Enable Mailbox Auditing on Office 365 (Exchange Online)
1. Connect to Exchange Online
Run PowerShell as administrator and authenticate with your admin account:Connect-ExchangeOnline -UserPrincipalName [email protected]
2. Confirm Organization-Level Auditing Status
Check if mailbox auditing is enabled by default:Get-OrganizationConfig | Format-List AuditDisabled
If the output shows False
, auditing is on by default for all mailbox types.
3. Enable Auditing for Mailboxes (If Needed)
This step is optional if auditing is already enabled by default organization-wide. However, to ensure auditing is active:
For user mailboxes:
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
For shared mailboxes:
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "SharedMailbox"} | Set-Mailbox -AuditEnabled $true
4. Configure Audited Actions (Optional)
By default, a predefined set of actions is audited for owner, delegate, and admin sign-ins. If necessary, customize audit actions using parameters like -AuditOwner
, -AuditDelegate
, and -AuditAdmin
. For example:Set-Mailbox -Identity [email protected] -AuditOwner @{Add="MailboxLogin","UpdateInboxRules"}
5. Verify Auditing Settings
To confirm auditing is working:
Check mailbox-level audit properties:
Get-Mailbox -Identity [email protected] | Format-List Audit*
Check default audit actions in use:
Get-Mailbox -Identity [email protected] | Format-List DefaultAuditSet
6. Manage Bypass (If Required)
If you need to exempt specific mailboxes or users from audit logging:Set-MailboxAuditBypassAssociation -Identity [email protected] -AuditBypassEnabled $true
Check the bypass status:Get-MailboxAuditBypassAssociation -Identity [email protected] | Format-List AuditByPassEnabled
Summary
Microsoft now enables mailbox auditing by default across all mailbox types—user, shared, group, etc.
Organization-level auditing settings override mailbox-specific ones.
You can still customize and review audit actions and bypass settings as needed.