How to Configure Exchange Mailbox Auditing
You can configure auditing on an individual mailbox basis by using the Set-Mailbox cmdlet. This cmdlet allows you to specify:
- Which operations are audited
- Which types of users are audited
- Whether auditing is enabled on the mailbox
- How long entries are kept
Actions that can be audited for each logon type:

| Action | Description | Administrator | Delegate | Owner |
|---|---|---|---|---|
| AddFolderPermissions*** | This mailbox action is included in the UpdateFolderPermissions action and isn't audited separately. It is included in this chart because it is listed as an audit option in Exchange. | n/a | n/a | n/a |
| ApplyRecord | This mailbox action is enabled by default. It is not configurable and is available for Exchange Online only. | • | • | • |
| Copy | Item copied to another folder. | • | n/a | n/a |
| Create | Item created in the mailbox. (For example, a message is sent or received.) Folder creation isn't audited. | • | • | • |
| FolderBind | A mailbox folder is accessed. Note: MS says "Entries for folder bind actions performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of three hours." The time span is now 24 hours in Exchange 2016, 2019 and Online. | • | • | n/a |
| HardDelete | Item deleted permanently from the Recoverable Items folder. | • | • | • |
| MailboxLogin | The user signed in to their mailbox. | n/a | n/a | •** |
| MailItemsAccessed | This audit action is only available for E5/A5/G5 licenses. It replaces MessageBind in Exchange Online and is available for Exchange Online only. | • | • | • |
| MessageBind | Item accessed in the reading pane or opened. Although this value is accepted, it is no longer logged. | • | n/a | n/a |
| ModifyFolderPermissions*** | This mailbox action is included in the UpdateFolderPermissions action and isn't audited separately. It is included in this chart because it is listed as an audit option in Exchange. | n/a | n/a | n/a |
| Move | Item moved to another folder. | • | • | • |
| MoveToDeletedItems | Item moved to the Deleted Items folder. | • | • | • |
| RecordDelete | Item soft deleted and moved to the Recoverable Items folder. These items cannot be permanently deleted. For Exchange Online only. | • | • | • |
| RemoveFolderPermissions*** | This mailbox action is included in the UpdateFolderPermissions action and isn't audited separately. It is included in this chart because it is listed as an audit option in Exchange. | n/a | n/a | n/a |
| SearchQueryInitiated | This audit action is only available for E5/A5/G5 licenses. Audited when a user searches for items in a mailbox. Available for Exchange Online only. | n/a | n/a | • |
| Send | This audit action is only available for E5/A5/G5 licenses. Audited when a user sends, replies to or forwards an email. Available for Exchange Online only. | • | n/a | • |
| SendAs | Message sent using Send As permissions. | • | • | n/a |
| SendOnBehalf | Message sent using Send on Behalf permissions. | • | • | n/a |
| SoftDelete | Item deleted from the Deleted Items folder. | • | • | • |
| Update | Item's properties are updated. | • | • | • |
| UpdateCalendarDelegation*** | Another user was granted permissions to manage another user's calendar. | • | n/a | • |
| UpdateComplianceTag | For Exchange Online only. | • | • | • |
| UpdateFolderPermissions**** | Permissions to access another user's folder and the messages in that folder have changed. | • | • | • |
| UpdateInboxRules*** | An inbox rule has been created, deleted or modified. | • | • | • |

* Does not apply to Exchange 2016, Exchange 2019 and Exchange Online.
** Does not apply to Exchange 2013.
*** Applies only to Exchange 2019 and Exchange Online.
Exchange allows you to set audit policy differently for each of the 3 logon types used when accessing a mailbox:
- -AuditOwner - the user accessing his/her own mailbox. Owner auditing is not normally enabled.
- -AuditDelegate - specifies the actions to audit for normal users who've been given access to this mailbox, and for most actions by administrators.
- -AuditAdmin - most actions by administrators are audited by -AuditDelegate, not by this setting, but some actions, when performed a certain way, result in the logon type being considered an Admin and are only audited if enabled by this setting. To be safe, configure this setting to match -AuditDelegate.
In the example below we are enabling auditing on John's mailbox and configuring it to audit any delegate who sends email as John or views his mailbox.
Set-Mailbox -Identity "John Smith" -AuditDelegate SendAs,SendOnBehalf,MessageBind,FolderBind -AuditEnabled $true
You can also suppress “noise events” that are triggered by automated processes such as virus scanners. To do so, disable mailbox auditing globally for specified application accounts by using the Set-MailboxAuditBypassAssociation cmdlet.
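The following added example (not from the original page) applies the advice above: it sets -AuditAdmin to match -AuditDelegate, sets a retention period, registers a bypass for a scanner account, and then reports mailboxes whose settings have drifted. The account name svc-avscan, the 90-day retention value and the helper function Get-MailboxAuditGap are assumptions made for illustration.

```powershell
# Added example. Assumes an Exchange Management Shell or Exchange Online
# PowerShell session is already connected.
$mailbox    = 'John Smith'     # mailbox from the page's example
$scannerAcc = 'svc-avscan'     # hypothetical scanner service account
$retention  = '90.00:00:00'    # example value: keep entries 90 days

# Actions the table marks as auditable for both Administrator and Delegate.
$actions = 'SendAs','SendOnBehalf','FolderBind','Move',
           'MoveToDeletedItems','SoftDelete','HardDelete'

# -AuditAdmin is set to the same list as -AuditDelegate.
Set-Mailbox -Identity $mailbox -AuditEnabled $true `
    -AuditDelegate $actions -AuditAdmin $actions `
    -AuditLogAgeLimit $retention

# Exempt the scanner account so its automated access does not flood the log.
Set-MailboxAuditBypassAssociation -Identity $scannerAcc -AuditBypassEnabled $true

# Report mailboxes where auditing is off, or where an action audited for
# delegates is missing from the admin list (hypothetical helper).
function Get-MailboxAuditGap {
    param([Parameter(Mandatory, ValueFromPipeline)] $Mailbox)
    process {
        $missing = @($Mailbox.AuditDelegate |
            Where-Object { $Mailbox.AuditAdmin -notcontains $_ })
        if (-not $Mailbox.AuditEnabled -or $missing.Count -gt 0) {
            [pscustomobject]@{
                Mailbox          = $Mailbox.Identity
                AuditEnabled     = $Mailbox.AuditEnabled
                MissingFromAdmin = $missing -join ','
                AuditLogAgeLimit = $Mailbox.AuditLogAgeLimit
            }
        }
    }
}
Get-Mailbox -ResultSize Unlimited | Get-MailboxAuditGap | Format-Table -AutoSize

# Bypassed accounts leave no mailbox audit entries, so review this list regularly.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled
```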