Enable Mailbox Auditing for Office 365 users

27 Jun 2013 by Emma Robinson

Many organisations have strict compliance rules around who can access which mailboxes. Some companies are even required to regularly audit the times and dates that someone has read another persons email. In fact, many years ago in one of my roles at a financial organisation every access to another persons mailbox was logged and had to be justified with a helpdesk ticket number!
Office 365 has the ability to monitor and record this type of access, but it requires you to specifically enable auditing on the mailboxes and it is disabled by default.

Enable Mailbox Auditing for a Single User

There is currently no way to enable mailbox auditing in Office 365 through the Administrative portal so you’ll have to connect to Office 365 using PowerShell.
Once you’re connected, you can enable auditing for a single user by running the following cmdlet:
Set-Mailbox user@domain.com -AuditEnabled $true
Obviously, you can disable auditing like this:
Set-Mailbox user@domain.com -AuditEnabled $false

Enabling Mailbox Auditing for All Users

If you want to enable mailbox auditing for every one of your Office 365 users, you can run these this cmdlet. This will enabled mailbox auditing for all users with a mailbox (But not shared or resource mailboxes)
Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}
Note: If you add a new mailbox some time after you run this cmdlet, it will receive the default state of having Auditing Disabled.

Find out which Office 365 users have Auditing Enabled or Disabled

We can use the Get-Mailbox Simply run the following

PS C:\Users\burns_000\Desktop> UserPrincipalName ----------------- adelle@alantest5.onmicroso... adria@alantest5.onmicrosof... agustina@alantest5.onmicro... ahmad@alantest5.onmicrosof... alan@alantest5.onmicrosoft... alejandra@alantest5.onmicr... alena@alantest5.onmicrosof... alida@alantest5.onmicrosof... aline@alantest5.onmicrosof... alishia@alantest5.onmicros... althea@alantest5.onmicroso... amberly@alantest5.onmicros... america@alantest5.onmicros... anamaria@alantest5.onmicro... andra@alantest5.onmicrosof... aracelis@alantest5.onmicro... ardella@alantest5.onmicros... ariane@alantest5.onmicroso... arla@alantest5.onmicrosoft... arnita@alantest5.onmicroso... art@alantest5.onmicrosoft.com ben@alantest5.onmicrosoft.com chris@alantest5.onmicrosof... cynthia@alantest5.onmicros... david@alantest5.onmicrosof... DiscoverySearchMailbox{D91... melissa@alantest5.onmicros... You can also filter PS C:\Users\burns_000\Desktop> UserPrincipalName ----------------- DiscoverySearchMailbox{D919BA05-46A6... ahmad@alantest5.onmicrosoft.com ben@alantest5.onmicrosoft.com adelle@alantest5.onmicrosoft.com You can also switch

cmdlet to create a report of who has Mailbox auditing enabled or not.
 cmdlet and you will see the output in table form
 get-mailbox | select UserPrincipalName,auditenabled,AuditDelegate,AuditAdmin
 AuditEnabled AuditDelegate                 AuditAdmin
 ------------ -------------                 ----------
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 False {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
 to view only those who do not have mail auditing enabled:
 get-mailbox -filter {AuditEnabled -eq $false} | select UserPrincipalName,auditenabled,AuditDelegate
 AuditEnabled AuditDelegate
 ------------ -------------
 False {Update, SoftDelete, HardDelete, Sen...
 False {Update, SoftDelete, HardDelete, Sen...
 False {Update, SoftDelete, HardDelete, Sen...
 False {Update, SoftDelete, HardDelete, Sen...

the {AuditEnabled -eq $false} filter section to {AuditEnabled -eq $true} if you want to see a list of all Office 365 users who have Auditing enabled.

What is Audited?

A common misconception is that all mailbox access is logged when you enable mailbox audit logging. This is not the case as you can see by the table below!

Action	Description	Administrators	Delegates
Update	A message was changed.	Yes	Yes
Copy	A message was copied to another folder.	No	No
Move	A message was moved to another folder.	Yes	No
Move To Deleted Items	A message was moved to the Deleted Items folder.	Yes	No
Soft-delete	A message was deleted from the Deleted Items folder.	Yes	Yes
Hard-delete	A message is purged from the Recoverable Items folder. For more information, seeRecover Deleted Items.	Yes	Yes
FolderBind	A mailbox folder was accessed.	Yes	No
Send as	A message was sent using SendAs permission. This means another user sent the message as though it came from the mailbox owner.	Yes	Yes
Send on behalf of	A message is sent using SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message will indicate to the recipient who the message was sent on behalf of and who actually sent the message.	Yes	No
MessageBind	A message is viewed in the preview pane or opened.	No	No

Action

Description

Administrators

Delegates

Update

A message was changed.

Yes

Copy

A message was copied to another folder.

Move

A message was moved to another folder.

Yes

Move To Deleted Items

A message was moved to the Deleted Items folder.

Yes

Soft-delete

A message was deleted from the Deleted Items folder.

Yes

Hard-delete

A message is purged from the Recoverable Items folder. For more information, seeRecover Deleted Items.

Yes

FolderBind

A mailbox folder was accessed.

Yes

Send as

A message was sent using SendAs permission. This means another user sent the message as though it came from the mailbox owner.

Yes

Send on behalf of

A message is sent using SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message will indicate to the recipient who the message was sent on behalf of and who actually sent the message.

Yes

MessageBind

A message is viewed in the preview pane or opened.

If you want to audit these additional events, you need to specify them directly when you enabled auditing. Unfortunately you can’t specify all actions for delegates, as you can see by this PowerShell error. It seems to work for Admins though.

PS C:\Users\burns_000\Desktop> Set-Mailbox ben -AuditEnabled $false -AuditDelegate MessageBind

Invalid audit operation specified. Supported audit operations for Delegate are None, Create, FolderBind, SendAs,

SendOnBehalf, SoftDelete, HardDelete, Update, Move, and MoveToDeletedItems.

    + CategoryInfo          : NotSpecified: (Microsoft.Excha...asks.SetMailbox:SetMailbox) [], RecipientTaskException

    + FullyQualifiedErrorId : [Server=DB3PR05MB123,RequestId=00000000-0000-0000-0000-000000000000,TimeStamp=26/06/2013

    15:16:42] 7D1AF0B5

    + PSComputerName        : pod51049psh.outlook.com

PS C:\Users\burns_000\Desktop> Set-Mailbox ben -AuditEnabled $false -AuditAdmin MessageBind

PS C:\Users\burns_000\Desktop>

Auditing all Mailbox Actions

If you want to audit all actions for all users mailboxes, then you can do the following.

PS C:\Users\burns_000\Desktop> Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update }

PS C:\Users\burns_000\Desktop>

What is the difference between AuditAdmin and AuditDelegate

This refers to the type of actions that are audited when either an Administrator or a Delegate accesses another persons mailbox.
For example, you may not care too much if a CEO’s Personal Assistant is reading their bosses email – as that is their job. So you wouldn’t want to audit common tasks such as replying to emails on behalf of their boss etc as it would fill up the audit log quite quickly. Alhough, you may be interested to see if the PA is deleting any messages.
It is a different story if your Exchange administrators are logging in to people’s mailboxes and moving messages around – this could be something you DO want to Audit.
You can use the AuditDelegate and AuditAdmin switches to set these differences in auditing levels.
So there you have it, all you need to know about enabling mailbox access auditing in Office 365. Next time we will be looking at how to view a report of who has accessed another persons mailbox.