Manage Mailbox Audit using PowerShell | Office 365

In this article, we review the various aspects of the “Exchange Online Audit option” using PowerShell commands.

PowerShell | Help & additional information

Running PowerShell commands in Office 365 based environment
To run the PowerShell commands specified in this article, you need to create a remote PowerShell session to Azure Active Directory or Exchange Online. If you need help with creating a remote PowerShell session, you can use the links at the bottom of the article.

Basic information about the Exchange Audit option

The Exchange Online Audit feature is a very powerful tool that gives us detailed information about each of the “actions” performed in a specific Exchange mailbox.

The Audit information is saved in a dedicated log file that is stored in the mailbox (the log file is hidden from the mailbox owner).

The Exchange Audit mailbox option is not “activated” by default.
The most common use of the Exchange Online Audit option is a scenario in which “something strange” is happening to a particular user mailbox. For example, mail or calendar meetings that are deleted without the knowledge of the user (the mailbox owner), mail items that are relocated to a different folder and so on.

In this type of scenario, to understand what is going on “behind the scenes”, we need to monitor each of the “events” related to the specific Exchange mailbox. The information stored in the Exchange Audit log enables us to see exactly which actions were performed, and by whom.

Exchange Online supports four types of Audit options:

1. Mailbox Owner Audit (AuditOwner)

This type of Audit “records” the different operations that the mailbox owner performs, such as mail item deletion (including the different types of deletion, Soft Delete and Hard Delete), creation of mail items, movement of mail items, updating existing mail items and more.

2. Non-Owner (delegate) Audit (AuditDelegate)

This type of Audit is relevant in a scenario in which “other users” have permissions to a specific user mailbox. The “other” users are defined as delegates.

The audit information includes the same operations as AuditOwner and, in addition, other operations such as an event in which the delegate uses SendAs.

3. Admin Audit (AuditAdmin)

This type of Audit records “actions” that the Exchange Online Administrator performs directly on the particular user mailbox. For example, a scenario in which the Exchange Administrator uses PowerShell commands that search for and delete e-mail items from the user mailbox.

4. Office 365 Admin Audit (Search-AdminAuditLog)

This is a special Audit log that is enabled by default for Office 365 customers. The purpose of this Audit is to record each of the “Administrative actions” that are performed by the Exchange Online Administrator. For example, actions such as assigning Full Access permissions on a specific user mailbox to “other users”, assigning Send As permission, adding or removing an e-mail address and so on.

Using the Exchange Online Audit option

Using the Exchange Online Audit can be a little confusing. For this reason, it is important to understand the exact “flow” of actions for activating the Audit and using the Audit information.

  • Phase 1#3 – in this phase, we “Turn on” the Exchange “Audit flag” for a particular mailbox
  • Phase 2#3 – in this phase, we define the specific “actions” that we want to audit, such as deletion of mail items and so on. If you need more information about the specific “actions” that we can define for each of the different Audit types, you can use the table that I added at the bottom of the current article.
  • Phase 3#3 – in this phase, we “read” the Exchange Audit log. Technically, we use a PowerShell command that displays the Audit log content on the PowerShell console, but from my experience, it is not so easy to read the information this way.

The recommendation is to export the Audit log information to a file in a format such as CSV or HTML, which makes it easier to understand the information from the Exchange Audit log, sort the information, filter by specific “actions” and so on.

Later in the article, I will provide some examples of how to export Audit log information to a CSV file and to an HTML file that uses a CSS style to display the information in a prettier manner.
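The three phases for a single mailbox, ending with the recommended CSV export, as an added example that is not the author's script. It assumes an Exchange Online remote PowerShell session is already open; the mailbox address, output path, 30-day window and column selection are placeholders chosen for illustration.

```powershell
# Added example, not from the original article.
# Assumes an Exchange Online remote PowerShell session is already open.
$Mailbox = 'user@contoso.example'            # placeholder mailbox
$OutFile = 'C:\INFO\user-mailbox-audit.csv'  # placeholder path; folder must exist

# Phase 1 - turn on the audit flag for the mailbox.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true

# Phase 2 - choose the actions recorded for each audit type.
# Every action used here is listed as auditable for that type in the article's table.
$Actions = @{
    AuditOwner    = 'HardDelete', 'SoftDelete', 'MoveToDeletedItems', 'Move', 'Update'
    AuditDelegate = 'HardDelete', 'SoftDelete', 'MoveToDeletedItems', 'Move',
                    'SendAs', 'SendOnBehalf', 'FolderBind'
    AuditAdmin    = 'HardDelete', 'SoftDelete', 'MoveToDeletedItems', 'Move',
                    'Copy', 'MessageBind', 'FolderBind'
}
Set-Mailbox -Identity $Mailbox @Actions

# Confirm the settings before relying on the log.
Get-Mailbox -Identity $Mailbox |
    Format-List Name, AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin

# Phase 3 - read the log for the last 30 days.
# -ShowDetails returns individual entries and is required to get Owner entries.
$Search = @{
    Identity    = $Mailbox
    LogonTypes  = 'Owner', 'Delegate', 'Admin'
    StartDate   = (Get-Date).AddDays(-30)
    EndDate     = (Get-Date)
    ShowDetails = $true
    ResultSize  = 10000
}
$Entries = Search-MailboxAuditLog @Search

if ($Entries) {
    # Keep the columns that answer "who did what, from where, to which item".
    $Entries | Sort-Object LastAccessed |
        Select-Object LastAccessed, Operation, OperationResult, LogonType,
                      LogonUserDisplayName, ClientIPAddress, ClientInfoString,
                      FolderPathName, SourceItemSubjectsList |
        Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
} else {
    Write-Warning "No audit entries found for $Mailbox in the last 30 days."
}
```

Only actions performed after Phase 1 and Phase 2 are recorded, so an empty result right after enabling the audit is expected.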

Enable Audit on Exchange Mailbox + Activate the Specific Audit option

Enable Audit on Exchange mailbox

PowerShell command syntax

PowerShell command example

Enable Audit on ALL Mailboxes (Bulk Mode)

PowerShell command example

Enable Owner Audit on Exchange mailbox

PowerShell command syntax

PowerShell command example

Enable Non-Owner (delegate) Audit on Exchange mailbox

PowerShell command syntax

PowerShell command example

Enable Admin Audit on Exchange mailbox

PowerShell command syntax

PowerShell command example


View Exchange mailbox Audit settings

View the Audit setting of Exchange mailbox

PowerShell command syntax

PowerShell command example

PowerShell console output example

View Audit parameters of – AuditOwner (expand)

PowerShell command example

PowerShell console output example

View Audit parameters of – AuditAdmin (expand)

PowerShell command example

PowerShell console output example


View Audit log information

View Audit log information | All the Audit Types

PowerShell command syntax

PowerShell command example

PowerShell console output example

Display mailboxes which have Audit enabled

PowerShell command example

PowerShell console output example


Export Audit Log information to a file | CSV

Export All Audit types log to a CSV file

PowerShell command syntax

PowerShell command example

Export Audit information about specific event | Deletion event

PowerShell command syntax

PowerShell command example

Export Delegate + Owner + Admin log to a file filter the result by a specific date range | Last 30 days

PowerShell command example

Export Office 365 portal admin Audit log

PowerShell command example

Export Office 365 admin Audit log for a specific PowerShell cmdlet

PowerShell command example

Export Office 365 portal admin Audit log for “Admin actions” that was performed on a specific mailbox

PowerShell command example
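One way to pull the Office 365 admin audit records for administrative actions on one mailbox (Full Access, Send As and e-mail address changes) into a CSV file, as an added example that is not the author's script. It assumes an open Exchange Online session; the mailbox name, output path, 30-day window and the chosen cmdlet list are placeholders for illustration.

```powershell
# Added example, not from the original article.
# Assumes an Exchange Online remote PowerShell session is already open.
$Mailbox = 'user'                            # placeholder; must match how the mailbox is recorded in ObjectModified
$OutFile = 'C:\INFO\user-admin-actions.csv'  # placeholder path; folder must exist

# Cmdlets behind the administrative actions named in the article:
# Full Access (Add-/Remove-MailboxPermission), Send As (Add-/Remove-RecipientPermission)
# and e-mail address changes (Set-Mailbox).
$Search = @{
    Cmdlets    = 'Add-MailboxPermission', 'Remove-MailboxPermission',
                 'Add-RecipientPermission', 'Remove-RecipientPermission', 'Set-Mailbox'
    ObjectIds  = $Mailbox
    StartDate  = (Get-Date).AddDays(-30)
    EndDate    = (Get-Date)
    ResultSize = 5000
}

Search-AdminAuditLog @Search |
    Sort-Object RunDate |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded,
        @{ Name = 'Parameters'; Expression = {
            # CmdletParameters is a list of Name/Value pairs; flatten it into one CSV cell.
            ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        } } |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

The Caller and Parameters columns together show who granted which right to whom, which is the first thing to check when unexpected delegate activity appears in a mailbox audit log.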

Disable Audit

Disable Audit on Exchange mailbox

PowerShell command syntax

PowerShell command example

Disable Audit on ALL Mailboxes (Bulk Mode)

PowerShell command example

Additional Exchange Audit options

View information about the “Audit folder” (the Audit log store)

PowerShell command example

Enable Mailbox Audit Bypass Association

PowerShell command example

Set Audit retention – number of days

PowerShell command syntax

PowerShell command example

Export Audit log information to an HTML file using CSS style

In the following section, I provide more complex PowerShell syntax than the previous PowerShell command examples.
To successfully use and execute this PowerShell script example, I recommend the following tips:

Tip 1#2 – Running the PowerShell script by using PowerShell ISE

Theoretically, you can copy the PowerShell code and paste it into the PowerShell console.
It’s logical to assume that you will encounter many problems, because the “PowerShell console” cannot handle “complicated” PowerShell code that includes spaces, remarks and so on.

To work efficiently and easily with the attached PowerShell code, I strongly recommend using the graphical version of Windows PowerShell named ISE (Windows PowerShell Integrated Scripting Environment).
The PowerShell ISE should be installed by default on a modern Windows OS, or you can download an updated PowerShell version that includes the PowerShell ISE tool.

Tip 2#2 – using the attached Menu based PowerShell script

If you would like to avoid “manual typing” of the PowerShell commands, at the bottom of the article you can find a link to a menu-based PowerShell script that I wrote to simplify the task of connecting to Exchange Online using remote PowerShell and using most of the PowerShell commands that appear in the article.

Export Audit log information to an HTML file | Specific Exchange mailbox

PowerShell command example

Export Audit information on ALL Mailboxes (Bulk Mode)

The following PowerShell script will run a “loop” on all existing Exchange Online mailboxes (Bulk mode), and for each Exchange Online mailbox get the following Audit information:

  • Owner Audit
  • Delegate Audit
  • Admin Audit

The PowerShell script will perform the following tasks:

  • The information will be exported to two file formats: CSV and HTML.
  • The script is configured to store the exported files in the following path: C:\INFO\Audit Report
  • A separate folder will be created for each of the Exchange Online recipients.
  • The folder name will be the Exchange recipient Alias name.

PowerShell command example
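A sketch of the bulk export described above, as an added example that is not the author's script. It assumes an open Exchange Online session; the output path is the one stated in the article, while the 30-day window, the CSS, the column selection and the file names are assumptions made for illustration.

```powershell
# Added example, not from the original article.
# Assumes an Exchange Online remote PowerShell session is already open.
$Root    = 'C:\INFO\Audit Report'      # path stated in the article
$Start   = (Get-Date).AddDays(-30)     # assumed reporting window
$Css     = '<style>table{border-collapse:collapse;font-family:Segoe UI,Arial}' +
           'th{background:#1f4e79;color:#fff}th,td{border:1px solid #999;padding:4px 8px}</style>'
$Columns = 'LastAccessed', 'Operation', 'OperationResult', 'LogonType', 'LogonUserDisplayName',
           'ClientIPAddress', 'FolderPathName', 'SourceItemSubjectsList'

foreach ($Mbx in Get-Mailbox -ResultSize Unlimited) {
    # One folder per recipient, named after the recipient's alias.
    $Dir = Join-Path $Root $Mbx.Alias
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null

    foreach ($Type in 'Owner', 'Delegate', 'Admin') {
        $Rows = Search-MailboxAuditLog -Identity $Mbx.PrimarySmtpAddress.ToString() `
                    -LogonTypes $Type -StartDate $Start -EndDate (Get-Date) `
                    -ShowDetails -ResultSize 10000 |
                Select-Object $Columns
        if (-not $Rows) { continue }   # write no files for an empty result

        $Rows | Export-Csv -Path (Join-Path $Dir "$Type Audit.csv") -NoTypeInformation -Encoding UTF8

        # ConvertTo-Html encodes the cell values; the heading is encoded explicitly.
        $Title = [System.Net.WebUtility]::HtmlEncode("$Type audit - $($Mbx.Alias)")
        $Rows | ConvertTo-Html -Head $Css -PreContent "<h2>$Title</h2>" |
            Set-Content -Path (Join-Path $Dir "$Type Audit.html") -Encoding UTF8
    }
}
```

Message subjects in these reports are set by whoever sent the mail, so treat the CSV as untrusted input when opening it in a spreadsheet.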

Mailbox actions logged by mailbox audit logging

| Action | Description | Admin | Delegate*** | Owner |
| --- | --- | --- | --- | --- |
| Copy | A message was copied to another folder. | Yes | No | No |
| Create | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that message or folder creation isn’t audited. | Yes* | Yes* | Yes |
| FolderBind | A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox. | Yes* | Yes** | No |
| HardDelete | A message was purged from the Recoverable Items folder. | Yes* | Yes* | Yes |
| MailboxLogin | The user signed in to their mailbox. | No | No | Yes |
| MessageBind | A message was viewed in the preview pane or opened. | Yes | No | No |
| Move | A message was moved to another folder. | Yes* | Yes | Yes |
| MoveToDeletedItems | A message was deleted and moved to the Deleted Items folder. | Yes* | Yes | Yes |
| SendAs | A message was sent using the SendAs permission. This means another user sent the message as though it came from the mailbox owner. | Yes* | Yes* | No |
| SendOnBehalf | A message was sent using the SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message. | Yes* | Yes | No |
| SoftDelete | A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder. | Yes* | Yes* | Yes |
| Update | A message or its properties was changed. | Yes* | Yes* | Yes |
[Source of information – Mailbox audit logging in Exchange 2016]

7. Download Audit PowerShell menu script

Manage Exchange Online mailbox Audit – o365info PowerShell script

Getting started with Office 365 PowerShell

PowerShell Naming Conventions & general information
Get more information about the Naming Conventions that are used in the PowerShell articles – Help and additional information – o365info.com PowerShell articles
Creating a remote PowerShell session to Exchange Online 
To get more information about the required remote PowerShell commands that you need to use for connecting to Exchange Online, read the following article:
Connect to Exchange Online by using Remote PowerShell
Creating a remote PowerShell session to Azure Active Directory
To get more information about the required software component + the remote PowerShell commands that you need to use for connecting Azure Active Directory, read the following article: Part 2: Connect to Office 365 by using Remote PowerShell
Basic introduction to PowerShell in Office 365 based environment
If you are new to the PowerShell world, you can read more about how to start working with PowerShell in an Office 365 based environment in the following article series: Getting started with Office 365 PowerShell – Part 1, Part 2, Part 3 and Part 4.
Running and using o365info PowerShell scripts
If you need more information about how to use the o365info PowerShell scripts that I add to the PowerShell articles, you can read the article – How to run and use o365info PowerShell menu script

Eyal Doron

One Response to “Manage Mailbox Audit using PowerShell | Office 365”

  1. carltonflintoff

    An amazing blog post. Thanks for sharing this information!
    In my circumstance, to audit non-owner mailbox accesses, I use an automated solution named Lepide auditor suite (http://www.lepide.com/lepideauditor/exchange.html) that works great on my workstation. It helps to audit all the non-owner mailbox access and changes made in Exchange mailboxes at a granular level and provides the captured data in real time.
