How to Enable Mailbox Auditing in Office 365

Posted on Posted in Office 365

In this blog we see how to enable auditing in office 365. In order to track the users actions like; reading, moving, and deleting the messages.

By using audit logs we can see who read, deleted, moved or copied a message in Office 365.

We need to enable auditing in office 365, by default auditing is not enabled in office 365. As per requirement, you can either enable auditing in specific of all mailboxes by using PowerShell. So first you have to connect to office 365 using PowerShell, then you can enable or disable auditing. Connect to Exchange Online PowerShell.

 

To Enable Auditing for Single User in Office 365:

Set-Mailbox abc@xyz.com -AuditEnabled $true

To Disable Auditing for Single User in Office 365:

Set-Mailbox abc@xyz.com -AuditEnabled $false

Enable Auditing for all users in Office 365– Run below cmdlet to enable auditing for all office 365 users:

Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

In order to check which user have auditing enabled or disabled:

get-mailbox | select UserPrincipalName,auditenabled,AuditDelegate,AuditAdmin

You will get output in table form. If you would like to see only those have auditing enabled run below cmdlet: 

get-mailbox -filter {AuditEnabled -eq $true} | select UserPrincipalName,auditenabled,AuditDelegate

If you would like to see only those who do not have auditing enabled run below cmdlet: 

get-mailbox -filter {AuditEnabled -eq $false} | select UserPrincipalName,auditenabled,AuditDelegate

You can audit all mailbox action for all users: 

Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update }

Action that can be audited in office 365

The below table lists the actions logged by mailbox audit logging, including the logon types for which the action can be logged.

Action Description Administrator Delegate Owner
Copy An item is copied to another folder. Yes No No
Create An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that message or folder creation isn’t audited. Yes* Yes* Yes
FolderBind A mailbox folder is accessed. Yes* Yes** No
HardDelete An item is deleted permanently from the Recoverable Items folder. Yes* Yes* Yes
MessageBind An item is accessed in the reading pane or opened. Yes No No
Move An item is moved to another folder. Yes* Yes Yes
MoveToDeletedItems An item is moved to the Deleted Items folder. Yes* Yes Yes
SendAs A message is sent using Send As permissions. Yes* Yes* Not applicable
SendOnBehalf A message is sent using Send on Behalf permissions. Yes* Yes Not applicable
SoftDelete An item is deleted from the Deleted Items folder. Yes* Yes* Yes
Update An item’s properties are updated. Yes* Yes* Yes

 

You can set the time period for logs from 90 days as which you want longer or shorter period, set the AuditLogAgeLimit parameter.

Here you will get complete details:

Office 365 security and compliance

Search the audit log in the Office 365 Security & Compliance Center

Enable mailbox auditing in Office 365

By following above steps you can easily enable auditing in office 365 to track who did what and where.

Leave a Reply

Your email address will not be published. Required fields are marked *