How to Configure Exchange Mailbox Auditing

You can configure auditing on an individual mailbox basis by using the Set-Mailbox cmdlet. This cmdlet allows you to specify:

  • Which operations are audited
  • Which types of users are audited
  • Whether auditing is enabled on the mailbox
  • How long entries are kept

Actions that can be audited for each logon type:

Action Description Administrator Delegate Owner

Copy

Item copied to another folder.

n/a

n/a

Create

Item created in the mailbox. (For example, a message is sent or received.) Folder creation isn't audited.

FolderBind

A mailbox folder is accessed. Note: MS says "Entries for folder bind actions performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of three hours." The time span is now 24 hours in Exchange 2016, 2019 and Online.

•*

HardDelete

Item deleted permanently from the Recoverable Items folder.

MailboxLogin

The user signed in to their mailbox.

n/a

n/a

•**

MessageBind

Item accessed in the reading pane or opened.

n/a

n/a

Move

Item moved to another folder.

MoveToDeletedItems

Item moved to the Deleted Items folder.

SendAs

Message sent using Send As permissions.

n/a

SendOnBehalf

Message sent using Send on Behalf permissions.

n/a

SoftDelete

Item deleted from the Deleted Items folder.

Update

Item's properties are updated.

UpdateCalendarDelegation***

Another user was granted permissions to manage another user's calendar.

n/a

UpdateFolderPermissions****

Permissions to access another user's folder and the messages in that folder have changed.

UpdateInboxRules***

An inbox rule has been created, deleted or modified.

* Does not apply to Exchange 2016, Exchange 2019 and Exchange Online.
** Does not apply to Exchange 2013.
*** Exchange Online only.
**** Exchange Online only. We have not been able to reproduce this action but have been able to reproduce "AddFolderPermissions" and "RemoveFolderPermissions". We believe that the latter two have replaced the "UpdateFolderPermissions" action.

Exchange allows you to set audit policy separately for each of the three logon types used when accessing a mailbox:

  • -AuditOwner - the user accessing his/her own mailbox. Owner auditing is not normally enabled.
  • -AuditDelegate - the actions to audit when performed by normal users who've been given access to this mailbox. Most actions by administrators are also audited under this setting.
  • -AuditAdmin - most actions by administrators are audited by -AuditDelegate, not by this setting. However, some actions, when performed a certain way, result in the logon type being considered Admin, and those are audited only if enabled by this setting. To be safe, configure this setting to match -AuditDelegate.

In the example below we enable auditing on John's mailbox and configure it to audit any delegate who sends email as John or views his mailbox.

Set-Mailbox -Identity "John Smith" -AuditDelegate SendAs,SendOnBehalf,MessageBind,FolderBind -AuditEnabled $true

You can also suppress “noise events” that are triggered by automated processes such as virus scanners. To do so, disable mailbox auditing globally for specified application accounts by using the Set-MailboxAuditBypassAssociation cmdlet.
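The following is an added example, not part of the original article. It applies the advice above in one pass: -AuditAdmin is set to match -AuditDelegate, the retention period is set, the result is verified, and the bypass list is reviewed. The service account name, the 180-day retention value and the chosen action list are assumptions for illustration.

```powershell
# Added example. Run in the Exchange Management Shell.
$Mailbox        = 'John Smith'
$ScannerAccount = 'svc-av-scanner'     # hypothetical application account
$Retention      = '180.00:00:00'       # assumed retention (dd.hh:mm:ss)

# Actions from the table above that are used here for both logon types.
$Actions = 'SendAs','SendOnBehalf','FolderBind',
           'MoveToDeletedItems','SoftDelete','HardDelete'

# Configure Delegate and Admin identically so an action is logged
# whichever logon type Exchange assigns to the session.
Set-Mailbox -Identity $Mailbox `
    -AuditEnabled $true `
    -AuditDelegate $Actions `
    -AuditAdmin $Actions `
    -AuditLogAgeLimit $Retention

# Read the settings back and confirm every action is present for both types.
$cfg      = Get-Mailbox -Identity $Mailbox
$admin    = @($cfg.AuditAdmin    | ForEach-Object { "$_" })
$delegate = @($cfg.AuditDelegate | ForEach-Object { "$_" })
$missing  = $Actions | Where-Object {
    ($admin -notcontains $_) -or ($delegate -notcontains $_)
}

$cfg | Format-List Name, AuditEnabled, AuditLogAgeLimit,
                   AuditAdmin, AuditDelegate, AuditOwner

if (-not $cfg.AuditEnabled) {
    Write-Warning "Auditing is not enabled on '$Mailbox'."
}
if ($missing) {
    Write-Warning "Not audited for Admin and Delegate: $($missing -join ', ')"
}

# Suppress noise from an automated process. Access by a bypassed account
# is not logged for any mailbox, so keep this list short.
Set-MailboxAuditBypassAssociation -Identity $ScannerAccount -AuditBypassEnabled $true

# Review every account that currently bypasses mailbox auditing.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled
```

Any account in the final listing that is not a known application account is an audit blind spot and should have the bypass removed with -AuditBypassEnabled $false.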
