SolutionsSmarter migration, reporting, security, and management in Office 365. Our solutions take you to and through the cloud.
MigrationIntelligent, enterprise-scale solutions for migrating the entire email ecosystem: email, archives, public folders, PST files, and ‘cloud-to-cloud’ migrations.ReportingDetailed Office 365 analytics for monitoring service adoption, license management, mail flow, security settings, permissions, storage optimization, and so much more.SecuritySmarter Office 365 security, with on-event alerting and detailed auditing. Prevent, detect and investigate threats, and achieve GDPR compliance.ManagementStreamlined, automated Office 365 administration, that can simplify IT processes and reduce helpdesk burden.
Case Studies
Partners
About UsEverything you need to know about Quadrotech. Get to know us: who we are, where we are, and what we do!
BlogIndustry and product news, company updates, plus Office 365 analysis, tips, and plenty of PowerShell scripts.Company ProfileLearn more about our history, global leadership team, and exciting vision for the future.CareersAll the career opportunities currently available at Quadrotech are listed here. Come join us!
Contact
Office 365 Knowledge

This area covers:

Blog

Back

Enable Mailbox Auditing for Office 365 users

Many organisations have strict compliance rules around who can access which mailboxes. Some companies are even required to regularly audit the times and dates that someone has read another persons email. In fact, many years ago in one of my roles at a financial organisation every access to another persons mailbox was logged and had to be justified with a helpdesk ticket number!
Office 365 has the ability to monitor and record this type of access, but it requires you to specifically enable auditing on the mailboxes and it is disabled by default.

Enable Mailbox Auditing for a Single User

There is currently no way to enable mailbox auditing in Office 365 through the Administrative portal so you’ll have to connect to Office 365 using PowerShell.
Once you’re connected, you can enable auditing for a single user by running the following cmdlet:

Set-Mailbox user@domain.com -AuditEnabled $true

Obviously, you can disable auditing like this

Set-Mailbox user@domain.com -AuditEnabled $false

Enabling Mailbox Auditing for All Users

If you want to enable mailbox auditing for every one of your Office 365 users, you can run these this cmdlet. This will enabled mailbox auditing for all users with a mailbox (But not shared or resource mailboxes)

Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

Note: If you add a new mailbox some time after you run this cmdlet, it will receive the default state of having Auditing Disabled.

Find out which Office 365 users have Auditing Enabled or Disabled

We can use the Get-Mailbox cmdlet to create a report of who has Mailbox auditing enabled or not.
Simply run the following cmdlet and you will see the output in table form

PS C:\Users\burns_000\Desktop> get-mailbox | select UserPrincipalName,auditenabled,AuditDelegate,AuditAdmin
UserPrincipalName                              AuditEnabled AuditDelegate                 AuditAdmin
-----------------                              ------------ -------------                 ----------
adelle@alantest5.onmicroso...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
adria@alantest5.onmicrosof...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
agustina@alantest5.onmicro...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
ahmad@alantest5.onmicrosof...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
alan@alantest5.onmicrosoft...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
alejandra@alantest5.onmicr...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
alena@alantest5.onmicrosof...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
alida@alantest5.onmicrosof...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
aline@alantest5.onmicrosof...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
alishia@alantest5.onmicros...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
althea@alantest5.onmicroso...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
amberly@alantest5.onmicros...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
america@alantest5.onmicros...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
anamaria@alantest5.onmicro...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
andra@alantest5.onmicrosof...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
aracelis@alantest5.onmicro...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
ardella@alantest5.onmicros...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
ariane@alantest5.onmicroso...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
arla@alantest5.onmicrosoft...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
arnita@alantest5.onmicroso...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
art@alantest5.onmicrosoft.com                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
ben@alantest5.onmicrosoft.com                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
chris@alantest5.onmicrosof...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
cynthia@alantest5.onmicros...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
david@alantest5.onmicrosof...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
DiscoverySearchMailbox{D91...                         False {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...
melissa@alantest5.onmicros...                          True {Update, SoftDelete, HardD... {Update, Move, MoveToDelet...

You can also filter to view only those who do not have mail auditing enabled:

PS C:\Users\burns_000\Desktop> get-mailbox -filter {AuditEnabled -eq $false} | select UserPrincipalName,auditenabled,AuditDelegate
UserPrincipalName                                                  AuditEnabled AuditDelegate
-----------------                                                  ------------ -------------
DiscoverySearchMailbox{D919BA05-46A6...                                   False {Update, SoftDelete, HardDelete, Sen...
ahmad@alantest5.onmicrosoft.com                                           False {Update, SoftDelete, HardDelete, Sen...
ben@alantest5.onmicrosoft.com                                             False {Update, SoftDelete, HardDelete, Sen...
adelle@alantest5.onmicrosoft.com                                          False {Update, SoftDelete, HardDelete, Sen...

You can also switch the {AuditEnabled -eq $false} filter section to {AuditEnabled -eq $true} if you want to see a list of all Office 365 users who have Auditing enabled.

What is Audited?

A common misconception is that all mailbox access is logged when you enable mailbox audit logging. This is not the case as you can see by the table below!


Action	Description	Administrators	Delegates
Update	A message was changed.	Yes	Yes
Copy	A message was copied to another folder.	No	No
Move	A message was moved to another folder.	Yes	No
Move To Deleted Items	A message was moved to the Deleted Items folder.	Yes	No
Soft-delete	A message was deleted from the Deleted Items folder.	Yes	Yes
Hard-delete	A message is purged from the Recoverable Items folder. For more information, seeRecover Deleted Items.	Yes	Yes
FolderBind	A mailbox folder was accessed.	Yes	No
Send as	A message was sent using SendAs permission. This means another user sent the message as though it came from the mailbox owner.	Yes	Yes
Send on behalf of	A message is sent using SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message will indicate to the recipient who the message was sent on behalf of and who actually sent the message.	Yes	No
MessageBind	A message is viewed in the preview pane or opened.	No	No

If you want to audit these additional events, you need to specify them directly when you enabled auditing. Unfortunately you can’t specify all actions for delegates, as you can see by this PowerShell error. It seems to work for Admins though.

PS C:\Users\burns_000\Desktop> Set-Mailbox ben -AuditEnabled $false -AuditDelegate MessageBind
Invalid audit operation specified. Supported audit operations for Delegate are None, Create, FolderBind, SendAs,
SendOnBehalf, SoftDelete, HardDelete, Update, Move, and MoveToDeletedItems.
    + CategoryInfo          : NotSpecified: (Microsoft.Excha...asks.SetMailbox:SetMailbox) [], RecipientTaskException
    + FullyQualifiedErrorId : [Server=DB3PR05MB123,RequestId=00000000-0000-0000-0000-000000000000,TimeStamp=26/06/2013
    15:16:42] 7D1AF0B5
    + PSComputerName        : pod51049psh.outlook.com
PS C:\Users\burns_000\Desktop> Set-Mailbox ben -AuditEnabled $false -AuditAdmin MessageBind
PS C:\Users\burns_000\Desktop>

Auditing all Mailbox Actions

If you want to audit all actions for all users mailboxes, then you can do the following.

PS C:\Users\burns_000\Desktop> Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update }
PS C:\Users\burns_000\Desktop>

What is the difference between AuditAdmin and AuditDelegate

This refers to the type of actions that are audited when either an Administrator or a Delegate accesses another persons mailbox.
For example, you may not care too much if a CEO’s Personal Assistant is reading their bosses email – as that is their job. So you wouldn’t want to audit common tasks such as replying to emails on behalf of their boss etc as it would fill up the audit log quite quickly. Alhough, you may be interested to see if the PA is deleting any messages.
It is a different story if your Exchange administrators are logging in to people’s mailboxes and moving messages around – this could be something you DO want to Audit.
You can use the AuditDelegate and AuditAdmin switches to set these differences in auditing levels.
So there you have it, all you need to know about enabling mailbox access auditing in Office 365. Next time we will be looking at how to view a report of who has accessed another persons mailbox.