
1 May 2019 by Greg Jones
Many organisations have strict compliance rules around who can access which mailboxes. Some companies are even required to regularly audit the times and dates on which someone read another person's email. In fact, many years ago in one of my roles at a financial organisation, every access to another person's mailbox was logged and had to be justified with a helpdesk ticket number!
Office 365 can monitor and record this type of access, but you have to specifically enable auditing on each mailbox: the per-mailbox setting is disabled by default. Check the actual state of your tenant rather than assuming, since Microsoft has been moving to enable mailbox auditing by default in Exchange Online.
There is currently no way to enable mailbox auditing in Office 365 through the admin portal, so you will have to connect to Office 365 using PowerShell.
Once you’re connected, you can enable auditing for a single user by running the following cmdlet:
Set-Mailbox user@domain.com -AuditEnabled $true
Disabling auditing is the same command with the value flipped:
Set-Mailbox user@domain.com -AuditEnabled $false
If you want to enable mailbox auditing for every one of your Office 365 users, run the following. It enables mailbox auditing for all user mailboxes (but not shared or resource mailboxes). The -ResultSize Unlimited matters: without it Get-Mailbox returns only the first 1,000 mailboxes, so in a larger tenant the rest would be silently skipped.
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}
Note: a mailbox created after you run this command gets the default state, Auditing Disabled, so the command has to be re-run (or scheduled) to pick up new mailboxes.
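Because new mailboxes keep arriving with auditing off, the one-off command above is best turned into something you can run on a schedule. The script below is an added example written for this article, not code from the original post: it checks the organisation-level kill switch, finds only the user mailboxes that still have auditing disabled, enables it on those, and verifies the result. It assumes an Exchange Online PowerShell session is already connected; the -WhatIf switch is this script's own parameter and is simply passed through to Set-Mailbox.

```powershell
# Added example: idempotently enable mailbox auditing on every user mailbox that
# still has it turned off. Safe to run repeatedly, e.g. from a scheduled task.
# Assumes an Exchange Online PowerShell session is already connected.
param(
    [switch]$WhatIf   # report what would change without changing anything
)

# Organisation-wide switch: if AuditDisabled is $true, the per-mailbox
# AuditEnabled setting is ignored and nothing is logged, so check it first.
$orgConfig = Get-OrganizationConfig
if ($orgConfig.AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled at the organisation level (Set-OrganizationConfig -AuditDisabled $true). Per-mailbox settings have no effect until that is reverted.'
}

# -ResultSize Unlimited matters: Get-Mailbox returns only the first 1000
# mailboxes by default, which silently skips the rest of a large tenant.
# Filtering server-side on AuditEnabled avoids touching mailboxes that are fine.
$pending = Get-Mailbox -ResultSize Unlimited `
    -Filter { RecipientTypeDetails -eq 'UserMailbox' -and AuditEnabled -eq $false }

Write-Host ("{0} user mailbox(es) currently have auditing disabled" -f @($pending).Count)

foreach ($mbx in $pending) {
    try {
        # -WhatIf:$WhatIf forwards our switch to Set-Mailbox's own WhatIf support.
        Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -WhatIf:$WhatIf -ErrorAction Stop
        if (-not $WhatIf) {
            Write-Host ("Enabled auditing on {0}" -f $mbx.UserPrincipalName)
        }
    }
    catch {
        # Do not let one failure abort the run; report it and carry on.
        Write-Warning ("Failed on {0}: {1}" -f $mbx.UserPrincipalName, $_.Exception.Message)
    }
}

# Verify: anything still disabled after the run is worth investigating.
if (-not $WhatIf) {
    $stillOff = Get-Mailbox -ResultSize Unlimited `
        -Filter { RecipientTypeDetails -eq 'UserMailbox' -and AuditEnabled -eq $false }
    if (@($stillOff).Count -gt 0) {
        Write-Warning ("{0} mailbox(es) still have auditing disabled:" -f @($stillOff).Count)
        $stillOff | Select-Object UserPrincipalName, AuditEnabled | Format-Table -AutoSize
    }
}
```

Run it once with -WhatIf to see which mailboxes would be changed, then without it. Because the filter only selects mailboxes with AuditEnabled set to $false, a scheduled run in a tenant where everything is already compliant makes no changes at all.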
We can use the Get-Mailbox cmdlet to report on which mailboxes have auditing enabled and which actions are audited for each scope.
Simply run the following and you will see the output in table form (the values are truncated here to fit the console width):
PS C:\Users\burns_000\Desktop> get-mailbox | select UserPrincipalName,auditenabled,AuditDelegate,AuditAdmin
UserPrincipalName AuditEnabled AuditDelegate AuditAdmin
----------------- ------------ ------------- ----------
adelle@alantest5.onmicroso... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
adria@alantest5.onmicrosof... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
agustina@alantest5.onmicro... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
ahmad@alantest5.onmicrosof... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
alan@alantest5.onmicrosoft... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
alejandra@alantest5.onmicr... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
alena@alantest5.onmicrosof... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
alida@alantest5.onmicrosof... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
aline@alantest5.onmicrosof... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
alishia@alantest5.onmicros... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
althea@alantest5.onmicroso... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
amberly@alantest5.onmicros... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
america@alantest5.onmicros... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
anamaria@alantest5.onmicro... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
andra@alantest5.onmicrosof... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
aracelis@alantest5.onmicro... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
ardella@alantest5.onmicros... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
ariane@alantest5.onmicroso... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
arla@alantest5.onmicrosoft... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
arnita@alantest5.onmicroso... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
art@alantest5.onmicrosoft.com True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
ben@alantest5.onmicrosoft.com True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
chris@alantest5.onmicrosof... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
cynthia@alantest5.onmicros... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
david@alantest5.onmicrosof... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
DiscoverySearchMailbox{D91... False {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
melissa@alantest5.onmicros... True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
You can also filter to view only the mailboxes that do not have mailbox auditing enabled:
PS C:\Users\burns_000\Desktop> get-mailbox -filter {AuditEnabled -eq $false} | select UserPrincipalName,auditenabled,AuditDelegate
UserPrincipalName AuditEnabled AuditDelegate
----------------- ------------ -------------
DiscoverySearchMailbox{D919BA05-46A6... False {Update, SoftDelete, HardDelete, Sen...
ahmad@alantest5.onmicrosoft.com False {Update, SoftDelete, HardDelete, Sen...
ben@alantest5.onmicrosoft.com False {Update, SoftDelete, HardDelete, Sen...
adelle@alantest5.onmicrosoft.com False {Update, SoftDelete, HardDelete, Sen...
You can also switch the {AuditEnabled -eq $false} filter to {AuditEnabled -eq $true} if you want to see a list of all Office 365 mailboxes that have auditing enabled.
A common misconception is that all mailbox access is logged once you enable mailbox audit logging. This is not the case: turning on AuditEnabled only logs the default set of actions, shown in the table below for administrators and delegates. Note in particular that simply reading a message (MessageBind) is not logged by default for anyone, and opening a folder (FolderBind) is only logged for administrators.
Action | Description | Administrators | Delegates |
---|---|---|---|
Update | A message was changed. | Yes | Yes |
Copy | A message was copied to another folder. | No | No |
Move | A message was moved to another folder. | Yes | No |
Move To Deleted Items | A message was moved to the Deleted Items folder. | Yes | No |
Soft-delete | A message was deleted from the Deleted Items folder. | Yes | Yes |
Hard-delete | A message is purged from the Recoverable Items folder. For more information, see Recover Deleted Items. | Yes | Yes |
FolderBind | A mailbox folder was accessed. | Yes | No |
Send as | A message was sent using SendAs permission. This means another user sent the message as though it came from the mailbox owner. | Yes | Yes |
Send on behalf of | A message is sent using SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message will indicate to the recipient who the message was sent on behalf of and who actually sent the message. | Yes | No |
MessageBind | A message is viewed in the preview pane or opened. | No | No |
If you want to audit these additional actions, you have to specify them explicitly when you enable auditing. Unfortunately you cannot audit every action for delegates: MessageBind (and Copy) are accepted for administrators but not for delegates, as the PowerShell error below shows. Bear in mind also that -AuditAdmin, -AuditDelegate and -AuditOwner each replace the whole set of audited actions for that scope rather than adding to it, so list every action you want, not just the new one (or use the @{Add='MessageBind'} syntax that Exchange multivalued parameters accept).
PS C:\Users\burns_000\Desktop> Set-Mailbox ben -AuditEnabled $true -AuditDelegate MessageBind
Invalid audit operation specified. Supported audit operations for Delegate are None, Create, FolderBind, SendAs,
SendOnBehalf, SoftDelete, HardDelete, Update, Move, and MoveToDeletedItems.
+ CategoryInfo : NotSpecified: (Microsoft.Excha...asks.SetMailbox:SetMailbox) [], RecipientTaskException
+ FullyQualifiedErrorId : [Server=DB3PR05MB123,RequestId=00000000-0000-0000-0000-000000000000,TimeStamp=26/06/2013
15:16:42] 7D1AF0B5
+ PSComputerName : pod51049psh.outlook.com
PS C:\Users\burns_000\Desktop> Set-Mailbox ben -AuditEnabled $true -AuditAdmin MessageBind
PS C:\Users\burns_000\Desktop>
If you want to audit every supported action for all users' mailboxes, you can do the following (Copy and MessageBind are left out of the delegate set because Exchange rejects them there):
PS C:\Users\burns_000\Desktop> Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update }
PS C:\Users\burns_000\Desktop>
The AuditAdmin and AuditDelegate parameters control which actions are audited when an administrator or a delegate, respectively, accesses another person's mailbox; AuditOwner does the same for the mailbox owner's own actions.
For example, you may not care too much if a CEO's Personal Assistant is reading their boss's email, as that is their job. So you would not want to audit common tasks such as replying to emails on behalf of the boss, as that would fill up the audit log quite quickly. You may, however, be interested to see whether the PA is deleting any messages.
It is a different story if your Exchange administrators are logging in to people's mailboxes and moving messages around. That is something you probably DO want to audit.
You can use the AuditDelegate and AuditAdmin parameters to set these different levels of auditing for the two kinds of access.
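The report earlier in the article tells you whether auditing is on; a compliance team usually also wants to know whether each mailbox audits the right actions for each scope, and to fix the ones that drift. The script below is an added example written for this article, not code from the original post. It defines a tiered baseline of the kind just described (delegates audited for deletions and sending only, administrators for everything, owners for logins and deletions), validates that baseline against the per-scope action lists Exchange accepts (taken from the error message above), compares every user mailbox against it, writes the drift to a CSV and, with -Fix, applies the baseline. The baseline values, the -Fix switch and the report path are this example's own assumptions; it assumes an Exchange Online PowerShell session is already connected.

```powershell
# Added example: audit the audit settings. Compare every user mailbox against a
# desired set of audited actions per scope, report the drift, optionally fix it.
# Assumes an Exchange Online PowerShell session is already connected.
param(
    [switch]$Fix,                                   # apply the baseline, not just report
    [string]$ReportPath = '.\MailboxAuditDrift.csv' # where the drift report is written
)

# Actions Exchange accepts for each scope, as listed in the Set-Mailbox error text
# (MessageBind and Copy are admin-only; MailboxLogin is owner-only).
$supported = @{
    AuditAdmin    = 'Copy','Create','FolderBind','HardDelete','MessageBind','Move','MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update'
    AuditDelegate = 'Create','FolderBind','HardDelete','Move','MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update'
    AuditOwner    = 'Create','HardDelete','MailboxLogin','Move','MoveToDeletedItems','SoftDelete','Update'
}

# Desired baseline (an assumption for this example; adjust to your compliance rules):
# admins audited for everything, delegates only for deletions and sending, owners
# for logins and deletions. Routine delegate reads and moves are deliberately excluded.
$baseline = @{
    AuditAdmin    = $supported.AuditAdmin
    AuditDelegate = 'HardDelete','SoftDelete','MoveToDeletedItems','SendAs','SendOnBehalf'
    AuditOwner    = 'HardDelete','SoftDelete','MailboxLogin'
}

# Fail early on an unsupported action rather than on the 500th mailbox.
foreach ($scope in $baseline.Keys) {
    $bad = $baseline[$scope] | Where-Object { $_ -notin $supported[$scope] }
    if ($bad) { throw "Unsupported $scope action(s): $($bad -join ', ')" }
}

function Get-MissingActions($current, $wanted) {
    # Return the wanted actions that the mailbox does not currently audit.
    $have = @($current | ForEach-Object { "$_" })
    $wanted | Where-Object { $_ -notin $have }
}

$drift = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq 'UserMailbox' }) {
    $missing = [ordered]@{}
    foreach ($scope in $baseline.Keys) {
        $m = Get-MissingActions $mbx.$scope $baseline[$scope]
        if ($m) { $missing[$scope] = $m }
    }
    # A mailbox deviates if auditing is off or any scope lacks a wanted action.
    if (-not $mbx.AuditEnabled -or $missing.Count -gt 0) {
        [pscustomobject]@{
            UserPrincipalName = $mbx.UserPrincipalName
            AuditEnabled      = $mbx.AuditEnabled
            AuditLogAgeLimit  = $mbx.AuditLogAgeLimit
            MissingAdmin      = ($missing['AuditAdmin']    -join ';')
            MissingDelegate   = ($missing['AuditDelegate'] -join ';')
            MissingOwner      = ($missing['AuditOwner']    -join ';')
        }
        if ($Fix) {
            # Set the complete baseline for every scope: the parameters replace the
            # existing set, so this makes the end state deterministic.
            Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
                -AuditAdmin    $baseline.AuditAdmin `
                -AuditDelegate $baseline.AuditDelegate `
                -AuditOwner    $baseline.AuditOwner
        }
    }
}

$drift | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} mailbox(es) deviate from the baseline; report written to {1}" -f @($drift).Count, $ReportPath)
```

Run it without -Fix first and review the CSV: the MissingAdmin, MissingDelegate and MissingOwner columns show exactly which actions each mailbox is not auditing, and AuditLogAgeLimit shows how long its entries are retained. The check only flags actions the baseline wants and the mailbox lacks; if your policy also requires that nothing beyond the baseline is audited (to keep the log small), compare in the other direction as well.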
So there you have it, all you need to know about enabling mailbox access auditing in Office 365. Next time we will be looking at how to view a report of who has accessed another person's mailbox.