Enable Mailbox Auditing for Office 365 users
Many organisations have strict compliance rules around who can access which mailboxes. Some companies are even required to regularly audit the times and dates at which someone has read another person's email. In fact, many years ago in one of my roles at a financial organisation, every access to another person's mailbox was logged and had to be justified with a helpdesk ticket number!
Office 365 has the ability to monitor and record this type of access, but it requires you to specifically enable auditing on the mailboxes and it is disabled by default.
Enable Mailbox Auditing for a Single User
There is currently no way to enable mailbox auditing in Office 365 through the Administrative portal so you’ll have to connect to Office 365 using PowerShell.
Once you’re connected, you can enable auditing for a single user by running the following cmdlet:
Set-Mailbox user@domain.com -AuditEnabled $true
Obviously, you can disable auditing like this:
Set-Mailbox user@domain.com -AuditEnabled $false
Enabling Mailbox Auditing for All Users
If you want to enable mailbox auditing for every one of your Office 365 users, you can run this cmdlet. It enables mailbox auditing for all users with a mailbox (but not for shared or resource mailboxes):
Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}
Note: If you add a new mailbox some time after you run this cmdlet, it will receive the default state of having Auditing Disabled.
Find out which Office 365 users have Auditing Enabled or Disabled
We can use the Get-Mailbox cmdlet to create a report of who has Mailbox auditing enabled or not.
Simply run the following cmdlet and you will see the output in table form:
PS C:\Users\burns_000\Desktop> get-mailbox | select UserPrincipalName,auditenabled,AuditDelegate,AuditAdmin

UserPrincipalName             AuditEnabled AuditDelegate                 AuditAdmin
-----------------             ------------ -------------                 ----------
adelle@alantest5.onmicroso...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
adria@alantest5.onmicrosof...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
agustina@alantest5.onmicro...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
ahmad@alantest5.onmicrosof...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
alan@alantest5.onmicrosoft...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
alejandra@alantest5.onmicr...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
alena@alantest5.onmicrosof...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
alida@alantest5.onmicrosof...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
aline@alantest5.onmicrosof...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
alishia@alantest5.onmicros...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
althea@alantest5.onmicroso...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
amberly@alantest5.onmicros...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
america@alantest5.onmicros...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
anamaria@alantest5.onmicro...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
andra@alantest5.onmicrosof...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
aracelis@alantest5.onmicro...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
ardella@alantest5.onmicros...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
ariane@alantest5.onmicroso...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
arla@alantest5.onmicrosoft...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
arnita@alantest5.onmicroso...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
art@alantest5.onmicrosoft.com         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
ben@alantest5.onmicrosoft.com         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
chris@alantest5.onmicrosof...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
cynthia@alantest5.onmicros...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
david@alantest5.onmicrosof...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
DiscoverySearchMailbox{D91...        False {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
melissa@alantest5.onmicros...         True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
You can also filter to view only those who do not have mail auditing enabled:
PS C:\Users\burns_000\Desktop> get-mailbox -filter {AuditEnabled -eq $false} | select UserPrincipalName,auditenabled,AuditDelegate

UserPrincipalName                       AuditEnabled AuditDelegate
-----------------                       ------------ -------------
DiscoverySearchMailbox{D919BA05-46A6...        False {Update, SoftDelete, HardDelete, Sen...
ahmad@alantest5.onmicrosoft.com                False {Update, SoftDelete, HardDelete, Sen...
ben@alantest5.onmicrosoft.com                  False {Update, SoftDelete, HardDelete, Sen...
adelle@alantest5.onmicrosoft.com               False {Update, SoftDelete, HardDelete, Sen...
You can also switch the {AuditEnabled -eq $false} filter section to {AuditEnabled -eq $true} if you want to see a list of all Office 365 users who have Auditing enabled.
What is Audited?
A common misconception is that all mailbox access is logged when you enable mailbox audit logging. This is not the case as you can see by the table below!
| Action | Description | Administrators | Delegates |
|---|---|---|---|
| Update | A message was changed. | Yes | Yes |
| Copy | A message was copied to another folder. | No | No |
| Move | A message was moved to another folder. | Yes | No |
| Move To Deleted Items | A message was moved to the Deleted Items folder. | Yes | No |
| Soft-delete | A message was deleted from the Deleted Items folder. | Yes | Yes |
| Hard-delete | A message is purged from the Recoverable Items folder. For more information, see Recover Deleted Items. | Yes | Yes |
| FolderBind | A mailbox folder was accessed. | Yes | No |
| Send as | A message was sent using SendAs permission. This means another user sent the message as though it came from the mailbox owner. | Yes | Yes |
| Send on behalf of | A message is sent using SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message will indicate to the recipient who the message was sent on behalf of and who actually sent the message. | Yes | No |
| MessageBind | A message is viewed in the preview pane or opened. | No | No |
If you want to audit these additional events, you need to specify them explicitly when you enable auditing. Unfortunately you can't specify all actions for delegates, as you can see from this PowerShell error (MessageBind is not in the supported list for delegates). It does work for Admins, though.
PS C:\Users\burns_000\Desktop> Set-Mailbox ben -AuditEnabled $false -AuditDelegate MessageBind
Invalid audit operation specified. Supported audit operations for Delegate are None, Create, FolderBind, SendAs,
SendOnBehalf, SoftDelete, HardDelete, Update, Move, and MoveToDeletedItems.
+ CategoryInfo : NotSpecified: (Microsoft.Excha...asks.SetMailbox:SetMailbox) [], RecipientTaskException
+ FullyQualifiedErrorId : [Server=DB3PR05MB123,RequestId=00000000-0000-0000-0000-000000000000,TimeStamp=26/06/2013 15:16:42] 7D1AF0B5
+ PSComputerName : pod51049psh.outlook.com
PS C:\Users\burns_000\Desktop> Set-Mailbox ben -AuditEnabled $false -AuditAdmin MessageBind
PS C:\Users\burns_000\Desktop>
Auditing all Mailbox Actions
If you want to audit all actions for all users' mailboxes, you can do the following:
PS C:\Users\burns_000\Desktop> Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update }
PS C:\Users\burns_000\Desktop>
What is the difference between AuditAdmin and AuditDelegate?
These refer to the types of action that are audited when either an Administrator or a Delegate accesses another person's mailbox.
For example, you may not care too much if a CEO's Personal Assistant is reading their boss's email, as that is their job. So you wouldn't want to audit common tasks such as replying to emails on behalf of their boss, as it would fill up the audit log quite quickly. You may, however, be interested to see whether the PA is deleting any messages.
It is a different story if your Exchange administrators are logging in to people's mailboxes and moving messages around: this is something you probably DO want to audit.
You can use the AuditDelegate and AuditAdmin parameters to set these different auditing levels.
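Putting the pieces above together, here is an added example (not from the original post) that reports which user mailboxes have auditing turned off and enables it with the full Admin, Delegate and Owner action sets shown in the previous section. Because a new mailbox starts with auditing disabled, the script is written to be re-run on a schedule; it assumes you are already connected to Exchange Online PowerShell, and the $LogPath default and the -ReportOnly switch are my own choices.

```powershell
# Added example, not code from the original post. Assumes an open Exchange
# Online PowerShell session. Re-run on a schedule so mailboxes created after
# the first pass (which default to AuditEnabled = $false) are picked up.
param(
    [switch]$ReportOnly,                          # list non-compliant mailboxes, change nothing
    [string]$LogPath = "$env:TEMP\MailboxAudit.csv" # hypothetical default path
)

# Action sets taken from the post; the Delegate set omits Copy and MessageBind,
# which Set-Mailbox rejects for delegates.
$adminActions    = 'Copy','Create','FolderBind','HardDelete','MessageBind','Move',
                   'MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update'
$delegateActions = 'Create','FolderBind','HardDelete','Move','MoveToDeletedItems',
                   'SendAs','SendOnBehalf','SoftDelete','Update'
$ownerActions    = 'Create','HardDelete','MailboxLogin','Move','MoveToDeletedItems',
                   'SoftDelete','Update'

# Collect first, then loop: piping Get-Mailbox straight into Set-Mailbox can
# fail with "Pipelines cannot be executed concurrently" in a remote session.
$mailboxes = Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'"

$results = foreach ($mbx in $mailboxes) {
    $wasEnabled = [bool]$mbx.AuditEnabled
    $status = if ($wasEnabled) { 'AlreadyEnabled' } else { 'Disabled' }
    if (-not $wasEnabled -and -not $ReportOnly) {
        try {
            Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
                -AuditAdmin $adminActions -AuditDelegate $delegateActions `
                -AuditOwner $ownerActions -ErrorAction Stop
            $status = 'Enabled'
        } catch {
            $status = "Failed: $($_.Exception.Message)"   # keep going, record the failure
        }
    }
    [pscustomobject]@{
        UserPrincipalName = $mbx.UserPrincipalName
        WasEnabled        = $wasEnabled
        Result            = $status
        Checked           = (Get-Date).ToString('s')
    }
}

# Full record to CSV for the compliance file; only the changes/failures to screen.
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Where-Object { $_.Result -ne 'AlreadyEnabled' } | Format-Table -AutoSize
$notAudited = @($results | Where-Object { -not $_.WasEnabled }).Count
"$($results.Count) user mailboxes checked; $notAudited had auditing disabled."
```

Run it once with -ReportOnly to see what would change, then without it from a scheduled task so the compliance CSV shows when each mailbox was brought into line.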
So there you have it, all you need to know about enabling mailbox access auditing in Office 365. Next time we will be looking at how to view a report of who has accessed another person's mailbox.
12 Comments
-
I’m not a PS expert, but your commands may need small changes as per this article: http://www.mikepfeiffer.net/2010/02/exchange-management-shell-error-pipelines-cannot-be-executed-concurrently/
(I needed to amend them to work)
Nice post BTW 😉
-
Hi, I want to check whether audit is enabled or disabled for a single identity. Can someone please provide me the PS command. Thank you
-
Khizar –>
get-mailbox -Identity aaa@bbb.ccc | fl auditenabled
-
Here is also useful blog about exchange online auditing from Matt Hopton http://howdoicomputer.com/2016/05/exchange-online-and-hybrid-exchange-auditing-configurations/
-
Does enabling Audit on all mailboxes on O365 consume space assigned to the Tenant?
-
Is there a way to modify the default state so when a new user/mailbox is created, the auditenabled setting will be set to $True ?
-
Is there a way to activate the audits by default?
I want every new user to automatically have it enabled.
Can it be done by API or just PS?
-
Sorry, just saw Shawn already asked my question and got an answer.
-
I’ve enabled but the report shows nothing. How long before it works?