Manage Mailbox Audit using PowerShell | Office 365
In the current article, we review the various aspects of “Exchange Online Audit option” using PowerShell commands.
Table of contents
- Connect to Exchange Online Protection
- Basic information about the Exchange Audit option
- Using the Exchange Online Audit option
- Enable Audit on Exchange Mailbox + Activate the Specific Audit option
- View Exchange mailbox Audit settings
- View Audit log information
- Export Audit Log information to CSV file
- Export All Audit types log to a CSV file
- Export Audit information about specific event | Deletion event
- Export Delegate + Owner + Admin log to a file and filter the result by a specific date range | Last 30 days
- Export Office 365 portal admin Audit log
- Export Office 365 admin Audit log for a specific PowerShell cmdlet
- Export Office 365 portal admin Audit log for “Admin actions” that were performed on a specific mailbox
- Disable Audit
- Additional Exchange Audit options
- Export Audit log information to an HTML file using CSS style
Connect to Exchange Online Protection
To be able to run the PowerShell commands specified in the current article, you will need to connect to Exchange Online PowerShell.
Start Windows PowerShell as administrator and run the cmdlet Connect-ExchangeOnline.
Connect-ExchangeOnline
Basic information about the Exchange Audit option
The Exchange Online Audit feature is a very powerful tool that gives us detailed information about each of the “actions” performed in a specific Exchange mailbox.
The audit information is saved in a dedicated log that is stored inside the mailbox itself (the log is hidden from the mailbox owner).
The Exchange mailbox Audit option is not “activated” by default.
The most common use of the Exchange Online Audit option is a scenario in which “something strange” is happening to a particular user mailbox. For example, mail items or calendar meetings that were deleted without the knowledge of the user (the mailbox owner), mail items that were moved to a different folder, and so on.
In this type of scenario, to understand what is going on “behind the scenes”, we need to monitor each of the “events” related to the specific Exchange mailbox. The information stored in the Exchange Audit log lets us see exactly which actions were performed when the above happens, and by whom.
Exchange Online supports four types of Audit options:
1. Mailbox Owner Audit (AuditOwner)
This type of Audit records the different operations that the mailbox owner performs, such as deletion of mail items (including the different types of deletion: Soft Delete and Hard Delete), creation of mail items, moving mail items, updating existing mail items, and more.
2. Non-Owner (delegate) Audit (AuditDelegate)
This type of Audit is relevant in a scenario in which “other users” have permissions to a specific user mailbox. These “other” users are defined as delegates.
The audit information includes the same operations as AuditOwner and, in addition, other operations such as an event in which the delegate sends a message using SendAs.
3. Admin Audit (AuditAdmin)
This type of Audit records “actions” that the Exchange Online Administrator performs directly on the particular user mailbox. For example, a scenario in which the Exchange Administrator uses PowerShell commands that search for and delete E-mail items in the user mailbox.
4. Office 365 Admin Audit (Search-AdminAuditLog)
This is a special Audit log that is enabled by default for Office 365 customers. Its purpose is to record each of the “administrative actions” performed by the Exchange Online Administrator. For example, assigning Full Access permissions on a specific user mailbox to “other users”, assigning Send As permission, adding or removing an E-mail address, and so on.
Using the Exchange Online Audit option
The use of the Exchange Online Audit option can be a little confusing. For this reason, it is important to understand the exact “flow” of actions required to activate the audit and use the audit information.
- Phase 1 of 3: in this phase, we “turn on” the Exchange “Audit flag” for a particular mailbox.
- Phase 2 of 3: in this phase, we define the specific “actions” that we want to audit, such as deletion of mail items and so on. If you need more information about the specific “actions” that can be defined for each of the different Audit types, you can use the table I added at the bottom of the current article.
- Phase 3 of 3: in this phase, we “read” the Exchange Audit log. Technically, we use a PowerShell command that displays the Audit log content on the PowerShell console, but from my experience the information is not so easy to read in that form.
The recommendation is to export the Audit log information to a file in a format such as CSV or HTML. This makes the information from the Exchange Audit log easier to understand, and lets us sort and filter it by specific “actions” and so on.
Later in the article, I will provide some examples of how to export Audit log information to a CSV file and to an HTML file formatted with a CSS style, which displays the information in a prettier manner.
Enable Audit on Exchange Mailbox + Activate the Specific Audit option
Enable Audit on Exchange mailbox
PowerShell command syntax:
Set-Mailbox <Identity> -AuditEnabled $True
PowerShell command example:
Set-Mailbox "Bob" -AuditEnabled $True
Enable Audit on ALL Mailboxes (Bulk Mode)
PowerShell command example:
Get-Mailbox -ResultSize Unlimited | ForEach {Set-Mailbox $_.UserPrincipalName -AuditEnabled $True}
Enable Owner Audit on Exchange mailbox
PowerShell command syntax:
Set-Mailbox <Identity> -AuditOwner <required parameters>
PowerShell command example:
Set-Mailbox "Bob" -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update
Enable Non-Owner (delegate) Audit on Exchange mailbox
PowerShell command syntax:
Set-Mailbox <Identity> -AuditDelegate <required parameters>
PowerShell command example:
Set-Mailbox "Bob" -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SoftDelete,Update
Enable Admin Audit on Exchange mailbox
PowerShell command syntax:
Set-Mailbox <Identity> -AuditAdmin <required parameters>
PowerShell command example:
Set-Mailbox "Bob" -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update
View Exchange mailbox Audit settings
View the Audit setting of Exchange mailbox
PowerShell command syntax:
Get-Mailbox <Identity> | FL Audit*
PowerShell command example:
Get-Mailbox "Bob" | FL Audit*
PowerShell console output example:
PS C:\script> Get-Mailbox "Bob" | FL Audit*
AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, Copy, Move, MoveToDeletedItems...}
AuditDelegate : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditOwner : {Update, Move, MoveToDeletedItems, SoftDelete...}
View Audit parameters of – AuditOwner (expand)
PowerShell command example:
Get-Mailbox "Bob" | Select-Object -ExpandProperty AuditOwner
PowerShell console output example:
Get-Mailbox "Bob" | Select-Object -ExpandProperty AuditOwner
Update
Move
MoveToDeletedItems
SoftDelete
HardDelete
Create
MailboxLogin
View Audit parameters of – AuditAdmin (expand)
PowerShell command example:
Get-Mailbox "Bob" | Select-Object -ExpandProperty AuditAdmin
PowerShell console output example:
Get-Mailbox "Bob" | Select-Object -ExpandProperty AuditAdmin
Update
Copy
Move
MoveToDeletedItems
SoftDelete
HardDelete
FolderBind
SendAs
SendOnBehalf
MessageBind
Create
View Audit log information
View Audit log information | All the Audit Types
PowerShell command syntax:
Search-MailboxAuditLog <Identity> -LogonTypes <Audit type>, <Audit type> -ShowDetails
PowerShell command example:
Search-MailboxAuditLog "Bob" -LogonTypes Admin, Owner,Delegate -ShowDetails
PowerShell console output example:
Search-MailboxAuditLog "Bob" -LogonTypes Admin, Owner,Delegate -ShowDetails
RunspaceId : 9c1c9ae6-1c61-4a9e-8d2c-5f67c0142d9f
Operation : FolderBind
OperationResult : Succeeded
LogonType : Delegate
ExternalAccess : False
DestFolderId :
DestFolderPathName :
FolderId : LgAAAABEWzQUHcpBSYfBaz2R78jhAQDK7xgSkvxcTrNBen7hewMRAAAAAAFRAAAB
FolderPathName : \Sync Issues\Conflicts
ClientInfoString : Client=MSExchangeRPC
ClientIPAddress : 93.172.209.9
ClientMachineName :
ClientProcessName : OUTLOOK.EXE
ClientVersion : 16.0.7369.6540
InternalLogonType : Owner
MailboxOwnerUPN : bob@o365info.com
MailboxOwnerSid : S-1-5-21-2103643036-1067027473-1901050440-16161243
DestMailboxOwnerUPN :
DestMailboxOwnerSid :
DestMailboxGuid :
CrossMailboxOperation :
LogonUserDisplayName : Angelina Jolie
LogonUserSid : S-1-5-21-2103643036-1067027473-1901050440-14666822
SourceItems : {}
SourceFolders : {}
SourceItemIdsList :
SourceItemSubjectsList :
SourceItemAttachmentsList :
SourceItemFolderPathNamesList :
SourceFolderPathNamesList :
ItemId :
ItemSubject :
ItemAttachments :
DirtyProperties :
OriginatingServer : DB5PR05MB1384 (15.01.0761.009)
MailboxGuid : 6cfec3d7-878b-4393-aa96-cbb6e8fd008c
MailboxResolvedOwnerName : Bob marley
LastAccessed : 12/06/2016 4:01:14 AM
Identity : AAMkAGNjYmNkN2Q3LTc2ZGQtNDMwOC05ZmVlLTI3OTY5Njg0ZTEzZgBGAAAAAABEWzQUHcpBSYfBaz2R78jhBwDK7xgSkvxcTrNBen7hewMRAAAJziBGAADK7xgSkvxcTrNBen7hewMRAAAJziRMAAA=
IsValid : True
ObjectState : New
RunspaceId : 9c1c9ae6-1c61-4a9e-8d2c-5f67c0142d9f
Operation : FolderBind
OperationResult : Succeeded
LogonType : Delegate
ExternalAccess : False
DestFolderId :
DestFolderPathName :
FolderId : LgAAAABEWzQUHcpBSYfBaz2R78jhAQDK7xgSkvxcTrNBen7hewMRAAAAAAFQAAAB
FolderPathName : \Sync Issues
ClientInfoString : Client=MSExchangeRPC
ClientIPAddress : 93.172.209.9
ClientMachineName :
ClientProcessName : OUTLOOK.EXE
ClientVersion : 16.0.7369.6540
InternalLogonType : Owner
MailboxOwnerUPN : bob@o365info.com
MailboxOwnerSid : S-1-5-21-2103643036-1067027473-1901050440-16161243
Display mailboxes which have Audit enabled
PowerShell command example:
Get-Mailbox -ResultSize Unlimited | Where {$_.AuditEnabled -eq $True} | FL Alias,Audit*
PowerShell console output example:
PS C:\script> Get-Mailbox | Where {$_.AuditEnabled -eq $True} | FL Alias,Audit*
Alias : Adele
AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditDelegate : {Update, SoftDelete, HardDelete, SendAs...}
AuditOwner : {}
Alias : admin
AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditDelegate : {Update, SoftDelete, HardDelete, SendAs...}
AuditOwner : {}
Alias : Alicia
AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditDelegate : {Update, SoftDelete, HardDelete, SendAs...}
AuditOwner : {}
Export Audit Log information to CSV file
Export All Audit types log to a CSV file
PowerShell command syntax:
Search-MailboxAuditLog <Identity> -LogonTypes <Audit type>,<Audit type> -ShowDetails | Export-CSV <Path> -NoTypeInformation -Encoding UTF8
PowerShell command example:
Search-MailboxAuditLog "Bob" -LogonTypes Owner,Delegate,Admin -ShowDetails | Export-CSV "c:\temp\Audit Log.CSV" -NoTypeInformation -Encoding UTF8
Export Audit information about specific event | Deletion event
PowerShell command syntax:
Search-MailboxAuditLog <Identity> -Operations HardDelete,SoftDelete,MoveToDeletedItems -LogonTypes <Audit type>,<Audit type> -ShowDetails | Export-CSV <Path> -NoTypeInformation -Encoding UTF8
PowerShell command example:
Search-MailboxAuditLog "Bob" -Operations HardDelete,SoftDelete,MoveToDeletedItems -LogonTypes Owner,Delegate,Admin -ShowDetails | Export-CSV "c:\temp\Audit Log.CSV" -NoTypeInformation -Encoding UTF8
Export Delegate + Owner + Admin log to a file and filter the result by a specific date range | Last 30 days
PowerShell command example:
Search-MailboxAuditLog "Bob" -LogonTypes Admin,Owner,Delegate -ShowDetails -StartDate (Get-Date).AddDays(-30) | Export-CSV "c:\temp\Audit Log.CSV" -NoTypeInformation -Encoding UTF8
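As an added example (not a script from the original article), the deletion-event export for the last 30 days can be turned into a per-actor summary, which is usually what an investigator wants from the log: who deleted items, via which logon type and client IP, and whether the access was flagged as external. It assumes an existing Connect-ExchangeOnline session, the example mailbox "Bob" and the c:\temp output folder used throughout the article.

```powershell
# Added example (not from the original article): triage deletion events from the last 30 days
# by acting user, access path and operation. Assumes an existing Connect-ExchangeOnline
# session and the article's example mailbox "Bob".
$Mailbox   = "Bob"
$StartDate = (Get-Date).AddDays(-30)
$OutFile   = "c:\temp\Audit Deletions Summary.CSV"

$Events = Search-MailboxAuditLog -Identity $Mailbox `
    -LogonTypes Owner, Delegate, Admin `
    -Operations HardDelete, SoftDelete, MoveToDeletedItems `
    -StartDate $StartDate `
    -ShowDetails

# One summary row per actor / logon type / client IP / operation
$Summary = $Events |
    Group-Object LogonUserDisplayName, LogonType, ClientIPAddress, Operation |
    ForEach-Object {
        $first  = $_.Group[0]
        $byTime = @($_.Group | Sort-Object LastAccessed)
        # Single-item events carry ItemSubject; bulk deletions carry SourceItemSubjectsList
        $subjects = $_.Group | ForEach-Object {
            if ($_.ItemSubject) { $_.ItemSubject } else { $_.SourceItemSubjectsList }
        } | Where-Object { $_ } | Select-Object -Unique -First 3
        [pscustomobject]@{
            Actor          = $first.LogonUserDisplayName
            LogonType      = $first.LogonType
            ClientIP       = $first.ClientIPAddress
            ClientProcess  = $first.ClientProcessName
            Operation      = $first.Operation
            Count          = $_.Count
            ExternalAccess = [bool]($_.Group | Where-Object { $_.ExternalAccess })
            FirstSeen      = $byTime[0].LastAccessed
            LastSeen       = $byTime[-1].LastAccessed
            SampleSubjects = ($subjects -join "; ")
        }
    } | Sort-Object Count -Descending

$Summary | Format-Table -AutoSize
$Summary | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Rows from a delegate or admin, or flagged as external access, deserve a closer look
$Summary | Where-Object { $_.LogonType -ne "Owner" -or $_.ExternalAccess } |
    Format-Table Actor, LogonType, ClientIP, Operation, Count -AutoSize
```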
Export Office 365 portal admin Audit log
PowerShell command example:
Search-AdminAuditLog | Export-CSV "c:\temp\Search-AdminAuditLog.CSV" -NoTypeInformation -Encoding UTF8
Export Office 365 admin Audit log for a specific PowerShell cmdlet
PowerShell command example:
Search-AdminAuditLog -Cmdlets Enable-AddressListPaging | Export-CSV "c:\temp\Search-AdminAuditLog.CSV" -NoTypeInformation -Encoding UTF8
Export Office 365 portal admin Audit log for “Admin actions” that were performed on a specific mailbox
PowerShell command example:
Search-AdminAuditLog -ObjectIds "Bob" | Export-CSV "c:\temp\Search-AdminAuditLog.CSV" -NoTypeInformation -Encoding UTF8
Disable Audit
Disable Audit on Exchange mailbox
PowerShell command syntax:
Set-Mailbox -Identity <Identity> -AuditEnabled $False
PowerShell command example:
Set-Mailbox -Identity "Bob" -AuditEnabled $False
Disable Audit on ALL Mailboxes (Bulk Mode)
PowerShell command example:
Get-Mailbox -ResultSize Unlimited | ForEach {Set-Mailbox $_.UserPrincipalName -AuditEnabled $False}
Additional Exchange Audit options
View information about the “Audit folder” (the Audit log store)
PowerShell command example:
Get-MailboxFolderStatistics "Bob" | Where {$_.Name -eq "Audits"} | Format-Table Identity, ItemsInFolder, FolderSize -AutoSize
Enable Mailbox Audit Bypass Association
PowerShell command example:
Set-MailboxAuditBypassAssociation -Identity "Bob" -AuditBypassEnabled $True
Set Audit retention – number of days
PowerShell command syntax:
Set-Mailbox <Identity> -AuditLogAgeLimit <Days>
PowerShell command example:
Set-Mailbox "John" -AuditLogAgeLimit 30
Export Audit log information to an HTML file using CSS style
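The heading above promises an HTML export; as an added example (not the original article's own script), here is one way to produce such a report with ConvertTo-Html and an embedded CSS style, with hard deletes and non-owner (delegate or admin) access highlighted. It assumes an existing Connect-ExchangeOnline session, the example mailbox "Bob" and the c:\temp output folder used in the article.

```powershell
# Added example (not the original article's script): export the mailbox audit log to an
# HTML report with an embedded CSS style. Assumes an existing Connect-ExchangeOnline
# session and the article's example mailbox "Bob".
$Mailbox = "Bob"
$OutFile = "c:\temp\Audit Log.html"

# ConvertTo-Html ignores -Title when -Head is used, so the title goes into the head block too
$Head = @"
<title>Mailbox audit log: $Mailbox</title>
<style>
  body  { font-family: "Segoe UI", Arial, sans-serif; font-size: 12px; }
  table { border-collapse: collapse; }
  th    { background: #2f5597; color: #fff; padding: 4px 8px; text-align: left; }
  td    { border: 1px solid #ccc; padding: 3px 8px; white-space: nowrap; }
  tr:nth-child(even) { background: #f2f2f2; }
  tr.harddelete td   { background: #f8d7da; }
  tr.nonowner   td   { font-weight: bold; }
</style>
"@

$Rows = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Owner, Delegate, Admin -ShowDetails |
    Sort-Object LastAccessed -Descending |
    Select-Object LastAccessed, Operation, OperationResult, LogonType, LogonUserDisplayName,
                  ClientIPAddress, ClientProcessName, FolderPathName, ItemSubject

$Html = $Rows | ConvertTo-Html -Head $Head `
    -PreContent "<h2>Mailbox audit log for $Mailbox</h2><p>Generated $(Get-Date)</p>"

# ConvertTo-Html has no per-row styling, so tag rows after the fact by their cell content.
# Column order matches the Select-Object above: 2nd cell = Operation, 4th cell = LogonType.
$Html = $Html -replace '<tr>(<td>[^<]*</td><td>HardDelete</td>)', '<tr class="harddelete">$1'
$Html = $Html -replace '<tr>((?:<td>[^<]*</td>){3}<td>(?:Delegate|Admin)</td>)', '<tr class="nonowner">$1'

$Html | Out-File -FilePath $OutFile -Encoding UTF8
```

A hard delete performed by a delegate keeps the harddelete class, since the second replacement only matches rows that are still untagged.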
Mailbox actions logged by mailbox audit logging.
Action | Description | Admin | Delegate*** | Owner |
---|---|---|---|---|
Copy | A message was copied to another folder. | Yes | No | No |
Create | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that message or folder creation isn’t audited. | Yes* | Yes* | Yes |
FolderBind | A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox. | Yes* | Yes* | No |
HardDelete | A message was purged from the Recoverable Items folder. | Yes* | Yes* | Yes |
MailboxLogin | The user signed in to their mailbox. | No | No | Yes |
MessageBind | A message was viewed in the preview pane or opened. | Yes | No | No |
Move | A message was moved to another folder. | Yes* | Yes | Yes |
MoveToDeletedItems | A message was deleted and moved to the Deleted Items folder. | Yes* | Yes | Yes |
SendAs | A message was sent using the SendAs permission. This means another user sent the message as though it came from the mailbox owner. | Yes* | Yes* | No |
SendOnBehalf | A message was sent using the SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message. | Yes* | Yes | No |
SoftDelete | A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder. | Yes* | Yes* | Yes |
Update | A message or its properties was changed. | Yes* | Yes* | Yes |
Hi,
What is the maximum days we can set with AuditLogAgeLimit by today in Exchange Online?
An amazing blog post. Thanks for sharing this information!