Manage mailbox Audit with PowerShell in Microsoft 365

When a user’s calendar meetings are deleted, or emails are moved to another folder without the user’s knowledge, you need to understand why this happened. With the audit log feature in Exchange Online, it’s possible to check these actions. However, you must first enable auditing in the Microsoft Purview portal or Exchange Online PowerShell. In this article, you will learn how to manage a Microsoft 365 mailbox audit using PowerShell.

Exchange Online mailbox audit log

The Exchange Online audit log in Microsoft 365 gathers detailed information about each action performed in a specific mailbox. It saves the audit information in a dedicated log file stored for each mailbox, which remains hidden from the mailbox owner.

The mailbox audit option is not enabled by default. You will only use the Exchange Online audit option when something strange happens to a particular user’s mailbox. For example, if a user (mailbox owner) can’t find their mail or calendar meetings because someone deleted or relocated them to another folder without their knowledge.

To understand what is going on, you need to check each action related to the specific mailbox with the audit log. The audit log can tell you which action occurred and who did it.

The following mailbox types can use the mailbox auditing:

Search-UnifiedAuditLog cmdlet

You can use the Microsoft Purview portal to download your audit log report.

With the Search-UnifiedAuditLog PowerShell cmdlet, you get more options to sort and filter the results, and you can export the information in different output formats, such as CSV, HTML, and CSS.

To use the Search-UnifiedAuditLog PowerShell cmdlet, you need to enable auditing for your tenant.

All Microsoft 365 customers have this audit log enabled by default. The purpose of this audit is to log each administrative action performed by the Exchange Online administrator.

For example, assigning other users (delegates) Full Access permissions to a specific user mailbox, assigning Send As permission, adding or removing email addresses, and so on.

Mailbox audit sign-in types

There are different audit sign-in types for each mailbox (user, shared, Microsoft 365 group). We will show you the different sign-in types with their specific PowerShell parameters and which mailbox actions they can audit log.

1. Mailbox Owner Audit (-AuditOwner)

This is the mailbox owner who is responsible for the account. You can use the -AuditOwner parameter with the Get-Mailbox or Set-Mailbox cmdlet.

This type of audit will log the different operations that the mailbox owner performs, such as create, move, update, or (soft and hard) delete mail items, and more.

2. Non-Owner Audit (-AuditDelegate)

A user who has SendAs, SendOnBehalf, or FullAccess permission to a specific user mailbox is known as a delegate. An admin with Full Access permission to a mailbox is also considered a delegate.

The audit log will include the same operations as the AuditOwner. You can use the -AuditDelegate parameter with the Get-Mailbox and Set-Mailbox cmdlet.

3. Admin Audit (-AuditAdmin)

The Exchange Online administrator performs actions on a user mailbox. You can use the -AuditAdmin parameter with the Get-Mailbox and Set-Mailbox cmdlet.

It logs the actions when the Exchange Online administrator uses PowerShell commands that search and delete email items from a user mailbox.

Mailbox audit log actions for Microsoft 365 Group mailboxes

When you enable mailbox audit in your organization, it also enables audit logging for Microsoft 365 Group mailboxes. You can’t customize the default mailbox actions for the Microsoft 365 Group, which means that you can’t add or remove mailbox actions for any sign-in type.

  • The check mark (✓) shows that this type of mailbox action is logged by default.
  • The (☓) shows that there is no option to log this type of mailbox action.

The table below shows the default mailbox actions on Microsoft 365 Group mailboxes for each sign-in type.

Action | Description | Admin, Delegate, Owner
Create | Create an item in the Calendar folder. Creating, sending, or receiving a message isn’t audited.
HardDelete | A message was purged from the Recoverable Items folder.
MoveToDeletedItems | A message was deleted and moved to the Deleted Items folder.
SendAs | Send a message using the SendAs permission. This means another user sent the message as though it came from the mailbox owner.
SendOnBehalf | Send a message using the SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner.
SoftDelete | Delete or permanently delete a message from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder.
Update | A message or its properties was changed.

Mailbox audit log actions for user and shared mailboxes

There are multiple mailbox actions to audit the user and shared mailboxes. You can customize the mailbox actions to audit before you enable mailbox auditing in your organization.

Note: The customized mailbox auditing settings remain on the mailbox and aren’t overwritten by the default mailbox actions. You can always restore the default mailbox audit actions for one or all sign-in types.

  • The checkmark (✓) shows that this type of mailbox action is logged by default.
  • The asterisk (*) after the check mark shows you can log this type of mailbox action.
  • The (☓) shows that there is no option to log this type of mailbox action.

Mailbox actions table for user and shared mailboxes

The table below shows which mailbox actions are available to audit for user and shared mailboxes.

Action | Description | Admin, Delegate, Owner
ApplyRecord | An item is labeled as a record.
Copy | Copy a message to another folder. | ✓*
Create | Create an item in the Calendar, Contacts, Draft, Notes, or Tasks folder in the mailbox. For example, a new meeting request is created. Creating a message or folder isn’t audited. | ✓*
FolderBind | A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox. | ✓*✓*
HardDelete | A message was purged from the Recoverable Items folder.
MailboxLogin | The user signed in to their mailbox. | ✓*
MailItemsAccessed | Mail data is accessed by mail protocols and clients. | **
MessageBind | A message was viewed in the preview pane or opened. | **✓*
Move | A message was moved to another folder. | ✓*✓*✓*
MoveToDeletedItems | A message was deleted and moved to the Deleted Items folder.
RecordDelete | An item labeled as a record was moved to the Recoverable Items folder (soft-deleted). | ✓*✓*✓*
SearchQueryInitiated | A person uses Outlook (Windows, Mac, iOS, Android, or Outlook on the web) or the Mail app for Windows 10 to search for items in a mailbox. | **✓*
Send | The user sends an email message, replies to an email message, or forwards an email message. | **
SendAs | Send a message using the SendAs permission.
SendOnBehalf | Send a message using the SendOnBehalf permission.
SoftDelete | A message was permanently deleted or deleted from the Deleted Items folder.
Update | A message or its properties was changed.
UpdateCalendarDelegation | A calendar delegation was assigned to a mailbox.
UpdateFolderPermissions | The folder permission was changed.
UpdateInboxRules | An inbox rule was added, removed, or changed.

**This value is available only for users with E5/A5/G5 licenses.

1. Enable or Disable Audit in Microsoft 365

There are two methods to verify if auditing is enabled for your tenant:

  • Microsoft Purview portal
  • Exchange Online PowerShell

Then we will show you how to disable audit in Exchange Online PowerShell for the entire organization.

Enable Audit in Microsoft Purview portal

How to enable auditing for your organization in the Microsoft Purview portal:

  1. Sign in to Microsoft Purview
  2. Click Audit
  3. Go to New Search tab
  4. Click the text Start recording user and admin activity

Note: If you can’t see the text Start recording user and admin activity, it means that auditing is enabled.

If you want to disable the audit, you can only use PowerShell.

Connect to Exchange Online

To run the PowerShell commands in this article, you need to connect to Exchange Online PowerShell.

Start Windows PowerShell as administrator and run the Connect-ExchangeOnline cmdlet.

Connect-ExchangeOnline

Enable Audit with PowerShell

To enable auditing for your organization, we will use the Set-AdminAuditLogConfig PowerShell cmdlet.

Run the below PowerShell command to enable auditing.

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

After you run the command, PowerShell will show you the below warning.

Note: The admin audit log configuration change you specified could take up to 60 minutes to take effect.

Disable Audit with PowerShell

You can only disable audit in Exchange Online PowerShell. You need to set the -UnifiedAuditLogIngestionEnabled parameter to $false.

Run the below PowerShell command to disable auditing for the entire organization.

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false

After you run the command, PowerShell will show you the below warning.

Note: The admin audit log configuration change you specified could take up to 60 minutes to take effect.

Verify mailbox auditing enabled

Verify that mailbox auditing is enabled (turned on) for your organization with the below PowerShell command.

Get-OrganizationConfig | Format-List AuditDisabled

The PowerShell output shows the value False for AuditDisabled, which means the mailbox auditing is on.

AuditDisabled : False

Note: When you enable mailbox auditing in the organization, it will override the mailbox auditing settings on individual mailboxes. Setting the AuditEnabled mailbox property to False for a single mailbox will be ignored if the mailbox auditing is enabled.

In the next step, we will show you how to prevent mailbox auditing for specific users.

Enable Mailbox Audit Bypass

To disable mailbox auditing for specific mailboxes, you need to set the mailbox audit bypass. Use the Set-MailboxAuditBypassAssociation PowerShell cmdlet to configure mailbox audit logging bypass for user accounts.

Run the below PowerShell command to enable the mailbox audit bypass for a specific user.

Set-MailboxAuditBypassAssociation -Identity "Stephen.Hunter@m365info.com" -AuditBypassEnabled $true

To check the audit bypass for a specific user, run the below PowerShell command.

Get-MailboxAuditBypassAssociation -Identity "Stephen.Hunter@m365info.com" | Format-List AuditBypassEnabled

The PowerShell output shows the value True, which means mailbox audit bypass is enabled for this specific user.

AuditBypassEnabled : True

2. Check Audit type for Exchange Online mailboxes

Note: By default, the -AuditEnabled parameter is already set to $true for all organizations.

To check whether auditing is enabled for a single mailbox, run the below PowerShell command.

Get-Mailbox "Amanda.Hansen@m365info.com" | Format-Table DisplayName, AuditEnabled

Run the below PowerShell command to check that AuditEnabled is set to True for all mailboxes.

Get-Mailbox -ResultSize Unlimited | Format-Table DisplayName, AuditEnabled

Enable AuditOwner for single mailbox

You can also enable an audit owner on a single mailbox with the required actions.

Set-Mailbox "Identity" -AuditOwner "required parameters"

Run the below PowerShell command.

Set-Mailbox "Amanda.Hansen@m365info.com" -AuditOwner "Create, HardDelete, MailboxLogin, Move, MoveToDeletedItems, SoftDelete, Update"

Enable AuditDelegate for single mailbox

Enable audit delegate (non-owner) on a single mailbox with the required actions.

Set-Mailbox "Identity" -AuditDelegate "required parameters"

Run the below PowerShell command.

Set-Mailbox "Amanda.Hansen@m365info.com" -AuditDelegate "Create, FolderBind, HardDelete, Move, MoveToDeletedItems, SoftDelete, Update"

Enable AuditAdmin for single mailbox

Enable audit admin on a single mailbox with the required actions.

Set-Mailbox "Identity" -AuditAdmin "required parameters"

Run the below PowerShell command.

Set-Mailbox "Amanda.Hansen@m365info.com" -AuditAdmin "Copy, Create, FolderBind, HardDelete, MessageBind, Move, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update"

Restore default mailbox actions

You can restore the mailbox actions for a user or shared mailbox for one or all sign-in types with the -DefaultAuditSet parameter. In our example, we want to restore the sign-in types for a specific user mailbox (Amanda.Hansen@m365info.com).

Run the below PowerShell command to restore the default mailbox actions for a single sign-in type.

Set-Mailbox "Amanda.Hansen@m365info.com" -DefaultAuditSet Admin

Run the below PowerShell command to restore the default mailbox actions for all sign-in types.

Set-Mailbox "Amanda.Hansen@m365info.com" -DefaultAuditSet Admin, Delegate, Owner

Set Audit retention number of days single mailbox

The -AuditLogAgeLimit parameter specifies the maximum age of audit log entries for the mailbox. The default value is 90 days, which means that it removes any older log entries.

Run the below PowerShell command to set the audit log age limit to 365 days.

Set-Mailbox "Chris.Lucas@m365info.com" -AuditLogAgeLimit "365"

3. Get mailbox Audit settings

To get the Exchange Online mailbox auditing settings, we will use the Get-Mailbox PowerShell cmdlet.

Get Audit settings for single mailbox

To display the audit settings of a user mailbox, use the Get-Mailbox PowerShell cmdlet.

Get-Mailbox "Amanda.Hansen@m365info.com" | Format-List Audit*

The PowerShell output results appear.

AuditEnabled     : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Copy, Move, MoveToDeletedItems…}
AuditDelegate    : {Update, Move, MoveToDeletedItems, SoftDelete…}
AuditOwner       : {Update, Move, MoveToDeletedItems, SoftDelete…}

Get Audit settings for all mailboxes

When you display the audit settings for all the Exchange Online mailboxes, you can check that AuditEnabled is set to True. It also shows the AuditLogAgeLimit and the audit types (AuditAdmin, AuditDelegate, AuditOwner), including their actions.

Get-Mailbox -ResultSize Unlimited | Where-Object { $_.AuditEnabled -eq $true } | Format-List Alias, Audit*

PowerShell output shows the audit settings for each Exchange Online mailbox.

Alias            : Amanda.Hansen
AuditEnabled     : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Copy, Move, MoveToDeletedItems…}
AuditDelegate    : {Update, Move, MoveToDeletedItems, SoftDelete…}
AuditOwner       : {Update, Move, MoveToDeletedItems, SoftDelete…}

Alias            : Brenda.Smith
AuditEnabled     : True
AuditLogAgeLimit : 30.00:00:00
AuditAdmin       : {Update, MoveToDeletedItems, SoftDelete, HardDelete…}
AuditDelegate    : {Update, MoveToDeletedItems, SoftDelete, HardDelete…}
AuditOwner       : {Update, MoveToDeletedItems, SoftDelete, HardDelete…}

Alias            : Chris.Lucas
AuditEnabled     : True
AuditLogAgeLimit : 365.00:00:00
AuditAdmin       : {Update, MoveToDeletedItems, SoftDelete, HardDelete…}
AuditDelegate    : {Update, MoveToDeletedItems, SoftDelete, HardDelete…}
AuditOwner       : {Update, MoveToDeletedItems, SoftDelete, HardDelete…}
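
An added example (not code from the original article) that turns the bypass and audit settings shown above into a review: it flags accounts with audit bypass enabled, mailboxes with AuditEnabled set to False, short AuditLogAgeLimit values, and sign-in types missing baseline actions. The function name, the baseline values and the constructed sample objects are assumptions; an account with bypass enabled leaves no mailbox audit records for its actions, so each hit should have a documented reason.

```powershell
# Added example: function name, baseline values and sample objects are assumptions.
function Test-MailboxAuditCoverage {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-Mailbox output
        [Parameter(Mandatory)] [object[]] $Mailbox,
        # Objects shaped like Get-MailboxAuditBypassAssociation output
        [object[]] $BypassAssociation = @(),
        [int] $MinimumAgeLimitDays = 90,
        [string[]] $RequiredActions = @('HardDelete', 'SoftDelete', 'MoveToDeletedItems', 'Update')
    )
    # Helper keeps every finding in the same shape for Export-Csv or Format-Table
    $finding = { param($id, $name, $detail)
        [pscustomobject]@{ Identity = $id; Finding = $name; Detail = $detail } }

    foreach ($b in $BypassAssociation) {
        if ($b.AuditBypassEnabled) {
            & $finding $b.Identity 'AuditBypassEnabled' 'Mailbox actions by this account are not logged'
        }
    }
    foreach ($m in $Mailbox) {
        if (-not $m.AuditEnabled) {
            & $finding $m.Alias 'AuditEnabledFalse' 'AuditEnabled is False on the mailbox'
        }
        # AuditLogAgeLimit is displayed as days.hh:mm:ss, for example 90.00:00:00
        $age = [timespan]::Zero
        if ([timespan]::TryParse([string]$m.AuditLogAgeLimit, [ref]$age) -and
            $age.TotalDays -lt $MinimumAgeLimitDays) {
            & $finding $m.Alias 'ShortAuditLogAgeLimit' "$([int]$age.TotalDays) days"
        }
        # Compare each sign-in type against the baseline list of actions
        foreach ($type in 'AuditAdmin', 'AuditDelegate', 'AuditOwner') {
            $missing = @($RequiredActions | Where-Object { $_ -notin @($m.$type) })
            if ($missing.Count -gt 0) {
                & $finding $m.Alias "${type}MissingActions" ($missing -join ', ')
            }
        }
    }
}

# Constructed sample input so the function runs offline
$full = 'Update', 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete'
$mailboxes = @(
    [pscustomobject]@{ Alias = 'Amanda.Hansen'; AuditEnabled = $true; AuditLogAgeLimit = '90.00:00:00'
        AuditAdmin = $full; AuditDelegate = $full; AuditOwner = $full }
    [pscustomobject]@{ Alias = 'Brenda.Smith'; AuditEnabled = $true; AuditLogAgeLimit = '30.00:00:00'
        AuditAdmin = $full; AuditDelegate = $full; AuditOwner = 'Update', 'Move' }
)
$bypass = @([pscustomobject]@{ Identity = 'Stephen.Hunter'; AuditBypassEnabled = $true })

Test-MailboxAuditCoverage -Mailbox $mailboxes -BypassAssociation $bypass | Format-Table -AutoSize

# Against a tenant, after Connect-ExchangeOnline:
# Test-MailboxAuditCoverage -Mailbox (Get-Mailbox -ResultSize Unlimited) `
#     -BypassAssociation (Get-MailboxAuditBypassAssociation -ResultSize Unlimited)
```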

Get AuditOwner parameters for single mailbox

Get a list of the -AuditOwner actions you set for a single mailbox.

Get-Mailbox "Amanda.Hansen@m365info.com" | Select-Object -ExpandProperty AuditOwner

The PowerShell output lists the AuditOwner actions you set for this mailbox (Amanda.Hansen@m365info.com).

Update
Move
MoveToDeletedItems
SoftDelete
HardDelete
Create
MailboxLogin

Get AuditDelegate parameters for single mailbox

Get a list of the -AuditDelegate actions you set for a specific mailbox.

Get-Mailbox "Amanda.Hansen@m365info.com" | Select-Object -ExpandProperty AuditDelegate

The PowerShell output lists the AuditDelegate actions you set for this mailbox (Amanda.Hansen@m365info.com).

Update
Move
MoveToDeletedItems
SoftDelete
HardDelete
FolderBind
Create

Get AuditAdmin parameters for single mailbox

Get a list of the -AuditAdmin actions you set for a specific mailbox.

Get-Mailbox "Amanda.Hansen@m365info.com" | Select-Object -ExpandProperty AuditAdmin

The PowerShell output lists the AuditAdmin actions you set for this mailbox (Amanda.Hansen@m365info.com).

Update
Copy
Move
MoveToDeletedItems
SoftDelete
HardDelete
FolderBind
SendAs
SendOnBehalf
MessageBind
Create

Get mailbox Audit log information

To get the audit log information of a single mailbox, you need to use the Search-UnifiedAuditLog PowerShell cmdlet.

Get all the logon types (owner, delegate, admin) of a single mailbox for the last 30 days.

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -UserIds "Amanda.Hansen@m365info.com" 

The PowerShell console output shows the below result.

RecordType   : ExchangeItemAggregated
CreationDate : 01/03/2024 07.44.30
UserIds      : Amanda.Hansen@m365info.com
Operations   : MailItemsAccessed
AuditData    : {"CreationTime":"2024-03-01T07:44:30","Id":"142a9a65-fb0c-47aa-b0ee-04a4977c8456","Operation":"MailItemsAccessed","OrganizationId":"a2ff010e-0e03-4c56-8863-2ae7f07876
               dd","RecordType":50,"ResultStatus":"Succeeded","UserKey":"1003200280C087D8","UserType":0,"Version":1,"Workload":"Exchange","UserId":"Amanda.Hansen@m365info.com","AppI
               d":"a3883eba-fbe9-48bd-9ed3-dca3e0e84250","ClientAppId":"a3883eba-fbe9-48bd-9ed3-dca3e0e84250","ClientIPAddress":"2603:10a6:20b:60f::13","ClientInfoString":"Client=RE
               ST;Client=RESTSystem;;","ExternalAccess":false,"InternalLogonType":0,"LogonType":0,"LogonUserSid":"S-1-5-21-701439281-3420630407-1831248095-13098321","MailboxGuid":"d
               2f0ce69-287f-4de1-90ea-124110a06f7c","MailboxOwnerSid":"S-1-5-21-701439281-3420630407-1831248095-13098321","MailboxOwnerUPN":"Amanda.Hansen@m365info.com","OperationPr
               operties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],"OrganizationName":"ms365info.onmicrosoft.com","OriginatingServer":"AS8PR0
               2MB7112 (15.20.4200.000)\r\n","Folders":[{"FolderItems":[{"ClientRequestId":"53117859-a300-43c5-abd0-4cd5be64a180","InternetMessageId":"<CAAMAOhMFKqcTcVYDaGHWOjTt5pds
               _5OkoO5YDj72-LopT6Nufw@mail.gmail.com>","SizeInBytes":35451}],"Id":"LgAAAABroEtNkRnUR6N\/VnNslZPDAQCKniiQJ5YUT6lj3dk357OFAAAAAAETAAAB","Path":"\\Junk 
               Email"}],"OperationCount":1}
ResultIndex  : 1
ResultCount  : 1
Identity     : 142a9a65-fb0c-47aa-b0ee-04a4977c8456
IsValid      : True
ObjectState  : Unchanged

Get mailbox Audit folder statistics

To get information about the audit folder, you need to use the Get-MailboxFolderStatistics PowerShell cmdlet.

Get-MailboxFolderStatistics "Amanda.Hansen@m365info.com" | Where-Object { $_.name -eq "Audits" } | Format-Table Identity, ItemsInFolder, FolderSize -AutoSize

The PowerShell output shows the below result.

Identity                          ItemsInFolder FolderSize
--------                          ------------- ----------
Amanda.Hansen@m365info.com\Audits           805 4.348 MB (4,558,947 bytes)

4. Export mailbox Audit log information

It’s best to export all the information to a CSV file so that you can search and filter the audit log information of the mailboxes. Remember to create a temp folder in your (C:) drive.

Export Audit log for specific mailbox to a CSV file

The default retention period for Audit has changed from 90 days to 180 days. This means that audit log records generated on or after October 17, 2023, follow the new default retention of 180 days.

Note: If you enabled auditing for the entire organization 30 days ago, the maximum date range can’t start before the date that auditing was enabled.

Export all the audit log information of a single user for the last 30 days to a CSV file.

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -UserIds "Amanda.Hansen@m365info.com" | Export-Csv "C:\temp\AuditLog.csv" -NoTypeInformation -Encoding utf8

Go to the C:\temp folder and open the CSV file with Microsoft Excel to see the results.

Export Exchange admin Audit log for specific mailbox to CSV

Run the below PowerShell command to export the Exchange admin audit log on a specific mailbox.

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -UserIds "Amanda.Hansen@m365info.com" -RecordType ExchangeAdmin | Export-Csv "C:\temp\AuditAdminLog.csv" -NoTypeInformation -Encoding utf8

Go to the C:\temp folder and open the CSV file with Microsoft Excel to see the results. It shows all the operations of the Exchange admin audit log for a single mailbox in the last 30 days.

Export Exchange admin Audit log for all mailboxes to CSV

Export only the admin audit log to a CSV file to see what the admin has set for all the Exchange Online mailboxes.

Run the below PowerShell command to export the audit admin log to a CSV file.

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType ExchangeAdmin | Export-Csv "C:\temp\BulkAuditAdminLog.csv" -NoTypeInformation -Encoding utf8

Go to the C:\temp folder and open the CSV file with Microsoft Excel to see the results. It shows the Exchange admin audit log operations for all mailboxes in the last 30 days.

Export Audit log specified Operations for single mailbox to CSV

Run the below PowerShell command to export the audit log for specific operations (delete) for a single mailbox.

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -UserIds "Amanda.Hansen@m365info.com" -Operations SoftDelete, HardDelete, MoveToDeletedItems | Export-Csv "C:\temp\AuditLog Operations.csv" -NoTypeInformation -Encoding utf8

Go to the C:\temp folder and open the CSV file with Microsoft Excel to see the results. It shows a list of operations (SoftDelete, HardDelete, MoveToDeletedItems) in the last 30 days.
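
An added example (not code from the original article) for working with these exports: Search-UnifiedAuditLog returns 100 records unless -ResultSize says otherwise, -UserIds matches the account that performed the action rather than the mailbox it touched, and the useful detail sits inside the AuditData JSON column. The two function names and the constructed sample record are assumptions; the first function flattens AuditData into columns, the second pages through a search with -SessionId and -SessionCommand ReturnLargeSet.

```powershell
# Added example: function names and the sample record are assumptions, not from the article.
function ConvertFrom-MailboxAuditData {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string] $AuditData)
    begin { $logonTypes = @{ 0 = 'Owner'; 1 = 'Admin'; 2 = 'Delegate' } }
    process {
        $d = $AuditData | ConvertFrom-Json
        # Records without a LogonType field (admin cmdlet records) keep an empty column
        $logon = if ($null -eq $d.LogonType) { $null } elseif ($logonTypes.ContainsKey([int]$d.LogonType)) {
            $logonTypes[[int]$d.LogonType]
        } else { "Other($($d.LogonType))" }
        [pscustomobject]@{
            CreationTime    = $d.CreationTime
            Operation       = $d.Operation
            Actor           = $d.UserId            # who performed the action
            MailboxOwnerUPN = $d.MailboxOwnerUPN   # whose mailbox was touched
            LogonType       = $logon
            ClientIPAddress = $d.ClientIPAddress
            ClientInfo      = $d.ClientInfoString
            FolderPaths     = @($d.Folders.Path) -join '; '
            MessageIds      = @($d.Folders.FolderItems.InternetMessageId) -join '; '
        }
    }
}

# Pages through a search with one session ID until no more records come back.
function Get-UnifiedAuditLogAll {
    param([datetime] $StartDate, [datetime] $EndDate, [string[]] $Operations)
    $session = [guid]::NewGuid().ToString()
    do {
        $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations $Operations `
            -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
        $page
    } while ($page)
}

# Constructed sample record (shortened from the output shown earlier) so the parser runs offline
$sample = [pscustomobject]@{ AuditData = @'
{"CreationTime":"2024-03-01T07:44:30","Operation":"MailItemsAccessed",
 "UserId":"Amanda.Hansen@m365info.com","MailboxOwnerUPN":"Amanda.Hansen@m365info.com",
 "LogonType":0,"ClientIPAddress":"2603:10a6:20b:60f::13","ClientInfoString":"Client=REST;Client=RESTSystem;;",
 "Folders":[{"FolderItems":[{"InternetMessageId":"<constructed-id@example.com>"}],"Path":"\\Junk Email"}]}
'@ }
$sample | ConvertFrom-MailboxAuditData | Format-List

# Against a tenant: delete operations on one mailbox, whoever performed them.
# Get-UnifiedAuditLogAll -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#     -Operations SoftDelete, HardDelete, MoveToDeletedItems |
#     ConvertFrom-MailboxAuditData |
#     Where-Object MailboxOwnerUPN -eq 'Amanda.Hansen@m365info.com' |
#     Export-Csv 'C:\temp\AuditLogFlat.csv' -NoTypeInformation -Encoding utf8
```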

That’s it!

Conclusion

You learned how to manage mailbox audit with PowerShell in Microsoft 365. To manage the audit log, you must enable auditing for your organization. Then, you can set the audit settings and export the mailbox audit log for a single or all mailboxes to a CSV file.

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.
