How to Enable Mailbox Auditing in Office 365

 

In this blog we see how to enable auditing in office 365. In order to track the users actions like; reading, moving, and deleting the messages.

By using audit logs we can see who read, deleted, moved or copied a message in Office 365.

We need to enable auditing in office 365, by default auditing is not enabled in office 365. As per requirement, you can either enable auditing in specific of all mailboxes by using PowerShell. So first you have to connect to office 365 using PowerShell, then you can enable or disable auditing. Connect to Exchange Online PowerShell.

 

To Enable Auditing for Single User in Office 365:

Set-Mailbox abc@xyz.com -AuditEnabled $true

To Disable Auditing for Single User in Office 365:

Set-Mailbox abc@xyz.com -AuditEnabled $false

Enable Auditing for all users in Office 365– Run below cmdlet to enable auditing for all office 365 users:

Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

In order to check which user have auditing enabled or disabled:

get-mailbox | select UserPrincipalName,auditenabled,AuditDelegate,AuditAdmin

You will get output in table form. If you would like to see only those have auditing enabled run below cmdlet: 

get-mailbox -filter {AuditEnabled -eq $true} | select UserPrincipalName,auditenabled,AuditDelegate

If you would like to see only those who do not have auditing enabled run below cmdlet: 

get-mailbox -filter {AuditEnabled -eq $false} | select UserPrincipalName,auditenabled,AuditDelegate

You can audit all mailbox action for all users: 

Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update }

Action that can be audited in office 365

The below table lists the actions logged by mailbox audit logging, including the logon types for which the action can be logged.

Action	Description	Administrator	Delegate	Owner
Copy	An item is copied to another folder.	Yes	No	No
Create	An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that message or folder creation isn’t audited.	Yes*	Yes*	Yes
FolderBind	A mailbox folder is accessed.	Yes*	Yes**	No
HardDelete	An item is deleted permanently from the Recoverable Items folder.	Yes*	Yes*	Yes
MessageBind	An item is accessed in the reading pane or opened.	Yes	No	No
Move	An item is moved to another folder.	Yes*	Yes	Yes
MoveToDeletedItems	An item is moved to the Deleted Items folder.	Yes*	Yes	Yes
SendAs	A message is sent using Send As permissions.	Yes*	Yes*	Not applicable
SendOnBehalf	A message is sent using Send on Behalf permissions.	Yes*	Yes	Not applicable
SoftDelete	An item is deleted from the Deleted Items folder.	Yes*	Yes*	Yes
Update	An item’s properties are updated.	Yes*	Yes*	Yes

 

You can set the time period for logs from 90 days as which you want longer or shorter period, set the AuditLogAgeLimit parameter.

Here you will get complete details:

Office 365 security and compliance:
https://technet.microsoft.com/en-us/library/dn532171.aspx

Search the audit log in the Office 365 Security & Compliance Center:
https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&rs=en-US&ad=US

Enable mailbox auditing in Office 365:
https://support.office.com/en-us/article/Enable-mailbox-auditing-in-Office-365-aaca8987-5b62-458b-9882-c28476a66918

By following above steps you can easily enable auditing in office 365 to track who did what and where.