PowerShell | Help & additional information
Running PowerShell commands in Office 365 based environment
To run the PowerShell commands specified in the current article, you will need to create a remote PowerShell session with Azure Active Directory or Exchange Online. If you need help with the process of creating a remote PowerShell session, you can use the links at the bottom of the article.
Basic information about the Exchange Audit option
The Exchange Online Audit feature is a very powerful tool that gives us detailed information about each of the “actions” performed in a specific Exchange mailbox.
The Audit information is saved in a dedicated log that is stored in the mailbox (the log is hidden from the mailbox owner).
The Exchange mailbox Audit option is not “activated” by default.
The most common use of the Exchange Online Audit option is a scenario in which “something strange” is happening to a particular user mailbox. For example, mail or calendar meetings that are deleted without the user’s (mailbox owner’s) knowledge, mail items that are relocated to a different folder, and so on.
In this type of scenario, to understand what is going on “behind the scenes”, we need to monitor each of the “events” related to the specific Exchange mailbox. The information stored in the Exchange Audit log lets us see exactly which actions were performed, and by whom.
Exchange Online supports four types of Audit options:
1. Mailbox Owner Audit (AuditOwner)
This type of Audit “records” the different operations that the mailbox owner performs, such as mail item deletion and the different types of mail item deletion (Soft Delete and Hard Delete), creation of mail items, movement of mail items, updating existing mail items and more.
2. Non-Owner (delegate) Audit (AuditDelegate)
This type of Audit is relevant in a scenario in which “other users” have permissions to a specific user mailbox. The “other” users are defined as delegates.
The audit information includes the same operations as AuditOwner and, in addition, other operations such as an event in which the delegate performs a SendAs action.
3. Admin Audit (AuditAdmin)
This type of Audit records “actions” that are performed by the Exchange Online Administrator. It relates to actions that the Exchange Online Administrator performs directly on the particular user mailbox. For example, a scenario in which the Exchange Administrator uses PowerShell commands that search for and delete E-mail items from the user mailbox.
4. Office 365 Admin Audit (Search-AdminAuditLog)
This is a special Audit log that is enabled by default for Office 365 customers. The purpose of this Audit is to record each of the “Administrative actions” that are performed by the Exchange Online Administrator. For example, actions such as assigning Full Access permissions on a specific user mailbox to “other users”, assigning Send As permission, adding or removing an E-mail address, and so on.
Using the Exchange Online Audit option
The use of the Exchange Online Audit can be a little confusing. For this reason, it is important that we understand the exact “flow” of actions that we should use for activating and using the Audit information.
- Phase 1#3 – in this phase, we “turn on” the Exchange “Audit flag” for a particular mailbox.
- Phase 2#3 – in this phase, we define the specific “actions” that we want to audit, such as deletion of mail items and so on. If you need more information about the specific “actions” that we can define for each of the different Audit types, you can use the table that I added at the bottom of the current article.
- Phase 3#3 – in this phase, we “read” the Exchange Audit log. Technically, we use a PowerShell command that displays the Audit log content on the PowerShell console, but in my experience the information is not so easy to read.
The recommendation is to export the Audit log information to a file in a format such as CSV or HTML, which will enable us to better understand the information from the Exchange Audit log, sort the information, filter specific “actions” and so on.
Later in the article, I will provide some examples of how to export Audit log information to CSV and HTML file formats, using CSS style to display the information in a prettier manner.
Enable Audit on Exchange Mailbox + Activate the Specific Audit option
Enable Audit on Exchange mailbox
PowerShell command syntax
```powershell
Set-Mailbox <Identity> -AuditEnabled $True
```
PowerShell command example
```powershell
Set-Mailbox Bob -AuditEnabled $True
```
Enable Audit on ALL Mailboxes (Bulk Mode)
PowerShell command example
```powershell
Get-Mailbox -ResultSize Unlimited | ForEach-Object {Set-Mailbox $_.UserPrincipalName -AuditEnabled $True}
```
Enable Owner Audit on Exchange mailbox
PowerShell command syntax
```powershell
Set-Mailbox <Identity> -AuditOwner <required parameters>
```
PowerShell command example
```powershell
Set-Mailbox "Bob" -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update
```
Enable Non-Owner (delegate) Audit on Exchange mailbox
PowerShell command syntax
```powershell
Set-Mailbox <Identity> -AuditDelegate <required parameters>
```
PowerShell command example
```powershell
Set-Mailbox Bob -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SoftDelete,Update
```
Enable Admin Audit on Exchange mailbox
PowerShell command syntax
```powershell
Set-Mailbox <Identity> -AuditAdmin <required parameters>
```
PowerShell command example
```powershell
Set-Mailbox Bobm -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update
```
View Exchange mailbox Audit settings
View the Audit setting of Exchange mailbox
PowerShell command syntax
```powershell
Get-Mailbox <Identity> | FL Audit*
```
PowerShell command example
```powershell
Get-Mailbox Bob | FL Audit*
```
PowerShell console output example
```
PS C:\script> Get-Mailbox Bob | FL Audit*
AuditEnabled     : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Copy, Move, MoveToDeletedItems...}
AuditDelegate    : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditOwner       : {Update, Move, MoveToDeletedItems, SoftDelete...}
```
View Audit parameters of – AuditOwner (expand)
PowerShell command example
```powershell
Get-Mailbox Bob | Select-Object -ExpandProperty AuditOwner
```
PowerShell console output example
```
Get-Mailbox Bob | Select-Object –ExpandProperty AuditOwner
Update
Move
MoveToDeletedItems
SoftDelete
HardDelete
Create
MailboxLogin
```
View Audit parameters of – AuditAdmin (expand)
PowerShell command example
```powershell
Get-Mailbox Bob | Select-Object -ExpandProperty AuditAdmin
```
PowerShell console output example
```
Get-Mailbox Bob | Select-Object –ExpandProperty AuditAdmin
Update
Copy
Move
MoveToDeletedItems
SoftDelete
HardDelete
FolderBind
SendAs
SendOnBehalf
MessageBind
Create
```
View Audit log information
View Audit log information | All the Audit Types
PowerShell command syntax
```powershell
Search-MailboxAuditLog <Identity> -LogonTypes <Audit type>, <Audit type> -ShowDetails
```
PowerShell command example
```powershell
Search-MailboxAuditLog Bob -LogonTypes Admin,Owner,Delegate -ShowDetails
```
PowerShell console output example
```
Search-MailboxAuditLog bob -LogonTypes Admin, Owner,Delegate -ShowDetails

RunspaceId : 9c1c9ae6-1c61-4a9e-8d2c-5f67c0142d9f
Operation : FolderBind
OperationResult : Succeeded
LogonType : Delegate
ExternalAccess : False
DestFolderId :
DestFolderPathName :
FolderId : LgAAAABEWzQUHcpBSYfBaz2R78jhAQDK7xgSkvxcTrNBen7hewMRAAAAAAFRAAAB
FolderPathName : \Sync Issues\Conflicts
ClientInfoString : Client=MSExchangeRPC
ClientIPAddress : 93.172.209.9
ClientMachineName :
ClientProcessName : OUTLOOK.EXE
ClientVersion : 16.0.7369.6540
InternalLogonType : Owner
MailboxOwnerUPN : bob@o365info.com
MailboxOwnerSid : S-1-5-21-2103643036-1067027473-1901050440-16161243
DestMailboxOwnerUPN :
DestMailboxOwnerSid :
DestMailboxGuid :
CrossMailboxOperation :
LogonUserDisplayName : Angelina Jolie
LogonUserSid : S-1-5-21-2103643036-1067027473-1901050440-14666822
SourceItems : {}
SourceFolders : {}
SourceItemIdsList :
SourceItemSubjectsList :
SourceItemAttachmentsList :
SourceItemFolderPathNamesList :
SourceFolderPathNamesList :
ItemId :
ItemSubject :
ItemAttachments :
DirtyProperties :
OriginatingServer : DB5PR05MB1384 (15.01.0761.009)
MailboxGuid : 6cfec3d7-878b-4393-aa96-cbb6e8fd008c
MailboxResolvedOwnerName : Bob marley
LastAccessed : 12/06/2016 4:01:14 AM
Identity : AAMkAGNjYmNkN2Q3LTc2ZGQtNDMwOC05ZmVlLTI3OTY5Njg0ZTEzZgBGAAAAAABEWzQUHcpBSYfBaz2R78jhBwDK7xgSkvxcTrNBen7hewMRAAAJziBGAADK7xgSkvxcTrNBen7hewMRAAAJziRMAAA=
IsValid : True
ObjectState : New

RunspaceId : 9c1c9ae6-1c61-4a9e-8d2c-5f67c0142d9f
Operation : FolderBind
OperationResult : Succeeded
LogonType : Delegate
ExternalAccess : False
DestFolderId :
DestFolderPathName :
FolderId : LgAAAABEWzQUHcpBSYfBaz2R78jhAQDK7xgSkvxcTrNBen7hewMRAAAAAAFQAAAB
FolderPathName : \Sync Issues
ClientInfoString : Client=MSExchangeRPC
ClientIPAddress : 93.172.209.9
ClientMachineName :
ClientProcessName : OUTLOOK.EXE
ClientVersion : 16.0.7369.6540
InternalLogonType : Owner
MailboxOwnerUPN : bob@o365info.com
MailboxOwnerSid : S-1-5-21-2103643036-1067027473-1901050440-16161243
```
Display mailboxes which have Audit enabled
PowerShell command example
```powershell
Get-Mailbox -ResultSize Unlimited | Where-Object {$_.AuditEnabled -eq $True} | FL Alias,Audit*
```
PowerShell console output example
```
PS C:\script> Get-Mailbox | Where {$_.AuditEnabled -eq “$True”} |FL Alias ,Audit*

Alias            : Adele
AuditEnabled     : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditDelegate    : {Update, SoftDelete, HardDelete, SendAs...}
AuditOwner       : {}

Alias            : admin
AuditEnabled     : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditDelegate    : {Update, SoftDelete, HardDelete, SendAs...}
AuditOwner       : {}

Alias            : Alicia
AuditEnabled     : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditDelegate    : {Update, SoftDelete, HardDelete, SendAs...}
AuditOwner       : {}
```
Export Audit Log information to a file | CSV
Export All Audit types log to a CSV file
PowerShell command syntax
```powershell
Search-MailboxAuditLog <Identity> -LogonTypes <Audit type>, <Audit type> -ShowDetails | Export-CSV <Path> -NoTypeInformation -Encoding UTF8
```
PowerShell command example
```powershell
Search-MailboxAuditLog Bob -LogonTypes Owner,Delegate,Admin -ShowDetails | Export-CSV "c:\temp\Audit Log.CSV" -NoTypeInformation -Encoding UTF8
```
Export Audit information about specific event | Deletion event
PowerShell command syntax
```powershell
Search-MailboxAuditLog <Identity> -Operations HardDelete,SoftDelete,MoveToDeletedItems -LogonTypes <Audit type>, <Audit type> -ShowDetails | Export-CSV <Path> -NoTypeInformation -Encoding UTF8
```
PowerShell command example
```powershell
Search-MailboxAuditLog Bob -Operations HardDelete,SoftDelete,MoveToDeletedItems -LogonTypes Owner,Delegate,Admin -ShowDetails | Export-CSV "c:\temp\Audit Log.CSV" -NoTypeInformation -Encoding UTF8
```
Export Delegate + Owner + Admin log to a file and filter the result by a specific date range | Last 30 days
PowerShell command example
```powershell
Search-MailboxAuditLog Bob -LogonTypes Admin,Owner,Delegate -ShowDetails -StartDate (Get-Date).AddDays(-30) | Export-CSV "c:\temp\Audit Log.CSV" -NoTypeInformation -Encoding UTF8
```
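The scenario from the start of the article (items deleted without the owner's knowledge, and by whom) as an added triage example that is not part of the original article: it summarizes deletion operations performed by non-owners from Search-MailboxAuditLog -ShowDetails records. The function name and the sample records are constructed for illustration; the property names are the ones shown in the console output earlier in the article.

```powershell
# Added example, not from the original article. The function name is hypothetical.
function Get-NonOwnerDeletionSummary {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Record,
        [string[]] $Operations = @('HardDelete', 'SoftDelete', 'MoveToDeletedItems'),
        [string[]] $LogonTypes = @('Delegate', 'Admin')
    )
    $Record |
        # Keep only deletion-type operations that were NOT performed by the owner.
        Where-Object { ($Operations -contains "$($_.Operation)") -and
                       ($LogonTypes -contains "$($_.LogonType)") } |
        # One summary row per mailbox / acting user / client address.
        Group-Object MailboxOwnerUPN, LogonUserDisplayName, ClientIPAddress |
        ForEach-Object {
            $group = $_.Group
            # Cast so that records re-imported from a CSV export (strings) sort as dates.
            $times = @($group | ForEach-Object { [datetime]$_.LastAccessed } | Sort-Object)
            [pscustomobject]@{
                Mailbox    = $group[0].MailboxOwnerUPN
                Actor      = $group[0].LogonUserDisplayName
                ClientIP   = $group[0].ClientIPAddress
                Events     = $group.Count
                Operations = (@($group | ForEach-Object { "$($_.Operation)" }) | Sort-Object -Unique) -join ','
                Folders    = (@($group | ForEach-Object { "$($_.FolderPathName)" }) | Sort-Object -Unique) -join ','
                FirstSeen  = $times[0]
                LastSeen   = $times[-1]
            }
        } |
        Sort-Object Events -Descending
}

# Constructed sample records (names, addresses and times are made up). Only the
# properties used by the function are included.
$sample = @"
MailboxOwnerUPN,LogonType,Operation,LogonUserDisplayName,ClientIPAddress,FolderPathName,LastAccessed
bob@contoso.example,Owner,SoftDelete,Bob,198.51.100.10,\Inbox,2016-12-06T04:01:14
bob@contoso.example,Delegate,FolderBind,Delegate One,203.0.113.7,\Inbox,2016-12-06T09:10:00
bob@contoso.example,Delegate,MoveToDeletedItems,Delegate One,203.0.113.7,\Inbox,2016-12-06T09:12:30
bob@contoso.example,Delegate,HardDelete,Delegate One,203.0.113.7,\Deleted Items,2016-12-06T09:13:05
bob@contoso.example,Admin,HardDelete,Admin One,203.0.113.9,\Recoverable Items,2016-12-07T01:00:00
"@ | ConvertFrom-Csv

Get-NonOwnerDeletionSummary -Record $sample | Format-Table -AutoSize

# Against a live mailbox (requires an Exchange Online session):
# $records = Search-MailboxAuditLog Bob -LogonTypes Admin,Owner,Delegate -ShowDetails -StartDate (Get-Date).AddDays(-30)
# Get-NonOwnerDeletionSummary -Record $records
```

When the records come from a CSV written by Export-CSV, the LastAccessed text is in the exporting machine's date format, so the `[datetime]` cast may need to be replaced with an explicit parse for that format.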
Export Office 365 portal admin Audit log
PowerShell command example
```powershell
Search-AdminAuditLog | Export-CSV "c:\temp\Search-AdminAuditLog.CSV" -NoTypeInformation -Encoding UTF8
```
Export Office 365 admin Audit log for a specific PowerShell cmdlet
PowerShell command example
```powershell
Search-AdminAuditLog -Cmdlets Enable-AddressListPaging | Export-CSV "c:\temp\Search-AdminAuditLog.CSV" -NoTypeInformation -Encoding UTF8
```
Export Office 365 portal admin Audit log for “Admin actions” that were performed on a specific mailbox
PowerShell command example
```powershell
Search-AdminAuditLog -ObjectIds Bob | Export-CSV "c:\temp\Search-AdminAuditLog.CSV" -NoTypeInformation -Encoding UTF8
```
Disable Audit
Disable Audit on Exchange mailbox
PowerShell command syntax
```powershell
Set-Mailbox -Identity <Identity> -AuditEnabled $False
```
PowerShell command example
```powershell
Set-Mailbox -Identity Bob -AuditEnabled $False
```
Disable Audit on ALL Mailboxes (Bulk Mode)
PowerShell command example
```powershell
Get-Mailbox -ResultSize Unlimited | ForEach-Object {Set-Mailbox $_.UserPrincipalName -AuditEnabled $False}
```
Additional Exchange Audit options
View information about the “Audit folder” (the Audit log store)
PowerShell command example
```powershell
Get-MailboxFolderStatistics Bob | Where-Object {$_.Name -eq "Audits"} | Format-Table Identity, ItemsInFolder, FolderSize -AutoSize
```
Enable Mailbox Audit Bypass Association
PowerShell command example
```powershell
Set-MailboxAuditBypassAssociation -Identity Bob -AuditBypassEnabled $True
```
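A review of the settings covered in “View Exchange mailbox Audit settings” and of the bypass association above, as an added example that is not part of the original article: it reports mailboxes whose audit configuration falls short of a baseline, and accounts with audit bypass enabled that are not on an approved list. The function names, the approved-account list and the sample objects are constructed for illustration; the baseline is the set of actions used in this article's Set-Mailbox examples.

```powershell
# Added example, not from the original article. Function and variable names are hypothetical.
# Baseline = the action lists used in this article's Set-Mailbox examples.
$AuditBaseline = @{
    AuditOwner    = 'Create','HardDelete','MailboxLogin','Move','MoveToDeletedItems','SoftDelete','Update'
    AuditDelegate = 'Create','FolderBind','HardDelete','Move','MoveToDeletedItems','SoftDelete','Update'
    AuditAdmin    = 'Copy','Create','FolderBind','HardDelete','MessageBind','Move',
                    'MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update'
}

function Get-AuditCoverageGap {
    # Emits one finding object per mailbox whose audit settings fall short of the baseline.
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Mailbox,
        [hashtable] $Baseline = $AuditBaseline
    )
    process {
        $findings = @()
        if (-not $Mailbox.AuditEnabled) { $findings += 'AuditEnabled is False' }
        foreach ($type in ($Baseline.Keys | Sort-Object)) {
            # Normalise to strings: remote sessions return deserialized collections.
            $configured = @($Mailbox.$type | ForEach-Object { "$_" })
            $missing    = @($Baseline[$type] | Where-Object { $configured -notcontains $_ })
            if ($missing.Count -gt 0) { $findings += "$type missing: $($missing -join ',')" }
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{ Mailbox = $Mailbox.UserPrincipalName; Findings = $findings -join '; ' }
        }
    }
}

function Get-UnapprovedAuditBypass {
    # Returns accounts whose mailbox actions are not logged (bypass enabled)
    # and that are not on the approved list.
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Association,
        [string[]] $Approved = @()
    )
    process {
        if ($Association.AuditBypassEnabled -and ($Approved -notcontains $Association.Name)) {
            $Association.Name
        }
    }
}

# Constructed sample objects shaped like Get-Mailbox and
# Get-MailboxAuditBypassAssociation output (names are made up).
$sampleMailboxes = @(
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; AuditEnabled = $true
        AuditOwner = $AuditBaseline.AuditOwner; AuditDelegate = $AuditBaseline.AuditDelegate
        AuditAdmin = $AuditBaseline.AuditAdmin }
    [pscustomobject]@{ UserPrincipalName = 'adele@contoso.example'; AuditEnabled = $true
        AuditOwner = @(); AuditDelegate = $AuditBaseline.AuditDelegate
        AuditAdmin = 'Update','Move','MoveToDeletedItems','SoftDelete' }
    [pscustomobject]@{ UserPrincipalName = 'john@contoso.example'; AuditEnabled = $false
        AuditOwner = $AuditBaseline.AuditOwner; AuditDelegate = $AuditBaseline.AuditDelegate
        AuditAdmin = $AuditBaseline.AuditAdmin }
)
$sampleBypass = @(
    [pscustomobject]@{ Name = 'svc-backup'; AuditBypassEnabled = $true }
    [pscustomobject]@{ Name = 'Bob';        AuditBypassEnabled = $true }
    [pscustomobject]@{ Name = 'Alicia';     AuditBypassEnabled = $false }
)

$sampleMailboxes | Get-AuditCoverageGap | Format-List
$sampleBypass    | Get-UnapprovedAuditBypass -Approved 'svc-backup'

# Against a live tenant (requires an Exchange Online session):
# Get-Mailbox -ResultSize Unlimited | Get-AuditCoverageGap
# Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Get-UnapprovedAuditBypass -Approved 'svc-backup'
```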
Set Audit retention – number of days
PowerShell command syntax
```powershell
Set-Mailbox <Identity> -AuditLogAgeLimit <Days>
```
PowerShell command example
```powershell
Set-Mailbox John -AuditLogAgeLimit 30
```
Export Audit log information to an HTML file using CSS style
In the following section, I provide a more complex PowerShell script compared with the former PowerShell command examples.
To successfully use and execute this PowerShell script example, it’s recommended to use the following tips:
Tip 1#2 – Running the PowerShell script by using PowerShell ISE
Theoretically, you can copy the PowerShell code and paste it into the PowerShell console.
It’s logical to assume that you will encounter many problems, because the “PowerShell console” cannot handle “complicated” PowerShell code that includes spaces, remarks and so on.
To work efficiently and easily with the attached PowerShell code, I strongly recommend using the graphic version of Windows PowerShell named ISE (Windows PowerShell Integrated Scripting Environment).
PowerShell ISE should be installed by default on a modern Windows OS, or you can download an updated PowerShell version that includes the PowerShell ISE tool.
Tip 2#2 – Using the attached menu-based PowerShell script
If you would like to avoid “manual typing” of the PowerShell commands, at the bottom of the article you can find a link to a menu-based PowerShell script that I wrote to simplify the task of connecting to Exchange Online using remote PowerShell and using most of the PowerShell commands that appear in the article.
Export Audit log information to an HTML file Specific Exchange mailbox
PowerShell command example
```powershell
#------------------------------------------------------------------------------
# Section 1 | HTML Table Alternating Rows
#------------------------------------------------------------------------------
Function Set-AlternatingRows {
    # Tags each <tr> line of the ConvertTo-Html output with an alternating CSS class.
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True,ValueFromPipeline=$True)]
        [string]$Line,

        [Parameter(Mandatory=$True)]
        [string]$CSSEvenClass,

        [Parameter(Mandatory=$True)]
        [string]$CSSOddClass
    )
    Begin {
        $ClassName = $CSSEvenClass
    }
    Process {
        If ($Line.Contains("<tr>"))
        {
            $Line = $Line.Replace("<tr>","<tr class=""$ClassName"">")
            If ($ClassName -eq $CSSEvenClass)
            {
                $ClassName = $CSSOddClass
            }
            Else
            {
                $ClassName = $CSSEvenClass
            }
        }
        Return $Line
    }
}

#------------------------------------------------------------------------------
# Section 2 | General
#------------------------------------------------------------------------------
$Date = Get-Date

#------------------------------------------------------------------------------
# Section 3 | HTML CSS Style
#------------------------------------------------------------------------------
$Header = @"
<style>
Body{font-family:segoe ui,arial;color:black; }
H1 { font-size: 26px; font-weight:bold;width: 90%; text-transform: uppercase; color: #FFF; background:#2F5496 ; border: 4px solid #fff; margin: 20px auto; padding: 10px 20px; }
TABLE {border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}
TH {border-width: 1px;padding: 5px;border-style: solid;border-color: #d1d3d4;background-color:#0072c6 ;color:white;}
TD {border-width: 1px;padding: 3px;border-style: solid;border-color: black;}
.odd { background-color:#ffffff; }
.even { background-color:#dddddd; }
</style>
"@

#------------------------------------------------------------------------------
# Section 4 | Provide the name of the recipient (Mailbox) that you want to export the log files
#------------------------------------------------------------------------------
# The mailbox name must be read before it is used in the searches below.
$Alias = Read-Host "Type the Recipient name"

#------------------------------------------------------------------------------
# Section 5 | Exchange Online | PowerShell Variables
#------------------------------------------------------------------------------
$AuditOwner    = Search-MailboxAuditLog $Alias -LogonTypes Owner -ShowDetails
$AuditDelegate = Search-MailboxAuditLog $Alias -LogonTypes Delegate -ShowDetails
$AuditAdmin    = Search-MailboxAuditLog $Alias -LogonTypes Admin -ShowDetails

#------------------------------------------------------------------------------
# Section 6 | PowerShell command syntax | Export Audit information
#------------------------------------------------------------------------------
$AuditOwner | ConvertTo-Html -Head $Header -Body "<H1>$Alias - Audit Owner Log | $Date </H1>" | Set-AlternatingRows -CSSEvenClass even -CSSOddClass odd | Out-File "c:\temp\$Alias - Audit Owner Log.html"

$AuditDelegate | ConvertTo-Html -Head $Header -Body "<H1>$Alias - Audit Delegate Log | $Date </H1>" | Set-AlternatingRows -CSSEvenClass even -CSSOddClass odd | Out-File "c:\temp\$Alias - Audit Delegate Log.html"

$AuditAdmin | ConvertTo-Html -Head $Header -Body "<H1>$Alias - Audit Admin Log | $Date </H1>" | Set-AlternatingRows -CSSEvenClass even -CSSOddClass odd | Out-File "c:\temp\$Alias - Audit Admin Log.html"
```
Export Audit information on ALL Mailboxes (Bulk Mode)
The following PowerShell script will run a “loop” on all existing Exchange Online mailboxes (Bulk mode), and for each Exchange Online mailbox get the following Audit information:
- Owner Audit
- Delegate Audit
- Admin Audit
The PowerShell script will perform the following tasks:
- The information will be exported to two file formats: CSV and HTML.
- The script is configured to store the exported files in the following path: C:\INFO\Audit Report
- A separate folder will be created for each of the Exchange Online recipients.
- The folder name will be the Exchange recipient Alias name.
PowerShell command example
```powershell
# Uses $Header, $Date and Set-AlternatingRows from the previous script,
# so run that script's Sections 1-3 in the same session first.
$AllMailboxes = Get-Mailbox -ResultSize Unlimited
ForEach ($Mailbox in $AllMailboxes)
{
    $office365User = $Mailbox.UserPrincipalName

    # Set directory variables
    $A21 = "C:\INFO\Audit Report\$office365User"
    $A22 = "C:\INFO\Audit Report\$office365User\Owner Audit"
    $A23 = "C:\INFO\Audit Report\$office365User\NonOwner Audit"
    $A24 = "C:\INFO\Audit Report\$office365User\Admin Audit"

    # Create folders
    if (!(Test-Path -Path $A21)) { New-Item $A21 -Type Directory }
    if (!(Test-Path -Path $A22)) { New-Item $A22 -Type Directory }
    if (!(Test-Path -Path $A23)) { New-Item $A23 -Type Directory }
    if (!(Test-Path -Path $A24)) { New-Item $A24 -Type Directory }

    #-----------------------------------------------------
    # Exchange Online | PowerShell Variables
    #-----------------------------------------------------
    $AuditOwner    = Search-MailboxAuditLog $office365User -LogonTypes Owner -ShowDetails
    $AuditDelegate = Search-MailboxAuditLog $office365User -LogonTypes Delegate -ShowDetails
    $AuditAdmin    = Search-MailboxAuditLog $office365User -LogonTypes Admin -ShowDetails

    #-----------------------------------------------------
    # Export Audit Owner Log to CSV + HTML files
    #-----------------------------------------------------
    # CSV format
    $AuditOwner | Export-CSV "$A22\$office365User -Audit Owner Log.CSV" -NoTypeInformation -Encoding UTF8
    # HTML format
    $AuditOwner | ConvertTo-Html -Head $Header -Body "<H1>$office365User - Audit Owner Log | $Date </H1>" | Set-AlternatingRows -CSSEvenClass even -CSSOddClass odd | Out-File "$A22\$office365User - Audit Owner Log.html"

    #-----------------------------------------------------
    # Export Audit Delegate Log to CSV + HTML files
    #-----------------------------------------------------
    # CSV format
    $AuditDelegate | Export-CSV "$A23\$office365User - Audit Delegate Log.CSV" -NoTypeInformation -Encoding UTF8
    # HTML format (the page heading now names the Delegate log, not the Owner log)
    $AuditDelegate | ConvertTo-Html -Head $Header -Body "<H1>$office365User - Audit Delegate Log | $Date </H1>" | Set-AlternatingRows -CSSEvenClass even -CSSOddClass odd | Out-File "$A23\$office365User - Audit Delegate Log.html"

    #-----------------------------------------------------
    # Export Audit Admin Log to CSV + HTML files
    #-----------------------------------------------------
    # CSV format
    $AuditAdmin | Export-CSV "$A24\$office365User -Audit Admin Log.CSV" -NoTypeInformation -Encoding UTF8
    # HTML format (the page heading now names the Admin log, not the Owner log)
    $AuditAdmin | ConvertTo-Html -Head $Header -Body "<H1>$office365User - Audit Admin Log | $Date </H1>" | Set-AlternatingRows -CSSEvenClass even -CSSOddClass odd | Out-File "$A24\$office365User - Audit Admin Log.html"
}
```
Mailbox actions logged by mailbox audit logging
| Action | Description | Admin | Delegate*** | Owner |
| --- | --- | --- | --- | --- |
| Copy | A message was copied to another folder. | Yes | No | No |
| Create | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that message or folder creation isn’t audited. | Yes* | Yes* | Yes |
| FolderBind | A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox. | Yes* | Yes** | No |
| HardDelete | A message was purged from the Recoverable Items folder. | Yes* | Yes* | Yes |
| MailboxLogin | The user signed in to their mailbox. | No | No | Yes |
| MessageBind | A message was viewed in the preview pane or opened. | Yes | No | No |
| Move | A message was moved to another folder. | Yes* | Yes | Yes |
| MoveToDeletedItems | A message was deleted and moved to the Deleted Items folder. | Yes* | Yes | Yes |
| SendAs | A message was sent using the SendAs permission. This means another user sent the message as though it came from the mailbox owner. | Yes* | Yes* | No |
| SendOnBehalf | A message was sent using the SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message. | Yes* | Yes | No |
| SoftDelete | A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder. | Yes* | Yes* | Yes |
| Update | A message or its properties was changed. | Yes* | Yes* | Yes |
Additional reading
- Search-AdminAuditLog
- Enable or disable mailbox audit logging for a mailbox
- Parsing the Admin Audit Logs with PowerShell
- Enable mailbox auditing in Office 365
- Run a non-owner mailbox access report
- Mailbox audit logging in Exchange 2016
- Unleashing the power of the AdminAuditLog
- Use Admin Audit Logging to Track Changes Made by Administrators
Getting started with Office 365 PowerShell
Get more information about the Naming Conventions that are used in the PowerShell articles – Help and additional information – o365info.com PowerShell articles
To get more information about the required remote PowerShell commands that you need to use for connecting to Exchange Online, read the following article:
Connect to Exchange Online by using Remote PowerShell
To get more information about the required software component + the remote PowerShell commands that you need to use for connecting to Azure Active Directory, read the following article: Part 2: Connect to Office 365 by using Remote PowerShell
If you are new to the PowerShell world, you can read more information about how to start working with PowerShell in an Office 365 based environment in the following article series: Getting started with Office 365 PowerShell – Part 1, Part 2, Part 3 and Part 4.
If you need more information about how to use the o365info PowerShell scripts that I add to the PowerShell articles, you can read the article – How to run and use o365info PowerShell menu script
An amazing blog post. Thanks for sharing this information !
In my circumstance to audit non-owner mailbox accesses, I use an automated solution named Lepide auditor suite (http://www.lepide.com/lepideauditor/exchange.html ) that works great in my work-station. It helps to audit all the non-owner mailbox access and changes made in exchange mailboxes at granular level and provides the captured data into real time.
Hi,
What is the maximum days we can set with AuditLogAgeLimit by today in Exchange Online?