-owner mailbox access auditing on every mailbox in your tenancy

#First, let's get us a cred!
#$userCredential = Get-Credential

#This gets us connected to an Exchange remote powershell service
#$ExoSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $userCredential -Authentication Basic -AllowRedirection
#Import-PSSession $ExoSession

#Enable global audit logging
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox" -or RecipientTypeDetails -eq "SharedMailbox" -or RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "DiscoveryMailbox"} | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180 -AuditAdmin Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, Create, UpdateFolderPermissions -AuditDelegate Update, SoftDelete, HardDelete, SendAs, Create, UpdateFolderPermissions, MoveToDeletedItems, SendOnBehalf -AuditOwner UpdateFolderPermissions, MailboxLogin, Create, SoftDelete, HardDelete, Update, MoveToDeletedItems

#Double-Check It!
Get-Mailbox -ResultSize Unlimited | Select Name, AuditEnabled, AuditLogAgeLimit | Out-Gridview
```
After the script has been run, the output lists each mailbox's Name, AuditEnabled and AuditLogAgeLimit values in a grid view.
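A scripted alternative to reading the grid view by eye, added here as an example and not part of Microsoft's script: it reports only the mailboxes that deviate from the settings applied above, including the owner actions that the grid view does not show. The function name `Test-MailboxAuditConfig` is hypothetical and the sample mailbox objects are constructed so the block runs without a tenant connection.

```powershell
# Owner actions from the script's -AuditOwner list; UpdateFolderPermissions is
# the documented spelling of that value.
$ExpectedOwner = 'UpdateFolderPermissions', 'MailboxLogin', 'Create', 'SoftDelete',
                 'HardDelete', 'Update', 'MoveToDeletedItems'

function Test-MailboxAuditConfig {
    # Hypothetical helper: emits one finding per mailbox that deviates from the baseline.
    param(
        [Parameter(ValueFromPipeline)] $Mailbox,
        [string[]] $RequiredOwnerActions = $ExpectedOwner,
        [int] $MinimumAgeDays = 180
    )
    process {
        $problems = @()
        if (-not $Mailbox.AuditEnabled) { $problems += 'AuditEnabled is False' }

        # Remote sessions return AuditLogAgeLimit as text such as "180.00:00:00".
        $age = [TimeSpan]::Parse([string]$Mailbox.AuditLogAgeLimit)
        if ($age.TotalDays -lt $MinimumAgeDays) {
            $problems += "AuditLogAgeLimit is $($age.Days) days"
        }

        # Comparison is case-insensitive; an empty AuditOwner list misses everything.
        $missing = @($RequiredOwnerActions | Where-Object { $_ -notin @($Mailbox.AuditOwner) })
        if ($missing) { $problems += "AuditOwner missing: $($missing -join ', ')" }

        if ($problems) {
            [pscustomobject]@{ Name = $Mailbox.Name; Problems = $problems -join '; ' }
        }
    }
}

# Constructed sample objects shaped like Get-Mailbox output (not real tenant data).
$sample = @(
    [pscustomobject]@{ Name = 'alice'; AuditEnabled = $true;  AuditLogAgeLimit = '180.00:00:00'; AuditOwner = $ExpectedOwner }
    [pscustomobject]@{ Name = 'bob';   AuditEnabled = $false; AuditLogAgeLimit = '90.00:00:00';  AuditOwner = @() }
    [pscustomobject]@{ Name = 'carol'; AuditEnabled = $true;  AuditLogAgeLimit = '180.00:00:00'; AuditOwner = 'Update', 'Create' }
)
$sample | Test-MailboxAuditConfig | Format-Table -AutoSize -Wrap

# Against a live session: Get-Mailbox -ResultSize Unlimited | Test-MailboxAuditConfig
```

With the sample data, alice produces no row, while bob and carol are listed with the settings that still need to be corrected.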