
Manage Mailbox Audit using PowerShell | Office 365

In this article, we review the various aspects of the Exchange Online mailbox audit option using PowerShell commands.

Connect to Exchange Online PowerShell

To run the PowerShell commands in this article, you first need to connect to Exchange Online PowerShell.

Start Windows PowerShell as administrator and run the cmdlet Connect-ExchangeOnline.

Connect-ExchangeOnline

Basic information about the Exchange Audit option

The Exchange Online audit feature enables us to get detailed information about each of the actions performed in a specific Exchange mailbox.

The audit information is saved in a dedicated log that is stored inside the mailbox itself (the log is hidden from the mailbox owner).

Mailbox audit is not activated by default.
The most common use of the Exchange Online audit option is a scenario in which “something strange” is happening to a particular user mailbox. For example, mail or calendar meetings are deleted without the knowledge of the mailbox owner, mail items are relocated to a different folder, and so on.

In this type of scenario, to understand what is going on “behind the scenes” we need to monitor each of the events related to the specific mailbox. The information stored in the mailbox audit log lets us see exactly which actions were performed, and by whom, when the above happens.

Exchange Online supports four types of audit options:

1. Mailbox Owner Audit (AuditOwner)

This type of audit records the operations that the mailbox owner performs, such as deletion of mail items (both Soft Delete and Hard Delete), creation of mail items, moving mail items, updating existing mail items and more.

2. Non-Owner (delegate) Audit (AuditDelegate)

This type of audit is relevant in a scenario in which other users have permissions to a specific user mailbox. These other users are defined as delegates.

The audit information includes the same operations as AuditOwner and, in addition, other operations such as SendAs, in which the delegate sends a message as the mailbox owner.

3. Admin Audit (AuditAdmin)

This type of audit records actions that the Exchange Online administrator performs directly on the particular user mailbox. For example, a scenario in which the Exchange administrator uses PowerShell commands that search for and delete e-mail items in the user mailbox.

4. Office 365 Admin Audit (Search-AdminAuditLog)

This is a special audit log that is enabled by default for Office 365 customers. Its purpose is to record each of the administrative actions performed by the Exchange Online administrator. For example, assigning Full Access permissions on a specific user mailbox to other users, assigning Send As permission, adding or removing an e-mail address and so on.

Using the Exchange Online Audit option

The use of the Exchange Online audit can be a little confusing. For this reason, it is important to understand the exact flow of actions we should use for activating the audit and reading the audit information.

  • Phase 1 of 3 – turn on the audit flag for the particular mailbox.
  • Phase 2 of 3 – define the specific actions that we want to audit, such as deletion of mail items, for each audit type. The table at the bottom of this article lists the actions that can be defined for each audit type.
  • Phase 3 of 3 – read the Exchange audit log. Technically, we use a PowerShell command that displays the audit log content on the PowerShell console, but from my experience the raw output is not easy to read.

The recommendation is to export the audit log information to a file in a format such as CSV or HTML. This makes the information from the audit log easier to understand, and lets us sort and filter it by specific actions and so on.

Later in the article, I provide examples of how to export audit log information to a CSV file and to an HTML file with a CSS style that displays the information in a prettier manner.
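As an added example (not the article's own script), here are phases 1 and 2 for a single mailbox in one script, followed by a read-back that checks the settings actually applied; the mailbox name, the action lists and the retention period are assumptions:

```powershell
# Added example: phases 1 and 2 of the audit flow for one mailbox, plus a read-back check.
# The mailbox name, action lists and retention period below are assumptions for the example.
$mailbox = "Bob"

# Phase 1: turn on the audit flag for the mailbox.
Set-Mailbox -Identity $mailbox -AuditEnabled $true

# Phase 2: define which actions are audited for each audit type, and how many days
# audit records are retained in the hidden Audits folder of the mailbox.
Set-Mailbox -Identity $mailbox `
    -AuditOwner    Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update `
    -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update `
    -AuditAdmin    Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update `
    -AuditLogAgeLimit 90

# Read back and verify. The Audit* settings are multi-valued, so compare the expanded
# values rather than trusting the truncated "{Update, Move, ...}" console view.
$mb = Get-Mailbox -Identity $mailbox
$expected = @{
    AuditOwner    = 'Create','HardDelete','MailboxLogin','Move','MoveToDeletedItems','SoftDelete','Update'
    AuditDelegate = 'Create','FolderBind','HardDelete','Move','MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update'
    AuditAdmin    = 'Copy','Create','FolderBind','HardDelete','MessageBind','Move','MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update'
}
if (-not $mb.AuditEnabled) { Write-Warning "${mailbox}: AuditEnabled is still False" }
foreach ($type in $expected.Keys) {
    $actual  = @($mb.$type | ForEach-Object { "$_" })
    $missing = @($expected[$type] | Where-Object { $_ -notin $actual })
    if ($missing.Count -gt 0) {
        Write-Warning "${mailbox} ${type}: not audited: $($missing -join ', ')"
    } else {
        Write-Host "${mailbox} ${type}: OK ($($actual.Count) actions, retention $($mb.AuditLogAgeLimit))"
    }
}
```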

Enable Audit on Exchange Mailbox + Activate the Specific Audit option

Enable Audit on Exchange mailbox

PowerShell command syntax:

Set-Mailbox <Identity> -AuditEnabled $True

PowerShell command example:

Set-Mailbox "Bob" -AuditEnabled $True

Enable Audit on ALL Mailboxes (Bulk Mode)

PowerShell command example:

Get-Mailbox -ResultSize Unlimited | ForEach {Set-Mailbox $_.UserPrincipalName -AuditEnabled $True}

Enable Owner Audit on Exchange mailbox

PowerShell command syntax:

Set-Mailbox <Identity> -AuditOwner <required parameters>

PowerShell command example:

Set-Mailbox "Bob" -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update

Enable Non-Owner (delegate) Audit on Exchange mailbox

PowerShell command syntax:

Set-Mailbox <Identity> -AuditDelegate <required parameters>

PowerShell command example:

Set-Mailbox "Bob" -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SoftDelete,Update

Enable Admin Audit on Exchange mailbox

PowerShell command syntax:

Set-Mailbox <Identity> -AuditAdmin <required parameters>

PowerShell command example:

Set-Mailbox "Bob" -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update

View Exchange mailbox Audit settings

View the Audit setting of Exchange mailbox

PowerShell command syntax:

Get-Mailbox <Identity> | FL Audit*

PowerShell command example:

Get-Mailbox "Bob" | FL Audit*

PowerShell console output example:

PS C:\script> Get-Mailbox "Bob" | FL Audit*

AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, Copy, Move, MoveToDeletedItems...}
AuditDelegate : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditOwner : {Update, Move, MoveToDeletedItems, SoftDelete...}

View Audit parameters of – AuditOwner (expand)

PowerShell command example:

Get-Mailbox "Bob" | Select-Object -ExpandProperty AuditOwner

PowerShell console output example:

Get-Mailbox "Bob" | Select-Object -ExpandProperty AuditOwner

Update
Move
MoveToDeletedItems
SoftDelete
HardDelete
Create
MailboxLogin

View Audit parameters of – AuditAdmin (expand)

PowerShell command example:

Get-Mailbox "Bob" | Select-Object -ExpandProperty AuditAdmin

PowerShell console output example:

Get-Mailbox "Bob" | Select-Object -ExpandProperty AuditAdmin

Update
Copy
Move
MoveToDeletedItems
SoftDelete
HardDelete
FolderBind
SendAs
SendOnBehalf
MessageBind
Create

View Audit log information

View Audit log information | All the Audit Types

PowerShell command syntax:

Search-MailboxAuditLog <Identity> -LogonTypes <Audit type>, <Audit type> -ShowDetails

PowerShell command example:

Search-MailboxAuditLog "Bob" -LogonTypes Admin,Owner,Delegate -ShowDetails

PowerShell console output example:

Search-MailboxAuditLog "Bob" -LogonTypes Admin, Owner,Delegate -ShowDetails

RunspaceId : 9c1c9ae6-1c61-4a9e-8d2c-5f67c0142d9f
Operation : FolderBind
OperationResult : Succeeded
LogonType : Delegate
ExternalAccess : False
DestFolderId :
DestFolderPathName :
FolderId : LgAAAABEWzQUHcpBSYfBaz2R78jhAQDK7xgSkvxcTrNBen7hewMRAAAAAAFRAAAB
FolderPathName : \Sync Issues\Conflicts
ClientInfoString : Client=MSExchangeRPC
ClientIPAddress : 93.172.209.9
ClientMachineName :
ClientProcessName : OUTLOOK.EXE
ClientVersion : 16.0.7369.6540
InternalLogonType : Owner
MailboxOwnerUPN : bob@o365info.com
MailboxOwnerSid : S-1-5-21-2103643036-1067027473-1901050440-16161243
DestMailboxOwnerUPN :
DestMailboxOwnerSid :
DestMailboxGuid :
CrossMailboxOperation :
LogonUserDisplayName : Angelina Jolie
LogonUserSid : S-1-5-21-2103643036-1067027473-1901050440-14666822
SourceItems : {}
SourceFolders : {}
SourceItemIdsList :
SourceItemSubjectsList :
SourceItemAttachmentsList :
SourceItemFolderPathNamesList :
SourceFolderPathNamesList :
ItemId :
ItemSubject :
ItemAttachments :
DirtyProperties :
OriginatingServer : DB5PR05MB1384 (15.01.0761.009)
MailboxGuid : 6cfec3d7-878b-4393-aa96-cbb6e8fd008c
MailboxResolvedOwnerName : Bob marley
LastAccessed : 12/06/2016 4:01:14 AM
Identity : AAMkAGNjYmNkN2Q3LTc2ZGQtNDMwOC05ZmVlLTI3OTY5Njg0ZTEzZgBGAAAAAABEWzQUHcpBSYfBaz2R78jhBwDK7xgSkvxcTrNBen7hewMRAAAJziBGAADK7xgSkvxcTrNBen7hewMRAAAJziRMAAA=
IsValid : True
ObjectState : New

RunspaceId : 9c1c9ae6-1c61-4a9e-8d2c-5f67c0142d9f
Operation : FolderBind
OperationResult : Succeeded
LogonType : Delegate
ExternalAccess : False
DestFolderId :
DestFolderPathName :
FolderId : LgAAAABEWzQUHcpBSYfBaz2R78jhAQDK7xgSkvxcTrNBen7hewMRAAAAAAFQAAAB
FolderPathName : \Sync Issues
ClientInfoString : Client=MSExchangeRPC
ClientIPAddress : 93.172.209.9
ClientMachineName :
ClientProcessName : OUTLOOK.EXE
ClientVersion : 16.0.7369.6540
InternalLogonType : Owner
MailboxOwnerUPN : bob@o365info.com
MailboxOwnerSid : S-1-5-21-2103643036-1067027473-1901050440-16161243

Display mailboxes which have Audit enabled

PowerShell command example:

Get-Mailbox -ResultSize Unlimited | Where {$_.AuditEnabled -eq $true} | FL Alias,Audit*

PowerShell console output example:

PS C:\script> Get-Mailbox | Where {$_.AuditEnabled -eq "$True"} |FL Alias ,Audit*

Alias : Adele
AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditDelegate : {Update, SoftDelete, HardDelete, SendAs...}
AuditOwner : {}

Alias : admin
AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditDelegate : {Update, SoftDelete, HardDelete, SendAs...}
AuditOwner : {}

Alias : Alicia
AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditDelegate : {Update, SoftDelete, HardDelete, SendAs...}
AuditOwner : {}

Export Audit Log information to CSV file

Export All Audit types log to a CSV file

PowerShell command syntax:

Search-MailboxAuditLog <Identity> -LogonTypes <Audit type>,<Audit type> -ShowDetails | Export-Csv <Path> -NoTypeInformation -Encoding UTF8

PowerShell command example:

Search-MailboxAuditLog "Bob" -LogonTypes Owner,Delegate,Admin -ShowDetails | Export-Csv "C:\temp\Audit Log.csv" -NoTypeInformation -Encoding UTF8

Export Audit information about specific event | Deletion event

PowerShell command syntax:

Search-MailboxAuditLog <Identity> -Operations HardDelete,SoftDelete,MoveToDeletedItems -LogonTypes <Audit type>,<Audit type> -ShowDetails | Export-Csv <Path> -NoTypeInformation -Encoding UTF8

PowerShell command example:

Search-MailboxAuditLog "Bob" -Operations HardDelete,SoftDelete,MoveToDeletedItems -LogonTypes Owner,Delegate,Admin -ShowDetails | Export-Csv "C:\temp\Audit Log.csv" -NoTypeInformation -Encoding UTF8

Export Delegate + Owner + Admin log to a file, filtered by a specific date range | Last 30 days

PowerShell command example:

Search-MailboxAuditLog "Bob" -LogonTypes Admin,Owner,Delegate -ShowDetails -StartDate (Get-Date).AddDays(-30) | Export-Csv "C:\temp\Audit Log.csv" -NoTypeInformation -Encoding UTF8
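The deletion filter and the 30-day window from the two examples above can be combined into a small triage report: who deleted items in the mailbox, how often, from which client addresses, and which non-owner deletions deserve a closer look. This is an added example, not the article's own script; the mailbox name and output path are assumptions.

```powershell
# Added example: summarise deletion events on one mailbox for the last 30 days by actor,
# then export the non-owner deletions (with item subjects) for review.
# Mailbox name and output path are assumptions for the example.
$mailbox = "Bob"
$since   = (Get-Date).AddDays(-30)

$events = @(Search-MailboxAuditLog -Identity $mailbox -LogonTypes Owner,Delegate,Admin `
    -Operations HardDelete,SoftDelete,MoveToDeletedItems -StartDate $since -ShowDetails)

# One row per (actor, logon type, operation): how many deletions, over which period,
# and from which client IP addresses they were performed.
$summary = $events | Group-Object LogonUserDisplayName, LogonType, Operation | ForEach-Object {
    $sorted = @($_.Group | Sort-Object LastAccessed)
    [pscustomobject]@{
        Actor     = $sorted[0].LogonUserDisplayName
        LogonType = $sorted[0].LogonType
        Operation = $sorted[0].Operation
        Count     = $_.Count
        FirstSeen = $sorted[0].LastAccessed
        LastSeen  = $sorted[-1].LastAccessed
        ClientIPs = ($sorted.ClientIPAddress | Sort-Object -Unique) -join ';'
    }
} | Sort-Object Count -Descending

$summary | Format-Table -AutoSize

# Deletions by anyone other than the mailbox owner (delegates and admins) are the ones
# to review first; keep the subjects of the deleted items alongside each event.
$events | Where-Object { $_.LogonType -ne 'Owner' } |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName, Operation, FolderPathName,
        ClientIPAddress, ClientProcessName, @{ n = 'Subjects'; e = { $_.SourceItemSubjectsList } } |
    Export-Csv "C:\temp\Audit Log - NonOwner Deletions.csv" -NoTypeInformation -Encoding UTF8
```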

Export Office 365 portal admin Audit log

PowerShell command example:

Search-AdminAuditLog | Export-Csv "C:\temp\Search-AdminAuditLog.csv" -NoTypeInformation -Encoding UTF8

Export Office 365 admin Audit log for a specific PowerShell cmdlet

PowerShell command example:

Search-AdminAuditLog -Cmdlets Enable-AddressListPaging | Export-Csv "C:\temp\Search-AdminAuditLog.csv" -NoTypeInformation -Encoding UTF8

Export Office 365 portal admin Audit log for “Admin actions” that were performed on a specific mailbox

PowerShell command example:

Search-AdminAuditLog -ObjectIds "Bob" | Export-Csv "C:\temp\Search-AdminAuditLog.csv" -NoTypeInformation -Encoding UTF8

Disable Audit

Disable Audit on Exchange mailbox

PowerShell command syntax:

Set-Mailbox -Identity <Identity> -AuditEnabled $False

PowerShell command example:

Set-Mailbox -Identity "Bob" -AuditEnabled $False

Disable Audit on ALL Mailboxes (Bulk Mode)

PowerShell command example:

Get-Mailbox -ResultSize Unlimited | ForEach {Set-Mailbox $_.UserPrincipalName -AuditEnabled $False}

Additional Exchange Audit options

View information about the “Audit folder” (the Audit log store)

PowerShell command example:

Get-MailboxFolderStatistics "Bob" | Where {$_.Name -eq "Audits"} | Format-Table Identity, ItemsInFolder, FolderSize -AutoSize

Enable Mailbox Audit Bypass Association

PowerShell command example:

Set-MailboxAuditBypassAssociation -Identity "Bob" -AuditBypassEnabled $True

Set Audit retention – number of days

PowerShell command syntax:

Set-Mailbox <Identity> -AuditLogAgeLimit <Days>

PowerShell command example:

Set-Mailbox "John" -AuditLogAgeLimit 30

Export Audit log information to an HTML file using CSS style
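One way to produce the styled HTML report, as an added example rather than the article's own script: the audit events of the last 30 days are reduced to the columns an analyst needs, and ConvertTo-Html wraps them in a page whose head carries the CSS. The mailbox name, output path, chosen columns and style are assumptions.

```powershell
# Added example: export the last 30 days of a mailbox audit log to an HTML file with CSS.
# Mailbox name, output path, the selected columns and the style are assumptions.
$mailbox = "Bob"
$outFile = "C:\temp\Audit Log.html"
$since   = (Get-Date).AddDays(-30)
$title   = "Mailbox audit log - $mailbox"

# Content of the <head> of the generated page. ConvertTo-Html ignores -Title when -Head
# is used, so the <title> goes in here together with the style sheet.
$head = @"
<title>$title</title>
<style>
  body  { font-family: Segoe UI, Arial, sans-serif; font-size: 12px; }
  table { border-collapse: collapse; }
  th    { background: #2f5496; color: #fff; padding: 4px 8px; text-align: left; }
  td    { border: 1px solid #d0d0d0; padding: 3px 8px; vertical-align: top; }
  tr:nth-child(even) { background: #f2f2f2; }
</style>
"@

$events = @(Search-MailboxAuditLog -Identity $mailbox -LogonTypes Owner,Delegate,Admin `
    -StartDate $since -ShowDetails | Sort-Object LastAccessed -Descending)

# Keep only the columns worth reading; the full record (see the console output above) is noisy.
$rows = $events | Select-Object LastAccessed, LogonType, LogonUserDisplayName, Operation,
    OperationResult, ClientIPAddress, ClientProcessName, FolderPathName, ItemSubject

$nonOwner = @($events | Where-Object { $_.LogonType -ne 'Owner' }).Count
$summary  = "<h2>$title</h2><p>$($events.Count) events since $($since.ToString('yyyy-MM-dd')), " +
            "$nonOwner of them by non-owners (delegates or admins).</p>"

$rows | ConvertTo-Html -Head $head -PreContent $summary |
    Out-File -FilePath $outFile -Encoding UTF8
```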

Mailbox actions logged by mailbox audit logging.

Action | Description | Admin | Delegate*** | Owner
Copy | A message was copied to another folder. | Yes | No | No
Create | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that message or folder creation isn’t audited. | Yes* | Yes* | Yes
FolderBind | A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox. | Yes* | Yes* | No
HardDelete | A message was purged from the Recoverable Items folder. | Yes* | Yes* | Yes
MailboxLogin | The user signed in to their mailbox. | No | No | Yes
MessageBind | A message was viewed in the preview pane or opened. | Yes | No | No
Move | A message was moved to another folder. | Yes* | Yes | Yes
MoveToDeletedItems | A message was deleted and moved to the Deleted Items folder. | Yes* | Yes | Yes
SendAs | A message was sent using the SendAs permission. This means another user sent the message as though it came from the mailbox owner. | Yes* | Yes* | No
SendOnBehalf | A message was sent using the SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message. | Yes* | Yes | No
SoftDelete | A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder. | Yes* | Yes* | Yes
Update | A message or its properties was changed. | Yes* | Yes* | Yes
o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.