Enable mailbox auditing in Office 365

In Office 365, you can turn on mailbox audit logging to log mailbox access by mailbox owners, delegates, and administrators. By default, mailbox auditing in Office 365 isn’t turned on. That means mailbox auditing events won't appear in the results when you search the Office 365 audit log for mailbox activity. But after you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. To log (and then search for) additional actions, see Step 3.

Step 1: Connect to Exchange Online PowerShell

Step 2: Enable mailbox audit logging

Step 3: Specify owner actions to audit

How do you know this worked?

To learn more, see Mailbox audit logging

Step 1: Connect to Exchange Online PowerShell

On your local computer, open Windows PowerShell and run the following command.


                          $UserCredential = Get-Credential

In the Windows PowerShell Credential Request dialog box, type user name and password for an Office 365 global admin account, and then click OK.

Run the following command.


                          $Session = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential –Authentication Basic -AllowRedirection

Run the following command.


                          Import-PSSession $Session

To verify that you’re connected to your Exchange Online organization, run the following command to get a list of all the mailboxes in your organization.


                          Get-Mailbox

For more information or if you have problems connecting to your Exchange Online organization, see Connect to Exchange Online using remote PowerShell.

Return to top

Step 2: Enable mailbox audit logging

After you connect to your Exchange Online organization, use PowerShell to enable mailbox audit logging for a mailbox. Alternatively, you can enable mailbox auditing for all mailboxes in your organization.

This example enables mailbox audit logging for Pilar Pinilla’s mailbox.


                      Set-Mailbox -Identity "Pilar Pinilla" -AuditEnabled $true

This example enables mailbox audit logging for all user mailboxes in your organization.


                      Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

Return to top

Step 3: Specify owner actions to audit

When you enable auditing for a mailbox, only one action (UpdateFolderPermissions) performed by the mailbox owner is audited by default. You have to specify other owner actions to audit. See the table in the "Mailbox actions" section for a list and description of owner actions that can be audited.

This example adds the MailboxLogin and HardDelete owner actions to mailbox auditing for Pilar Pinilla's mailbox. This example assumes that mailbox auditing has already been enabled for this mailbox.


                      Set-Mailbox "Pilar Pinilla" -AuditOwner @{Add="MailboxLogin","HardDelete"}

This example enables mailbox audit logging for Don Hall's mailbox and specifies that only the MailboxLogin action performed by the mailbox owner will be logged. Note that this example overwrites the default UpdateFolderPermissions action.


                      Set-Mailbox "Don Hall" -AuditEnabled $true -AuditOwner MailboxLogin

This example adds the MailboxLogin, HardDelete, and SoftDelete owner actions to all mailboxes in the organization. This example assumes that mailbox auditing has already been enabled for all mailboxes.


                      Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditOwner @{Add="MailboxLogin","HardDelete","SoftDelete"}

Return to top

How do you know this worked?

To verify that you have successfully enabled mailbox audit logging for a mailbox, use the Get-Mailbox cmdlet to retrieve the auditing settings for that mailbox.

This example retrieves the auditing settings for Pilar Pinilla.


                      Get-Mailbox "Pilar Pinilla"| FL Audit*

This example retrieves the auditing settings for all user mailboxes in your organization.


                      Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | FL Name,Audit*

A value of True for the AuditEnabled property verifies that mailbox audit logging is enabled.

Return to top

After you enable mailbox audit logging for a mailbox, access to the mailbox and certain admin and delegate actions are logged by default. To log actions taken by the mailbox owner, you must specify which owner actions to audit. See the "More info" section to see a list of actions that are logged after mailbox audit logging is enabled, and which actions are available for each type of user logon.
You have to use Exchange Online PowerShell to enable mailbox audit logging. You can't use the Office 365 Security & Compliance Center or the Exchange admin center.
An administrator who has been assigned the Full Access permission to a user's mailbox is considered a delegate user.

The following table lists the actions that can be logged by mailbox audit logging. The table includes which action can be logged for the different user logon types. In the table, a No indicates that an action can't be logged for that logon type. An asterisk (*) indicates that the action is logged by default when mailbox audit logging is enabled for the mailbox. As previously stated, the only owner action audited by default when you turn on mailbox auditing is UpdateFolderPermissions. To log other actions taken by the mailbox owner, you must specify additional owner actions to audit. To do this, see Step 3 in the "Step-by-step instructions" section in this topic.

Action	Description	Admin	Delegate***	Owner
Copy	A message was copied to another folder.	Yes	No	No
Create	An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder is not audited.	Yes*	Yes*	Yes
FolderBind	A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox.	Yes*	Yes**	No
HardDelete	A message was purged from the Recoverable Items folder.	Yes*	Yes*	Yes
MailboxLogin	The user signed in to their mailbox.	No	No	Yes
MessageBind	A message was viewed in the preview pane or opened.	Yes	No	No
Move	A message was moved to another folder.	Yes*	Yes	Yes
MoveToDeletedItems	A message was deleted and moved to the Deleted Items folder.	Yes*	Yes	Yes
SendAs	A message was sent using the SendAs permission. This means another user sent the message as though it came from the mailbox owner.	Yes*	Yes*	No
SendOnBehalf	A message was sent using the SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message.	Yes*	Yes	No
SoftDelete	A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder.	Yes*	Yes*	Yes
Update	A message or its properties was changed.	Yes*	Yes*	Yes
UpdateCalendarDelegation	A calendar delegation was assigned to a mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar.	Yes*	No	Yes*
UpdateFolderPermissions	A folder permission was changed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.	Yes*	Yes*	Yes*

Notes:

^* Audited by default if auditing is enabled for a mailbox.
^** Entries for folder bind actions performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of 24 hours.
^*** An administrator who has been assigned the Full Access permission to a user's mailbox is considered a delegate user.

If you no longer require certain types of mailbox actions to be audited, you should modify the mailbox's audit logging configuration to disable those actions. Existing log entries aren't purged until the 90-day age limit for audit log entries is reached.

Use the Office 365 audit log to search for mailbox activity that have been logged. You can search for activity for a specific user mailbox. The following screenshot shows a list of mailbox activities that you can search for in the Office 365 audit log. Note that these activities are the same actions that are described in the "Mailbox auditing actions" section in this topic.

You can search the Office 365 audit log for mailbox audit actions by selecting "Exchange mailbox activities" in Activities drop-down list

The following table describes each mailbox activity that you can search for and shows the corresponding mailbox auditing action.

Activity in the audit log	Mailbox auditing action
Created mailbox item	Create
Copied messages to another folder	Copy
User signed in to mailbox	MailboxLogin
Sent message using Send On Behalf permissions	SendOnBehalf
Purged messages from the mailbox	HardDelete
Moved messages to Deleted Items folder	MoveToDeletedItems
Moved messages to another folder	Move
Sent message using Send As permissions	SendAs
Updated message	Update
Deleted messages from Deleted Items folder	SoftDelete

Note that the Added delegate mailbox permissions and Removed delegate mailbox permissions activities shown in the previous screenshot aren't related to mailbox auditing actions. They indicate whether an administrator assigned or removed the FullAccess mailbox permission.

For information about the Office 365 audit log, see Search the audit log in the Office 365 Security & Compliance Center.

Mailboxes are considered to be accessed by an administrator only in the following scenarios:
- In-Place eDiscovery in Exchange Online or Content Search in Office 365 is used to search a mailbox.
- Microsoft Exchange Server MAPI Editor is used to access the mailbox.
When you enable audit logging for a mailbox, you can also specify which user actions (for example, accessing, moving, or deleting a message) will be logged for each logon type (admin, delegate, or owner).

To disable mailbox audit logging, run the following command:


                        Set-Mailbox -Identity <identity of mailbox> -AuditEnabled $false

The actions that are audited for each type of user aren't displayed when you run the Get-Mailbox cmdlet. But you can run the following commands to display all the audited actions for a specific user logon type.


                        Get-Mailbox <identity of mailbox> | Select-Object -ExpandProperty AuditAdmin


                        Get-Mailbox <identity of mailbox> | Select-Object -ExpandProperty AuditDelegate


                        Get-Mailbox <identity of mailbox> | Select-Object -ExpandProperty AuditOwner

You can also export a mailbox audit log and specify the entries to include for one or more users. Each entry in the report and the audit log includes information about who performed the action and when, the action performed , and whether the action was successful. For more information, see Export mailbox audit logs.

Enable mailbox auditing in Office 365

Step 1: Connect to Exchange Online PowerShell

Step 2: Enable mailbox audit logging

Step 3: Specify owner actions to audit

How do you know this worked?

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.