With the ever-growing need for additional security insight into your systems, especially mail, Microsoft keeps releasing new features to help identify threats to your environment. Say, for example, you have a user whose password has been compromised, and you believe changes could have been made before you became aware and locked down the account. Normally in this situation most individuals would have to research the changes manually, looking at mailbox rules, forwards, SMTP addresses and the like to determine what is different. Luckily, with the addition of the Security & Compliance Center, as well as Mailbox Auditing, manual reviews are slowly becoming a thing of the past.

Mailbox Auditing is a feature that was added to Office 365 when the Security & Compliance Center was released. By default, mailbox auditing is not enabled in any tenant, meaning that events happening to a user's mailbox are not logged. To enable it for a single user or site-wide, you must use PowerShell commands.

How to Log into Your Tenant Using PowerShell

On your local computer, open Windows PowerShell and run the following command.

$UserCredential = Get-Credential

In the Windows PowerShell Credential Request dialog box, type the user name and password for an Office 365 global admin account, and then click OK.

Run the following command.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Run the following command.

Import-PSSession $Session

How to Enable Mailbox Audit Logging

After connecting to Exchange Online via PowerShell, you can use one of the following two commands to enable auditing either on a single mailbox or for your entire organization.

This example enables mailbox audit logging for John Smith’s mailbox.

Set-Mailbox -Identity "John Smith" -AuditEnabled $true

This example enables mailbox audit logging for all user mailboxes in your organization.

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

Specify Actions to Audit

As Microsoft explains, when you enable auditing for a mailbox, only one action is enabled by default: UpdateFolderPermissions. To enable different owner actions on a mailbox, use the table below to determine what is required.

 

| Action | Description | Admin | Delegate*** | Owner |
| --- | --- | --- | --- | --- |
| Copy | A message was copied to another folder. | Yes | No | No |
| Create | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder is not audited. | Yes* | Yes* | Yes |
| FolderBind | A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox. | Yes* | Yes** | No |
| HardDelete | A message was purged from the Recoverable Items folder. | Yes* | Yes* | Yes |
| MailboxLogin | The user signed in to their mailbox. | No | No | Yes |
| MessageBind | A message was viewed in the preview pane or opened. | Yes | No | No |
| Move | A message was moved to another folder. | Yes* | Yes | Yes |
| MoveToDeletedItems | A message was deleted and moved to the Deleted Items folder. | Yes* | Yes | Yes |
| SendAs | A message was sent using the SendAs permission. This means another user sent the message as though it came from the mailbox owner. | Yes* | Yes* | No |
| SendOnBehalf | A message was sent using the SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message. | Yes* | Yes | No |
| SoftDelete | A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder. | Yes* | Yes* | Yes |
| Update | A message or its properties was changed. | Yes* | Yes* | Yes |
| UpdateCalendarDelegation | A calendar delegation was assigned to a mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar. | Yes* | No | Yes* |
| UpdateFolderPermissions | A folder permission was changed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders. | Yes* | Yes* | Yes* |

The following PowerShell example adds the MailboxLogin and HardDelete owner actions to a single mailbox. These commands will only work if mailbox auditing has already been enabled on this mailbox.

Set-Mailbox "John Smith" -AuditOwner @{Add="MailboxLogin","HardDelete"}

The next PowerShell example shows how to add the MailboxLogin, HardDelete and SoftDelete owner actions to all mailboxes in your organization.

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditOwner @{Add="MailboxLogin","HardDelete","SoftDelete"}

Finally, to confirm that you successfully enabled auditing on a mailbox, you can run a PowerShell command to retrieve its auditing settings.

Get-Mailbox "John Smith" | FL Audit*

To check all users:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | FL Name,Audit*

When the results are returned, make sure the AuditEnabled property shows True.

How to Disable Mailbox Auditing

If for some reason you need to disable mailbox auditing on a mail account, you can use the PowerShell command below.

Set-Mailbox -Identity <identity of mailbox> -AuditEnabled $false

How to Search Audit Logs

Once auditing has been enabled, you can log into your Office 365 tenant and go to the Security & Compliance Center. Within this portal you will find an option called Audit Log Search. From there you can find reports like the ones in the screenshot below.

You will notice that the names of the reports closely match the ones in the Owner Actions table I provided earlier. For a one-to-one comparison of actions to reports, you can use the table below.

 

| Activity in the audit log | Mailbox auditing action |
| --- | --- |
| Created mailbox item | Create |
| Copied messages to another folder | Copy |
| User signed in to mailbox | MailboxLogin |
| Sent message using Send On Behalf permissions | SendOnBehalf |
| Purged messages from the mailbox | HardDelete |
| Moved messages to Deleted Items folder | MoveToDeletedItems |
| Moved messages to another folder | Move |
| Sent message using Send As permissions | SendAs |
| Updated message | Update |
| Deleted messages from Deleted Items folder | SoftDelete |

Please note that if a user mailbox is not enabled for a specific owner action, then you will be unable to run the corresponding report.

How to Export the Mailbox Audit Log

  1. In the Exchange admin center (EAC), go to Compliance Management > Auditing.
  2. Click Export mailbox audit logs.
  3. Configure the following search criteria for exporting the entries from the mailbox audit log:
    • Start and end dates: Select the date range for the entries to include in the exported file.
    • Mailboxes to search audit log for: Select the mailboxes to retrieve audit log entries for.
    • Type of non-owner access: Select one of the following options to define the type of non-owner access to retrieve entries for:
      • All non-owners: Search for access by administrators and delegated users inside your organization, and by Microsoft datacenter administrators in Exchange Online.
      • External users: Search for access by Microsoft datacenter administrators.
      • Administrators and delegated users: Search for access by administrators and delegated users inside your organization.
      • Administrators: Search for access by administrators in your organization.
    • Recipients: Select the users to send the mailbox audit log to.
  4. Click Export.

Microsoft Exchange retrieves entries in the mailbox audit log that meet your search criteria, saves them to a file named SearchResult.xml, and then attaches the XML file to an email message sent to the recipients that you specified.

How to View the Mailbox Audit Log

  1. Sign in to the mailbox where the mailbox audit log was sent.
  2. In the Inbox, open the message with the XML file attachment sent by Microsoft Exchange. Notice that the body of the email message contains the search criteria.
  3. Click the attachment and select to download the XML file.
  4. Open the SearchResult.xml in Microsoft Excel.
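For larger exports, the same file can be summarized in PowerShell instead of Excel. This is an added example, not part of the original article: Get-AuditEventSummary is a hypothetical helper, the sample XML is constructed, and it assumes each entry is an Event element carrying Operation, LogonType, LogonUserDisplayName and ClientIPAddress as attributes, so check the names against your own export.

```powershell
# Added example: summarize non-owner access from an exported SearchResult.xml.
# Assumption: one <Event> element per entry, with fields stored as XML attributes.
function Get-AuditEventSummary {
    param(
        [Parameter(Mandatory)][string]$XmlText,
        # Operations to surface first (names from the actions table earlier on this page).
        [string[]]$ReviewFirst = @('SendAs', 'SendOnBehalf', 'HardDelete')
    )
    $events = ([xml]$XmlText).SelectNodes('//Event') | ForEach-Object {
        [pscustomobject]@{
            User      = $_.GetAttribute('LogonUserDisplayName')
            LogonType = $_.GetAttribute('LogonType')
            Operation = $_.GetAttribute('Operation')
            ClientIP  = $_.GetAttribute('ClientIPAddress')
        }
    }
    # One row per user / logon type / operation / client IP, with an event count.
    $events | Group-Object User, LogonType, Operation, ClientIP | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            User        = $first.User
            LogonType   = $first.LogonType
            Operation   = $first.Operation
            ClientIP    = $first.ClientIP
            Count       = $_.Count
            ReviewFirst = $ReviewFirst -contains $first.Operation
        }
    } | Sort-Object ReviewFirst, Count -Descending
}

# Constructed sample export (documentation IP ranges, made-up users).
$sampleXml = @'
<SearchResults>
  <Event Owner="jsmith" LastAccessed="2018-05-01T09:14:00Z" Operation="FolderBind" OperationResult="Succeeded" LogonType="Delegate" ClientIPAddress="192.0.2.10" LogonUserDisplayName="Sample Delegate" />
  <Event Owner="jsmith" LastAccessed="2018-05-01T09:15:30Z" Operation="FolderBind" OperationResult="Succeeded" LogonType="Delegate" ClientIPAddress="192.0.2.10" LogonUserDisplayName="Sample Delegate" />
  <Event Owner="jsmith" LastAccessed="2018-05-01T22:41:07Z" Operation="SendAs" OperationResult="Succeeded" LogonType="Delegate" ClientIPAddress="203.0.113.77" LogonUserDisplayName="Sample Delegate" />
  <Event Owner="jsmith" LastAccessed="2018-05-02T03:02:55Z" Operation="HardDelete" OperationResult="Succeeded" LogonType="Admin" ClientIPAddress="203.0.113.77" LogonUserDisplayName="Sample Admin" />
</SearchResults>
'@

# SendAs and HardDelete rows sort to the top; the two FolderBind events collapse into one row.
Get-AuditEventSummary -XmlText $sampleXml | Format-Table -AutoSize

# For a real export: Get-AuditEventSummary -XmlText (Get-Content .\SearchResult.xml -Raw)
```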

Microsoft Articles

https://support.office.com/en-us/article/enable-mailbox-auditing-in-office-365-aaca8987-5b62-458b-9882-c28476a66918#ID0EABAAA=Step-by-step_instructions

https://technet.microsoft.com/library/jj150552(v=exchg.150).aspx

https://technet.microsoft.com/en-us/library/dd638114(v=exchg.150).aspx