Enable Mailbox Auditing in Office 365 Users using PowerShell

Auditing mailbox activities play a vital role in security and compliance. Mailbox auditing allows you to track user’s actions on their own mailbox and others’ mailboxes. So, you can track who logs on to the mailbox and what operations are performed. 

Things to Know Before Enabling Mailbox Audit log: 
  • Everyone believes that Mailbox auditing is enabled in Office 365 by default. But that is not 100% true. Only specific actions are audited by default.
  • Mailbox audit log includes actions performed by administrators, delegates, and owners.        
    • Owner Audit – Activities done by the mailbox owner  
    • Delegate Audit – Actions performed by the user with full access, send as or send on behalf permission on mailbox and admin with full access permission to a mailbox.  
    • Admin Audit – When Microsoft eDiscovery tools search the mailbox. 
  • Specific audit actions do not apply to delegate or admin roles.
  • By default, mailbox audit log entries are retained for 90 days. You can change this period using the AuditLogAgeLimit’ parameter. 

 

Enable Mailbox Audit Logging in Office 365: 

You can’t use the Exchange Admin Center to enable or disable mailbox audit logging. You have to use the PowerShell cmdlets.

In this blog, we will show you how to easily enable mailbox audit logging for Office 365 mailbox. We will show multiple methods, and you can choose the one that’s easier for you.  

1. (Recommeded) Method 1: Quickly enable mailbox auditing for Office 365 users (PowerShell script)  

2.Method 2: Enable mailbox audit logging in Office 365 (Mailbox based)  

        Enable mailbox audit logging for a specific mailbox  

        Enable mailbox audit logging for all mailboxes  

3.Method 3: Enable mailbox auditing in Office 365 by default (Tenant wide)  

        Verify whether the mailbox audit logging is enabled by default  

        How to opt-out of default mailbox auditing  

        Bypass a user account from mailbox audit logging  

4.More cmdlets to configure mailbox audit logging  

5.What actions are logged in the mailbox audit log

 

Method 1: Quickly Enable Mailbox Auditing for Office 365 Users (PowerShell Script) 

I have written a script to take care of every nuance in enabling Office 365 mailbox auditing. You can just run a script to enable all applicable actions on all mailboxes in your environment. If required, you shall enable the auditing only for specific mailbox actions. 

 

You can Download the script from TechNet gallery. 

 

Script Highlights: 

  • You can enable mailbox audit logging for all mailboxes using single cmdlet 
  • This script allows you to enable mailbox auditing for all mailbox actions or set of actions 
  • The script can be executed with MFA enabled account also. 
  • This script automatically installs Exchange Online PowerShell Module upon your confirmation 

 

How to execute “Enable Mailbox Auditing in Office 365 PowerShell Script” 

This PowerShell script supports multiple parameters/switches for more granular configuration. We have listed some of the usecases below. 

 

1.Enable Mailbox Audit Logging for all Office 365 Mailboxes: 

To turn on mailbox audit logging for all mailboxes with all supported mailbox actions, execute the script as follows: 

Now, all mailbox actions are audited for all logon types. 

Enable mailbox auditing for all office 365 users

 

2.Turn on Mailbox Audit Logging for Specific Mailbox Actions: 

If you don’t want to enable mailbox audit logging for mailbox actions, you can enable mailbox audit logging for set of mailbox actions. To specify list of mailbox actions, you can use –Operations param. 

Above script enables mailbox auditing for SendAs,ApplyRecord and Copy actions. You can choose whatever actions that you need to audit.

Enable mailbox auditing for all mailbox actions

 

Note: SendAs action available for Admin and Delegate audit and Copy action available for Admin audit only. So, the above cmdlet enables following actions. 

Admin audit – SendAs,ApplyRecord,Copy 

Delegate audit – SendAs,ApplyRecord 

Owner audit – ApplyRecord. 

 

3. Enable Audit for Mailbox Logins: 

Logons are the one common activity in most attack patterns. Since mailbox logins are not audited by default, you need to configure audit logging to capture mailbox login events. To enable auditing for mailbox logins, run the script as shown below. 

Enable audit for mailbox login

 

4.Enable Mailbox Audit Logging in Office 365 with MFA: 

If you want to turn on mailbox audit logging using MFA enabled account, run the script –MFA switch. 

If Exchange Online PowerShell (EXO) module is not installed, the script automatically installs EXO module upon your confirmation.

 

5.PowerShell Script to Enable Mailbox Auditing in Office 365 

You can pass the credential as parameter to connect Exchange Online. So, you can use this PowerShell script in Task scheduler. 

 

Method 2: Enable Mailbox Auditing in Office 365 (Mailbox based) 

When you enable mailbox audit logging for a mailbox, actions performed by administrators, delegates, and owners are logged by default. Set-Mailbox cmdlet is used to enable or disable audit logging for mailbox. 

Note: To enable mailbox audit logging, you need to connect Exchange Online PowerShell. If your account is MFA enabled, you can connect Exchange Online PowerShell through EXO module.

 

Enable Mailbox Audit Logging for Specific Mailbox:  

To enable mailbox audit logging, run the Set-Mailbox cmdlet with AuditEnabled value set to $True. 

Above example enables mailbox audit log for Kathy’s mailbox. 

 

This code disables mailbox audit log for Kathy’s mailbox. 

 

Enable Mailbox Audit Logging for All Users: 

To enable mailbox audit logging for all mailboxes, run the below code: 

This will enable mailbox auditing for each mailbox available in Office 365 environment.

 

Method 3: Enable Mailbox Audit Logging for Office 365 by Default (Tenant-wide) 

Instead of mailbox specific settings, Microsoft launched tenant-wide audit Logging configuration. This feature enables mailbox auditing by default. i.e., Exchange automatically audits set of actions performed by admin, delegate, and owner for all user mailboxes, Office 365 group mailboxes, and shared mailboxes.  

Note:   

  • When Microsoft releases a new action, the action (precisely, actions that help you to protect your organization) is automatically added to the actions that are audited by default.  
  • If you had customized the mailbox actions to audit before ‘mailbox auditing ON by default was enabled’, the personalized settings are preserved, and default mailbox actions are not overwritten.  

Verify Whether the Mailbox Audit Logging is Enabled by Default 

To check the configuration, run the Get-OrganizationConfig cmdlet  

By default, the AuditDisabled value is $False. I.e., audits are tracked. Even if the AuditEnabled (retrieved from Get-Mailbox) setting for the mailbox is $false, the default set of actions are audited. 

 

How to Opt-out of Default Mailbox Auditing? 

To stop capturing mailbox audit log for tenant-wide, run the Set-OrganizationConfig cmdlet with AuditDisabled setting is true.  

The above cmdlet, disables default mailbox audit logging for all mailboxes. 

 

Bypass a User Account from Mailbox Audit Logging: 

When your organization turned on the ‘enable mailbox audit logging by default’, the mailbox audits are logged even when the mailbox’s AuditEnabled setting was false. Still, you can disable mailbox audit logging for specific mailboxes.  

You can configure a mailbox to bypass mailbox audit logging, so actions taken by that account aren’t logged. By bypassing authorized accounts/trusted accounts that need frequent access to mailboxes, you can reduce the flood of audit entries.  

Use the Set-MailboxAuditBypassAssociation cmdlet to configure the mailbox audit logging bypass. 

 

Enable ‘mailbox audit logging bypass’ for an account: 

To bypass a user account from mailbox audit logging, run the below cmdlet: 

This example bypasses the Kathy account from the mailbox audit logging 

 

Disable ‘mailbox audit logging bypass’ for an account: 

To disable ‘mailbox audit bypass’, run Set-MailboxAuditBypassAssociation cmdlet with AuditBypassEnabled setting false.  

This example removes the bypass association for the Kathy account. 

 

Checking mailbox associations: 

To check mailbox audit bypass associations, run the below cmdlet 

Above cmdlet will retrieve all user accounts configured for mailbox audit logging bypass. 

 

Additional Cmdlets to Configure Mailbox Audit Logging: 

1.Configure mailbox audit logging settings for specific logon type (owner, admin or delegate) 

This example lists SendAs and SendOnBehalf actions performed by delegate users will be logged for Kathy’s mailbox. 

 

2.Configure mailbox audit logging for specific actions (Copy, FolderBindHardDelete, etc. 

Above cmdlet audits HardeDelete and SoftDelete actions performed by all logon type. 

 

3.Configure mailbox audit logging to append actions, without overwriting the existing list 

If you run above two cmdlets, it will overwrite the existing lists. If you want to append actions to an existing list, run the below code. 

Consider, AuditDelegate has already configured to audit HardDelete and SoftDelete for Kathy. 

This example appends SendAs and SendOnBehalf actions to existing HardDelete and SoftDelete actions.

 

4. Increase retention period for audit logs

By default, mailbox audit logs are kept for 90 days. If you want to keep the audit log for more than 90 days, you need to increase ‘AuditLogAgeLimit’. 

This example increases the age limit for mailbox audit log entries in Kathy’s mailbox to 365 days.

 

5.How do you know this worked?

To verify that you have successfully configured the mailbox audit logging, use the Get-Mailbox cmdlet 

Configure mailbox audit logging

The output shows AuditEnabledAuditLogAgeLimit, actions configured for administrator, delegate, and owner.

 

6.Display the mailbox actions that are being logged on for each logon type

When the mailbox has multiple actions for each logon type, then all the actions are displayed using the last cmdlet. It will be shown as the screenshot below. 

Display mailbox audit configuration

To display all actions that logged for specific logon type, use the ExpandProperty parameter. 

Here, the example lists actions that audited for AuditDelegate logon type. 

Enable mailbox audit log for Office 365 Mailbox

 

What Actions are Logged in the Mailbox Audit Log? 

After enabling the mailbox audit log, you can search audit logs using Search-MailboxAuditLog cmdlet. 

The audit log gives the following information 

  1. Who accessed the mailbox and when? 
  2. What operations are performed? 
  3. The affected message and its folder location 
  4. Operation status. I.e. whether the action was succeeded or failed 

The following image describes the mailbox actions that are available in mailbox audit logging for user mailboxes and shared mailboxes. 

Enable audit log for mailbox

A check mark (tick) indicates the mailbox actions that can be logged for the logon type (some actions are available only for specific logon type) 

An asterisk (*) after the check mark indicates the mailbox actions that are logged by default when default audit logging is enabled. 

 

In this blog, we have seen how to enable mailbox auditing through PowerShell. What’s your preferred approach when it comes to mailbox auditing? Let us know your thoughts in the comments section.