• Download our FREE True Price of Office 365 Whitepaper
  • Give us a call: 877-788-1617

    Stay in the know with the MessageOps newsletter:

    Tech Tip: How to Enable Mailbox Auditing in Office 365

    mailbox auditing

    With the ever-growing need for additional security insights into your systems, especially mail, newer features are always being released by Microsoft to assist in identifying the threats to your environment. Say for example you have a user whose password has been compromised, and before you became aware and locked down the account, you believe changes could have been made. Normally in this situation most individuals would have to research changes that were made manually. Looking at mailbox rules, forwards, SMTP addresses and the like to determine what is different. Luckily with the addition of the Security & Compliance Center, as well as Mailbox Auditing, manual reviews are slowly becoming a thing of the past.

    Mailbox Auditing is a feature that was added to Office 365 when the Security & Compliance Center was released. By default, mailbox auditing is not enabled in any tenant, meaning that any event happening to a user’s mailbox are not logged. To enable this on a single user or site-wide, you must do so using PowerShell commands.

    How to Log into Your Tenant Using PowerShell

    On your local computer, open Windows PowerShell and run the following command.

    $UserCredential = Get-Credential

    In the Windows PowerShell Credential Request dialog box, type user name and password for an Office 365 global admin account, and then click OK.

    Run the following command.

    $Session = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential –Authentication Basic -AllowRedirection

    Run the following command.

    Import-PSSession $Session

    How to Enable Mailbox Audit Logging

    After connecting to Exchange Online via PowerShell, you can use one of the following two commands to either enable auditing on a single mailbox, or auditing for your entire organization.

    This example enables mailbox audit logging for John Smith’s mailbox.

    Set-Mailbox -Identity “Pilar Pinilla” -AuditEnabled $true

    This example enables mailbox audit logging for all user mailboxes in your organization.

    Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq “UserMailbox”} | Set-Mailbox -AuditEnabled $true

    Specify Actions to Audit

    As Microsoft would explain, when you enable auditing for a mailbox, only one action is enabled by default. This is the UpdateFolderPermissions parameter. To enable different owner actions on a mailbox, you will need to use the table below to determine what is required.

    ActionDescriptionAdminDelegate***Owner
    CopyA message was copied to another folder.YesNoNo
    CreateAn item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that creating, sending, or receiving a message isn’t audited. Also, creating a mailbox folder is not audited.Yes*Yes*Yes
    FolderBindA mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox.Yes*Yes**No
    HardDeleteA message was purged from the Recoverable Items folder.Yes*Yes*Yes
    MailboxLoginThe user signed in to their mailbox.NoNoYes
    MessageBindA message was viewed in the preview pane or opened.YesNoNo
    MoveA message was moved to another folder.Yes*YesYes
    MoveToDeletedItemsA message was deleted and moved to the Deleted Items folder.Yes*YesYes
    SendAsA message was sent using the SendAs permission. This means another user sent the message as though it came from the mailbox owner.Yes*Yes*No
    SendOnBehalfA message was sent using the SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message.Yes*YesNo
    SoftDeleteA message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder.Yes*Yes*Yes
    UpdateA message or its properties was changed.Yes*Yes*Yes
    UpdateCalendarDelegationA calendar delegation was assigned to a mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner’s calendar.Yes*NoYes*
    UpdateFolderPermissionsA folder permission was changed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.Yes*Yes*Yes*

    The following PowerShell example shows adding the MailboxLogin and HardDelete owner actions to a single mailbox. There commands will only work if mailbox auditing has already been enabled on this mailbox.

    Set-Mailbox “John Smith” -AuditOwner @{Add=”MailboxLogin”,”HardDelete”}

    The next example PowerShell shows how to add the MailboxLogin, HardDelete and SoftDelete owner actions to all mailboxes in your organization.

    Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq “UserMailbox”} | Set-Mailbox -AuditOwner @{Add=”MailboxLogin”,”HardDelete”,”SoftDelete”}

    Finally, to confirm that you successfully enabled auditing on a mailbox you can run a PowerShell command to retrieve auditing settings.

    Get-Mailbox “John Smith”| FL Audit*

    To check all users:

    Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq “UserMailbox”} | FL Name,Audit*

    When the result pulls up make sure the AuditEnabled property is showing True.

    How to Disable Mailbox Auditing

    If for some reason you need to disable mailbox auditing on a mail account, you can use the PowerShell command below.

    Set-Mailbox -Identity <identity of mailbox> -AuditEnabled $false

     How to Search Audit Logs

    Once auditing has been enabled, you can log into your Office 365 tenant and go to the Security & Compliance Center. Within this portal you will find an option called Audit Log Search. From there you can find reports like the ones in the screenshot below.

    You will notice that the names of the reports closely match the ones in the Owner Actions table I provided earlier. For a one-to-one comparison of actions to reports, you can use the table below

    Activity in the audit logMailbox auditing action
    Created mailbox itemCreate
    Copied messages to another folderCopy
    User signed in to mailboxMailboxLogin
    Sent message using Send On Behalf permissionsSendOnBehalf
    Purged messages from the mailboxHardDelete
    Moved messages to Deleted Items folderMoveToDeletedItems
    Moved messages to another folderMove
    Sent message using Send As permissionsSendAs
    Updated messageUpdate
    Deleted messages from Deleted Items folderSoftDelete

    Please note that if a user mailbox is not enabled for a specific owner action, then you will unable to run the required report.

    How to Export the Mailbox Audit Log

    1. In the Exchange admin center (EAC), go to Compliance Management > Auditing.
    2. Click Export mailbox audit logs.
    3. Configure the following search criteria for exporting the entries from the mailbox audit log:
      • Start and end dates   Select the date range for the entries to include in the exported file.
      • Mailboxes to search audit log for   Select the mailboxes to retrieve audit log entries for.
      • Type of non-owner access   Select one of the following options to define the type of non-owner access to retrieve entries for:
        • All non-owners   Search for access by administrators and delegated users inside your organization, and by Microsoft datacenter administrators in Exchange Online.
        • External users   Search for access by Microsoft datacenter administrators.
        • Administrators and delegated users   Search for access by administrators and delegated users inside your organization.
        • Administrators   Search for access by administrators in your organization.
      • Recipients   Select the users to send the mailbox audit log to.
    4. Click Export.

    Microsoft Exchange retrieves entries in the mailbox audit log that meet your search criteria, saves them to a file named SearchResult.xml, and then attaches the XML file to an email message sent to the recipients that you specified.

    How to View the Mailbox Audit Log

    1. Sign in to the mailbox where the mailbox audit log was sent.
    2. In the Inbox, open the message with the XML file attachment sent by Microsoft Exchange. Notice that the body of the email message contains the search criteria.
    3. Click the attachment and select to download the XML file.
    4. Open the SearchResult.xml in Microsoft Excel.

    Microsoft Articles

    https://support.office.com/en-us/article/enable-mailbox-auditing-in-office-365-aaca8987-5b62-458b-9882-c28476a66918#ID0EABAAA=Step-by-step_instructions

    https://technet.microsoft.com/library/jj150552(v=exchg.150).aspx

    https://technet.microsoft.com/en-us/library/dd638114(v=exchg.150).aspx

     

    Ready to get started? Contact us today to learn more.

    CONTACT US