Post date: May 01, 2015 10:29:32 AM
Many organisations have strict compliance rules around who can access which mailboxes. Some companies are even required to regularly audit the times and dates at which someone has read another person's email. In fact, many years ago in one of my roles at a financial organisation, every access to another person's mailbox was logged and had to be justified with a helpdesk ticket number!
Office 365 can monitor and record this type of access, but it is disabled by default: you have to specifically enable auditing on the mailboxes you care about.
There is currently no way to enable mailbox auditing in Office 365 through the administrative portal, so you'll have to connect to Office 365 using PowerShell.
Once you’re connected, you can enable auditing for a single user by running the following cmdlet:
Set-Mailbox user@domain.com -AuditEnabled $true
Likewise, you can disable auditing like this:
Set-Mailbox user@domain.com -AuditEnabled $false
If you want to enable mailbox auditing for every one of your Office 365 users, you can run the following. It enables mailbox auditing for all users with a mailbox (but not for shared or resource mailboxes). -ResultSize Unlimited is needed because Get-Mailbox otherwise returns at most 1000 mailboxes, so in a larger tenant the remaining mailboxes would be silently skipped:
Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}
Note: a mailbox created some time after you run this cmdlet will receive the default state, auditing disabled, so the command has to be run again for it to be covered.
We can use the Get-Mailbox cmdlet to create a report of which mailboxes have auditing enabled and which do not.
Simply run the following and you will see the output in table form:
PS C:\Users\burns_000\Desktop> get-mailbox | select UserPrincipalName,auditenabled,AuditDelegate,AuditAdmin

UserPrincipalName               AuditEnabled AuditDelegate                  AuditAdmin
-----------------               ------------ -------------                  ----------
adelle@alantest5.onmicroso...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
adria@alantest5.onmicrosof...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
agustina@alantest5.onmicro...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
ahmad@alantest5.onmicrosof...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
alan@alantest5.onmicrosoft...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
alejandra@alantest5.onmicr...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
alena@alantest5.onmicrosof...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
alida@alantest5.onmicrosof...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
aline@alantest5.onmicrosof...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
alishia@alantest5.onmicros...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
althea@alantest5.onmicroso...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
amberly@alantest5.onmicros...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
america@alantest5.onmicros...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
anamaria@alantest5.onmicro...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
andra@alantest5.onmicrosof...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
aracelis@alantest5.onmicro...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
ardella@alantest5.onmicros...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
ariane@alantest5.onmicroso...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
arla@alantest5.onmicrosoft...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
arnita@alantest5.onmicroso...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
art@alantest5.onmicrosoft.com   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
ben@alantest5.onmicrosoft.com   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
chris@alantest5.onmicrosof...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
cynthia@alantest5.onmicros...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
david@alantest5.onmicrosof...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
DiscoverySearchMailbox{D91...   False        {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
melissa@alantest5.onmicros...   True         {Update, SoftDelete, HardD...  {Update, Move, MoveToDelet...
You can also filter to view only those mailboxes that do not have auditing enabled:
PS C:\Users\burns_000\Desktop> get-mailbox -filter {AuditEnabled -eq $false} | select UserPrincipalName,auditenabled,AuditDelegate

UserPrincipalName                        AuditEnabled AuditDelegate
-----------------                        ------------ -------------
DiscoverySearchMailbox{D919BA05-46A6...  False        {Update, SoftDelete, HardDelete, Sen...
ahmad@alantest5.onmicrosoft.com          False        {Update, SoftDelete, HardDelete, Sen...
ben@alantest5.onmicrosoft.com            False        {Update, SoftDelete, HardDelete, Sen...
adelle@alantest5.onmicrosoft.com         False        {Update, SoftDelete, HardDelete, Sen...
You can also change the filter from {AuditEnabled -eq $false} to {AuditEnabled -eq $true} if you want a list of all Office 365 mailboxes that have auditing enabled.
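The bulk-enable one-liner and the coverage report above are usually combined into one script that is run on a schedule, so that mailboxes created after the first run do not stay at the default of auditing disabled. The script below is an added example, not code from the original post: it assumes an existing Exchange Online remote PowerShell session (Get-Mailbox and Set-Mailbox available), and the -ReportOnly switch and $ReportPath are names chosen for this example.

```powershell
# Added example (not from the original post): report which user mailboxes still have
# audit logging disabled and, unless -ReportOnly is given, enable it on each of them.
# Assumes an existing remote PowerShell session to Exchange Online.
param(
    [switch]$ReportOnly,                                   # example's own switch
    [string]$ReportPath = ".\MailboxAuditCoverage.csv"     # example's own default
)

# -ResultSize Unlimited: Get-Mailbox returns at most 1000 objects by default, so a
# bulk change without it silently skips mailboxes in larger tenants.
# Only ordinary user mailboxes are in scope; shared and resource mailboxes are not,
# matching the filter used in the post.
$userMailboxes = @(Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq 'UserMailbox' })

# Coverage report: one row per mailbox with its current audit settings.
$userMailboxes |
    Select-Object UserPrincipalName, AuditEnabled,
        @{ Name = 'AuditDelegate'; Expression = { $_.AuditDelegate -join ';' } },
        @{ Name = 'AuditAdmin';    Expression = { $_.AuditAdmin    -join ';' } } |
    Export-Csv -Path $ReportPath -NoTypeInformation

$unaudited = @($userMailboxes | Where-Object { -not $_.AuditEnabled })
Write-Host ("{0} of {1} user mailboxes have auditing disabled" -f $unaudited.Count, $userMailboxes.Count)

if ($ReportOnly) { return }

# Remediate drift: enable auditing only where it is off. -AuditEnabled $true leaves the
# mailbox's existing AuditDelegate / AuditAdmin action lists unchanged.
foreach ($mbx in $unaudited) {
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true
    Write-Host "Enabled mailbox auditing on $($mbx.UserPrincipalName)"
}
```

Run it with -ReportOnly first to see which mailboxes would be changed; the CSV gives the evidence of coverage that an auditor typically asks for, and the remediation loop is idempotent, so scheduling it is safe.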
A common misconception is that enabling mailbox audit logging records every mailbox access. This is not the case, as you can see by the table below!
If you want to audit these additional events, you need to specify them explicitly when you enable auditing. Unfortunately you can't specify all actions for delegates: MessageBind is rejected for delegates, as you can see from this PowerShell error, although it is accepted for Admins.
PS C:\Users\burns_000\Desktop> Set-Mailbox ben -AuditEnabled $false -AuditDelegate MessageBind
Invalid audit operation specified. Supported audit operations for Delegate are None, Create, FolderBind, SendAs, SendOnBehalf, SoftDelete, HardDelete, Update, Move, and MoveToDeletedItems.
    + CategoryInfo          : NotSpecified: (Microsoft.Excha...asks.SetMailbox:SetMailbox) [], RecipientTaskException
    + FullyQualifiedErrorId : [Server=DB3PR05MB123,RequestId=00000000-0000-0000-0000-000000000000,TimeStamp=26/06/2013 15:16:42] 7D1AF0B5
    + PSComputerName        : pod51049psh.outlook.com

PS C:\Users\burns_000\Desktop> Set-Mailbox ben -AuditEnabled $false -AuditAdmin MessageBind
PS C:\Users\burns_000\Desktop>
The AuditDelegate and AuditAdmin settings control which actions are audited when, respectively, a delegate or an administrator accesses another person's mailbox.
For example, you may not care much if a CEO's personal assistant reads their boss's email, as that is their job. You wouldn't want to audit common tasks such as replying to emails on behalf of the boss, since that would fill up the audit log quickly. You may, however, be interested to see whether the PA is deleting any messages.
It is a different story if your Exchange administrators are logging in to people's mailboxes and moving messages around. This is something you probably DO want to audit.
You can use the -AuditDelegate and -AuditAdmin parameters of Set-Mailbox to set these different auditing levels.
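The PA-versus-administrator scenario above, written out as an added example rather than code from the original post. It assumes an Exchange Online remote PowerShell session; the mailbox address is a placeholder. The delegate action names are the ones listed in the Set-Mailbox error shown earlier, and MessageBind is only given to -AuditAdmin because the same error shows it is not accepted for delegates.

```powershell
# Added example (not from the original post): different audited actions for delegates
# and administrators on one mailbox. Assumes an Exchange Online remote PowerShell session.
$Mailbox = 'ceo@example.com'   # placeholder, not a real mailbox

# Delegate (e.g. a personal assistant): reading and replying on the boss's behalf is the
# job, so record only the destructive and impersonation-style actions.
$delegateActions = @('SoftDelete', 'HardDelete', 'SendAs')

# Administrator: nobody should be in this mailbox routinely, so record every available
# action, including MessageBind (message read) and message moves.
$adminActions = @('Update', 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete',
                  'FolderBind', 'SendAs', 'SendOnBehalf', 'MessageBind', 'Create')

Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditDelegate $delegateActions `
    -AuditAdmin $adminActions

# Verify what is now being recorded for this mailbox (the lists are shown joined so
# they are not truncated the way the default table view truncates them).
Get-Mailbox -Identity $Mailbox |
    Select-Object UserPrincipalName, AuditEnabled,
        @{ Name = 'AuditDelegate'; Expression = { $_.AuditDelegate -join ', ' } },
        @{ Name = 'AuditAdmin';    Expression = { $_.AuditAdmin    -join ', ' } }
```

Passing an array to -AuditDelegate or -AuditAdmin replaces the mailbox's current list for that role rather than appending to it, so state the full set you want each time.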