How to Configure Exchange Mailbox Auditing

You can configure auditing on an individual mailbox basis by using the Set-Mailbox cmdlet. This cmdlet allows you to specify

  • Which operations are audited
  • Which types of users are audited
  • If auditing is enabled on the mailbox
  • How long entries are kept

Actions that can be audited for each logon type:

Action Description Administrator Delegate Owner

AddFolderPermissions***

This mailbox action is included in the UpdateFolderPermissions action and isn't audited seperately. It is included in this chart because it is listed an audit option in Exchange.

n/a

n/a

n/a

ApplyRecord

This mailbox action is enabled by default. It is not configurable and available for Exchange Online only.

Copy

Item copied to another folder.

n/a

n/a

Create

Item created in the mailbox. (For example, a message is sent or received.) Folder creation isn't audited.

FolderBind

A mailbox folder is accessed. Note: MS says "Entries for folder bind actions performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of three hours." The time span is now 24 hours in Exchange 2016, 2019 and Online.

n/a

HardDelete

Item deleted permanently from the Recoverable Items folder.

MailboxLogin

The user signed in to their mailbox.

n/a

n/a

•**

MailItemsAccessed

This audit action is only available for E5/A5/G5 licenses. It replaces MessageBind in Exchange Online and available for Exchange Online only.

MessageBind

Item accessed in the reading pane or opened. Although this value is accepted it is no longer logged.

n/a

n/a

ModifyFolderPermissions***

This mailbox action is included in the UpdateFolderPermissions action and isn't audited seperately. It is included in this chart because it is listed an audit option in Exchange.

n/a

n/a

n/a

Move

Item moved to another folder.

MoveToDeletedItems

Item moved to the Deleted Items folder.

RecordDelete

Item soft deleted and moved to the Recoverable Items folder. These items can not be permanently deleted. For Exchange Online only.

RemoveFolderPermissions***

This mailbox action is included in the UpdateFolderPermissions action and isn't audited seperately. It is included in this chart because it is listed an audit option in Exchange.

n/a

n/a

n/a

SearchQueryInitiated

This audit action is only available for E5/A5/G5 licenses. Audited when a user searches for items in a mailbox and available for Exchange Online only.

n/a

n/a

Send

This audit action is only available for E5/A5/G5 licenses. Audited when a user sends, replies or forwards an email and available for Exchange Online only.

n/a

SendAs

Message sent using Send As permissions.

n/a

SendOnBehalf

Message sent using Send on Behalf permissions.

n/a

SoftDelete

Item deleted from the Deleted Items folder.

Update

Item's properties are updated.

UpdateCalendarDelegation***

Another user was granted permissions to manager another users calendar.

n/a

UpdateComplianceTag

For Exchange Online only.

UpdateFolderPermissions****

Permissions to access another users folder and the messages in that folder have changed.

UpdateInboxRules***

An inbox rule has been created, deleted or modified.

* Does not apply to Exchange 2016, Exchange 2019 and Exchange Online.
** Does not apply to Exchange 2013.
*** Applies only to Exchange 2019 and Exchange Online.

Exchange allows you to set audit policy differently depending on 3 different logon types when accessing a mailbox:

  • -AuditOwner - the user accessing his/her own mailbox. Owner auditing is not normally enabled.
  • -AuditDelegate - this specifies the action to be audited by normal users who've been given access to this mailbox and most actions by administrators.
  • -AuditAdmin - most actions by administrators are audited by -AuditDelegate, not by this setting, but some actions, when performed a certain way, result in the logon type being considered an Admin and are only audited if enabled by this setting. To be safe, configure this setting to match -AuditDelegate.

In the example below we are enabling auditing on John's mailbox and configuring it to audit any delegate who sends email as John, or view his mailbox.

Set-Mailbox -Identity "John Smith" -AuditDelegate SendAs,SendOnBehalf,MessageBind,FolderBind
-AuditEnabled $true

You can also suppress “noise events” that are triggered by automated processes such as virus scanners. To do so, disable mailbox auditing globally for specified application accounts by using the Set-MailboxAuditBypassAssociation cmdlet.

Next: Storage

 

Upcoming Webinars
    Additional Resources