Skip to content

Enable Mailbox Auditing Office 365

How to Enable Mailbox Auditing in Office 365

By Default, mailbox auditing is not enabled in Office 365, mailbox auditing can be turned on for log in to mailbox access by owner, delegates, and administrators. After mailbox auditing is enabled some actions performed by administrators and delegates on a mailbox is audited by default. To log actions performed by mailbox owner, the owner action should be specified for auditing.

Take note of the following:

    • After you enable mailbox audit logging, you can search the Office 365 audit log for mailbox-related activities. For more information, see Search the audit log in the Office 365 Security & Compliance Center.
    • Entries in the mailbox audit log are retained for 90 days, by default.
    • You have to use Remote PowerShell connected to your Exchange Online organization to enable mailbox audit logging. You can’t use the Exchange admin center (EAC).
    • An administrator who has been assigned the Full Access permission to a user’s mailbox is considered a delegate user.

To get started a connection to Exchange Online Remote PowerShell needs to be established. The following script can be used to quickly connect to Exchange Online PowerShell.

TechNet Script: https://gallery.technet.microsoft.com/office/Connect-To-Office-365-9b235018

After a connection to the Exchange Online organization has been established, use the following cmdlet to enable audit logging for a mailbox.
The following example will enable audit logging for an individual mailbox only.

However, for the tenant that I am working on the requirement is to enable audit logging on all mailboxes in the organization. The following script which I will be using comes from the Office 365 team on GitHub and can be downloaded here: https://github.com/OfficeDev/O365-InvestigationTooling/blob/master/EnableMailboxAuditing.ps1

So, what does the script do? The script will get all mailboxes in the tenant (includes Shared, Room and Discovery Mailboxes), then it will enable audit logging across all these mailboxes.

#Enable global audit logging

At the end of the script it will provide an output of all the mailboxes and the audit logging status.

#Double-Check It!


As mentioned earlier, when you enable audit logging on a mailbox, the action performed on the mailbox y the owner is by default not audited. Auditing on the mailbox owner actions need to be specify as well as which actions should be audited. Here is a list of owner actions which can be audited. The script which I ran on all the mailboxes in the tenant has the -AuditOwner parameter already specified, but if there is an addition action which need auditing it can be done using the following cmdlet.

All of the actions that are audited for each type of user aren’t displayed when you run the Get-Mailbox cmdlet. But you can run the following commands to display all the audited actions for a specific user logon type.

The following table will show the available auditing parameters.

 

 

#ThatLazyAdmin

Sharing is caring!

Published inOffice 365

Be First to Comment

Leave a Reply

Your email address will not be published.