Enable mailbox auditing in Office 365

In Office 365, you can turn on mailbox audit logging to log mailbox access by mailbox owners, delegates, and administrators. By default, mailbox auditing in Office 365 isn’t turned on. That means mailbox auditing events won't appear in the results when you search the Office 365 audit log for mailbox activity. But after you turn on mailbox audit logging for a mailbox, you can search the Office 365 audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, actions performed by administrators and delegates are logged by default. However, actions performed by the mailbox owner aren't audited by default. To log (and then search for) actions performed by mailbox owners, you have to specify the owner actions to audit (see Step 3).

To learn more, see Mailbox audit logging

Step 1: Connect to Exchange Online PowerShell

  1. On your local computer, open Windows PowerShell and run the following command.

    $UserCredential = Get-Credential

    In the Windows PowerShell Credential Request dialog box, type the user name and password for an Office 365 global admin account, and then click OK.

  2. Run the following command.

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

  3. Run the following command.

    Import-PSSession $Session

  4. To verify that you’re connected to your Exchange Online organization, run the following command to get a list of all the mailboxes in your organization.

    Get-Mailbox

For more information or if you have problems connecting to your Exchange Online organization, see Connect to Exchange Online using remote PowerShell.

Step 2: Enable mailbox audit logging

After you connect to your Exchange Online organization, use PowerShell to enable mailbox audit logging for a mailbox. Alternatively, you can enable mailbox auditing for all mailboxes in your organization.

This example enables mailbox audit logging for Pilar Pinilla’s mailbox.

Set-Mailbox -Identity "Pilar Pinilla" -AuditEnabled $true

This example enables mailbox audit logging for all user mailboxes in your organization.

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

Step 3: Specify owner actions to audit

When you enable auditing for a mailbox, actions performed by the mailbox owner aren't audited by default. You have to specify which owner actions to audit. See the table in the "Mailbox actions" section for a list and description of owner actions that can be audited.

This example specifies that the MailboxLogin and HardDelete actions performed by the mailbox owner will be logged for Pilar Pinilla's mailbox. This example assumes that mailbox audit logging has already been enabled for this mailbox.

Set-Mailbox "Pilar Pinilla" -AuditOwner MailboxLogin,HardDelete

This example enables mailbox audit logging for Don Hall's mailbox and specifies that only the MailboxLogin action performed by the mailbox owner will be logged.

Set-Mailbox "Don Hall" -AuditEnabled $true -AuditOwner MailboxLogin

This example specifies that the MailboxLogin, HardDelete, and SoftDelete actions performed by the mailbox owner will be logged for all mailboxes in the organization. This example assumes that mailbox audit logging has already been enabled for all mailboxes.

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditOwner MailboxLogin,HardDelete,SoftDelete

How do you know this worked?

To verify that you have successfully enabled mailbox audit logging for a mailbox, use the Get-Mailbox cmdlet to retrieve the auditing settings for that mailbox.

This example retrieves the auditing settings for Pilar Pinilla.

Get-Mailbox "Pilar Pinilla" | FL Audit*

This example retrieves the auditing settings for all user mailboxes in your organization.

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | FL Name,Audit*

A value of True for the AuditEnabled property verifies that mailbox audit logging is enabled.

  • After you enable mailbox audit logging for a mailbox, access to the mailbox and certain admin and delegate actions are logged by default. To log actions taken by the mailbox owner, you must specify which owner actions to audit. See the "More info" section to see a list of actions that are logged after mailbox audit logging is enabled, and which actions are available for each type of user logon.

  • You have to use Exchange Online PowerShell to enable mailbox audit logging. You can't use the Office 365 Security & Compliance Center or the Exchange admin center.

  • An administrator who has been assigned the Full Access permission to a user's mailbox is considered a delegate user.

The following table lists the actions that can be logged by mailbox audit logging. The table includes which action can be logged for the different user logon types. In the table, a No indicates that an action can't be logged for that logon type. An asterisk (*) indicates that the action is logged by default when mailbox audit logging is enabled for the mailbox. As previously stated, no owner actions are audited by default when you turn on mailbox auditing. To log actions taken by the mailbox owner, you must specify which owner actions to audit. To do this, see Step 3 in the "Step-by-step instructions" section in this topic.

| Action | Description | Admin | Delegate*** | Owner |
|---|---|---|---|---|
| Copy | A message was copied to another folder. | Yes | No | No |
| Create | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder is not audited. | Yes* | Yes* | Yes |
| FolderBind | A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox. | Yes* | Yes** | No |
| HardDelete | A message was purged from the Recoverable Items folder. | Yes* | Yes* | Yes |
| MailboxLogin | The user signed in to their mailbox. | No | No | Yes |
| MessageBind | A message was viewed in the preview pane or opened. | Yes | No | No |
| Move | A message was moved to another folder. | Yes* | Yes | Yes |
| MoveToDeletedItems | A message was deleted and moved to the Deleted Items folder. | Yes* | Yes | Yes |
| SendAs | A message was sent using the SendAs permission. This means another user sent the message as though it came from the mailbox owner. | Yes* | Yes* | No |
| SendOnBehalf | A message was sent using the SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message. | Yes* | Yes | No |
| SoftDelete | A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder. | Yes* | Yes* | Yes |
| Update | A message or its properties was changed. | Yes* | Yes* | Yes |

Notes: 

  • *  Audited by default if auditing is enabled for a mailbox.

  • **  Entries for folder bind actions performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of 24 hours.

  • ***  An administrator who has been assigned the Full Access permission to a user's mailbox is considered a delegate user.

If you no longer require certain types of mailbox actions to be audited, you should modify the mailbox's audit logging configuration to disable those actions. Existing log entries aren't purged until the 90-day age limit for audit log entries is reached.

  • Use the Office 365 audit log to search for mailbox activity that has been logged. You can search for activity for a specific user mailbox. The following screenshot shows a list of mailbox activities that you can search for in the Office 365 audit log. Note that these activities are the same actions that are described in the "Mailbox auditing actions" section in this topic.

    You can search the Office 365 audit log for mailbox audit actions by selecting "Exchange mailbox activities" in the Activities drop-down list

    The following table describes each mailbox activity that you can search for and shows the corresponding mailbox auditing action.

    | Activity in the audit log | Mailbox auditing action |
    |---|---|
    | Created mailbox item | Create |
    | Copied messages to another folder | Copy |
    | User signed in to mailbox | MailboxLogin |
    | Sent message using Send On Behalf permissions | SendOnBehalf |
    | Purged messages from the mailbox | HardDelete |
    | Moved messages to Deleted Items folder | MoveToDeletedItems |
    | Moved messages to another folder | Move |
    | Sent message using Send As permissions | SendAs |
    | Updated message | Update |
    | Deleted messages from Deleted Items folder | SoftDelete |

    Note that the Added delegate mailbox permissions and Removed delegate mailbox permissions activities shown in the previous screenshot aren't related to mailbox auditing actions. They indicate whether an administrator assigned or removed the FullAccess mailbox permission.

    For information about the Office 365 audit log, see Search the audit log in the Office 365 Security & Compliance Center.

  • Mailboxes are considered to be accessed by an administrator only in the following scenarios:

  • When you enable audit logging for a mailbox, you can also specify which user actions (for example, accessing, moving, or deleting a message) will be logged for each logon type (admin, delegate, or owner).

  • To disable mailbox audit logging, run the following command:

    Set-Mailbox -Identity <identity of mailbox> -AuditEnabled $false

  • The actions that are audited for each type of user aren't displayed when you run the Get-Mailbox cmdlet. But you can run the following commands to display all the audited actions for a specific user logon type.

    Get-Mailbox <identity of mailbox> | Select-Object -ExpandProperty AuditAdmin
    
    Get-Mailbox <identity of mailbox> | Select-Object -ExpandProperty AuditDelegate
    
    Get-Mailbox <identity of mailbox> | Select-Object -ExpandProperty AuditOwner
    
  • You can also export a mailbox audit log and specify the entries to include for one or more users. Each entry in the report and the audit log includes information about who performed the action and when, the action performed, and whether the action was successful. For more information, see Export mailbox audit logs.
