Enable Mailbox Auditing on Office 365
Posted inBlog

Enable Mailbox Auditing on Office 365

Enable Mailbox Auditing on Office 365 (Exchange Online)

1. Connect to Exchange Online
Run PowerShell as administrator and authenticate with your admin account:
Connect-ExchangeOnline -UserPrincipalName [email protected]

2. Confirm Organization-Level Auditing Status
Check if mailbox auditing is enabled by default:
Get-OrganizationConfig | Format-List AuditDisabled
If the output shows False, auditing is on by default for all mailbox types.

3. Enable Auditing for Mailboxes (If Needed)
This step is optional if auditing is already enabled by default organization-wide. However, to ensure auditing is active:

  • For user mailboxes:
    Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

  • For shared mailboxes:
    Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "SharedMailbox"} | Set-Mailbox -AuditEnabled $true

4. Configure Audited Actions (Optional)
By default, a predefined set of actions is audited for owner, delegate, and admin sign-ins. If necessary, customize audit actions using parameters like -AuditOwner, -AuditDelegate, and -AuditAdmin. For example:
Set-Mailbox -Identity [email protected] -AuditOwner @{Add="MailboxLogin","UpdateInboxRules"}

5. Verify Auditing Settings
To confirm auditing is working:

  • Check mailbox-level audit properties:
    Get-Mailbox -Identity [email protected] | Format-List Audit*

  • Check default audit actions in use:
    Get-Mailbox -Identity [email protected] | Format-List DefaultAuditSet

6. Manage Bypass (If Required)
If you need to exempt specific mailboxes or users from audit logging:
Set-MailboxAuditBypassAssociation -Identity [email protected] -AuditBypassEnabled $true

Check the bypass status:
Get-MailboxAuditBypassAssociation -Identity [email protected] | Format-List AuditByPassEnabled

Summary

  • Microsoft now enables mailbox auditing by default across all mailbox types—user, shared, group, etc.

  • Organization-level auditing settings override mailbox-specific ones.

  • You can still customize and review audit actions and bypass settings as needed.

Tags:

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply