In this blog we see how to enable auditing in Office 365 in order to track user actions such as reading, moving, and deleting messages.
By using audit logs we can see who read, deleted, moved or copied a message in Office 365.
Auditing is not enabled by default in Office 365, so we need to enable it. Depending on your requirements, you can enable auditing for specific mailboxes or for all mailboxes by using PowerShell. First connect to Office 365 using Exchange Online PowerShell; then you can enable or disable auditing.
To Enable Auditing for Single User in Office 365:
Set-Mailbox abc@xyz.com -AuditEnabled $true
To Disable Auditing for Single User in Office 365:
Set-Mailbox abc@xyz.com -AuditEnabled $false
To Enable Auditing for All Users in Office 365 (-ResultSize Unlimited makes sure mailboxes beyond the default limit of 1000 results are included):
Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach-Object {Set-Mailbox $_.Identity -AuditEnabled $true}
To check which users have auditing enabled or disabled:
Get-Mailbox -ResultSize Unlimited | Select-Object UserPrincipalName,AuditEnabled,AuditDelegate,AuditAdmin
You will get the output in table form. If you would like to see only those who have auditing enabled, run the cmdlet below:
Get-Mailbox -ResultSize Unlimited -Filter {AuditEnabled -eq $true} | Select-Object UserPrincipalName,AuditEnabled,AuditDelegate
If you would like to see only those who do not have auditing enabled, run the cmdlet below:
Get-Mailbox -ResultSize Unlimited -Filter {AuditEnabled -eq $false} | Select-Object UserPrincipalName,AuditEnabled,AuditDelegate
You can audit all mailbox actions for all users:
Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach-Object {Set-Mailbox $_.Identity -AuditEnabled $true -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update }
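The checks earlier only show whether AuditEnabled is set, not which actions are logged. The following added example (not part of the original post) compares each mailbox's AuditAdmin, AuditDelegate and AuditOwner lists against the action lists used in the command above and reports what is missing. The function name Get-MailboxAuditGap and the sample mailboxes are constructed for illustration.

```powershell
# Baseline: the action lists from the Set-Mailbox command above.
$Baseline = @{
    AuditAdmin    = 'Copy','Create','FolderBind','HardDelete','MessageBind','Move',
                    'MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update'
    AuditDelegate = 'Create','FolderBind','HardDelete','Move','MoveToDeletedItems',
                    'SendAs','SendOnBehalf','SoftDelete','Update'
    AuditOwner    = 'Create','HardDelete','MailboxLogin','Move','MoveToDeletedItems',
                    'SoftDelete','Update'
}

# Hypothetical helper: emits one row per mailbox that deviates from the baseline.
function Get-MailboxAuditGap {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [hashtable] $Expected = $Baseline
    )
    process {
        $missing = foreach ($logonType in 'AuditAdmin','AuditDelegate','AuditOwner') {
            # Get-Mailbox returns these as collections; normalise to strings.
            $have = @($Mailbox.$logonType | ForEach-Object { "$_" })
            foreach ($action in $Expected[$logonType]) {
                if ($action -notin $have) { "${logonType}:$action" }
            }
        }
        if (-not $Mailbox.AuditEnabled -or $missing) {
            [pscustomobject]@{
                UserPrincipalName = $Mailbox.UserPrincipalName
                AuditEnabled      = [bool]$Mailbox.AuditEnabled
                Missing           = @($missing) -join ', '
            }
        }
    }
}

# Constructed sample mailboxes so the check runs without a tenant connection.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'full@example.test'; AuditEnabled = $true
        AuditAdmin = $Baseline.AuditAdmin; AuditDelegate = $Baseline.AuditDelegate
        AuditOwner = $Baseline.AuditOwner }
    [pscustomobject]@{ UserPrincipalName = 'partial@example.test'; AuditEnabled = $true
        AuditAdmin = 'Update','Move'; AuditDelegate = 'Update'; AuditOwner = @() }
    [pscustomobject]@{ UserPrincipalName = 'off@example.test'; AuditEnabled = $false
        AuditAdmin = $Baseline.AuditAdmin; AuditDelegate = $Baseline.AuditDelegate
        AuditOwner = $Baseline.AuditOwner }
)
$sample | Get-MailboxAuditGap | Format-Table -AutoSize -Wrap

# Against a live tenant (after connecting to Exchange Online PowerShell):
# Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Get-MailboxAuditGap
```

With the sample data, full@example.test produces no row, while partial@example.test and off@example.test are reported.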
Actions that can be audited in Office 365
The below table lists the actions logged by mailbox audit logging, including the logon types for which the action can be logged.
Action | Description | Administrator | Delegate | Owner |
Copy | An item is copied to another folder. | Yes | No | No |
Create | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that message or folder creation isn’t audited. | Yes* | Yes* | Yes |
FolderBind | A mailbox folder is accessed. | Yes* | Yes** | No |
HardDelete | An item is deleted permanently from the Recoverable Items folder. | Yes* | Yes* | Yes |
MessageBind | An item is accessed in the reading pane or opened. | Yes | No | No |
Move | An item is moved to another folder. | Yes* | Yes | Yes |
MoveToDeletedItems | An item is moved to the Deleted Items folder. | Yes* | Yes | Yes |
SendAs | A message is sent using Send As permissions. | Yes* | Yes* | Not applicable |
SendOnBehalf | A message is sent using Send on Behalf permissions. | Yes* | Yes | Not applicable |
SoftDelete | An item is deleted from the Deleted Items folder. | Yes* | Yes* | Yes |
Update | An item’s properties are updated. | Yes* | Yes* | Yes |
You can change how long audit log entries are kept from the default of 90 days. For a longer or shorter period, set the AuditLogAgeLimit parameter.
Here you will get complete details:
Office 365 security and compliance:
https://technet.microsoft.com/en-us/library/dn532171.aspx
Search the audit log in the Office 365 Security & Compliance Center:
https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&rs=en-US&ad=US
Enable mailbox auditing in Office 365:
https://support.office.com/en-us/article/Enable-mailbox-auditing-in-Office-365-aaca8987-5b62-458b-9882-c28476a66918
By following the above steps you can easily enable auditing in Office 365 to track who did what and where.