Quick Reference Guide

Exchange Online Mailbox Auditing

This quick reference guide shows how to enable logging of access to shared mailboxes
on Exchange Online

Mailbox Audit Logging

Enabling audit logging for a mailbox logs all access to that mailbox by Exchange Online administrators or users
with delegated permissions.
Connect to your Exchange Online server by running the following commands in PowerShell or
Exchange Management Shell (url2open.com/ems) as administrator:
$UserCredential = Get-Credential
$Session = New-PSSession -CongurationName Microsoft.Exchange -ConnectionUri https://outlook.oce365.com/
powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
To enable or disable mailbox audit logging granularly on each
mailbox (recommended), use the Set-Mailbox cmdlet:
To enable audit: Set-Mailbox Identity TestUser -AuditEnabled $true
To disable audit: Set-Mailbox Identity TestUser AuditEnabled $false
To enable audit for all users mailboxes, use this script:

Mailbox Actions
Logged:

$UserMailboxes = Get-mailbox -Filter {(RecipientTypeDetails -eq

'UserMailbox')}
$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

Manage
Mailbox
Audit
via
Management Shell or PowerShell

Exchange

Check whether audit is enabled:

Get-Mailbox | FL Name,AuditEnabled #A value of True for the
AuditEnabled property veries that audit logging is enabled
Retrieve mailbox audit log entries for specied mailbox:
Search-MailboxAuditLog TestUser -LogonTypes Admin,Delegate -ShowDetails
Send all mailbox audit log entries to specied email address:
New-MailboxAuditLogSearch -StatusMailRecipients auditor@test.local
#Note that you will be asked for start and end dates

Manage Mailbox Audit via Exchange Admin

Center (EAC)
Review non-owner access to mailboxes with audit enabled:
Navigate to Compliance Management > Auditing and click Run a
non-owner mailbox access report.
View details about non-owner access to a specic mailbox: Click the
mailbox in the report.
Export mailbox audit logs: Navigate to Compliance Management >
Auditing and click Export mailbox audit logs.

Copy

Create
FolderBind
HardDelete
MessageBind
Move
MoveToDeletedItems
SendAs
SendOnBehalf
SoftDelete
Update

For more details about these actions,

please see url2open.com/mailboxaudit

Assigning the Audit

Logs Role to a User:
By default, only administrators have
access to audit logs.
To grant access to another user, use the
New-ManagementRoleAssignment cmdlet
(url2open.com/nmra).

Gain #completevisibility into changes and non-owner mailbox access in

hybrid cloud IT environments with Netwrix Auditor for Oce 365:
netwrix.com/go/trial-o365
Corporate Headquarters:

Phone: 1-949-407-5125

Int'l: 1-949-407-5125

300 Center Drive, Suite 1100, Irvine, CA 92618

Toll-free: 888-638-9749

EMEA: 44 (0) 203-318-0261

netwrix.com/social