Mailbox Audit Logging in Exchange and Microsoft 365

Mailbox audit logging is a feature in Exchange and Microsoft 365 that enables you to track changes made to user mailboxes and their contents. When mailbox audit logging is enabled, Exchange and Microsoft 365 record a variety of mailbox-related events in the mailbox audit log, such as:

  • Mailbox logons and logoffs
  • Non-owner mailbox access
  • Folder-level actions, such as moving or deleting messages
  • Message-level actions, such as sending or receiving messages
  • Configuration changes, such as creating or deleting mailbox rules or delegates

By reviewing the mailbox audit logs, you can identify who made changes to a mailbox, what changes were made, and when they were made. This information can help you investigate security incidents, comply with regulatory requirements, and monitor user behavior.

To enable mailbox audit logging in Exchange or Microsoft 365, you can use the Exchange Admin Center (EAC) or PowerShell:

Using the Exchange Admin Center:

  1. Go to the Exchange Admin Center in your web browser and sign in with an account that has the necessary permissions.
  2. Click on the “Compliance Management” tab and then click on “Auditing” in the left-hand menu.
  3. Click on the “+” button to create a new mailbox audit log search.
  4. Configure the search criteria, such as the mailboxes to audit, the events to audit, and the date range to audit.
  5. Click “Save” to create the search and start the audit logging process.

Using PowerShell:

  1. Open the Exchange Management Shell as an administrator.
  2. Run the following command to enable mailbox audit logging for a specific mailbox:

       Set-Mailbox -Identity "user@example.com" -AuditEnabled $true

     Replace “user@example.com” with the email address of the mailbox you want to audit.
  3. Run the following command to configure the audit log search (the search name is passed with -Name; New-MailboxAuditLogSearch has no -Identity parameter):

       New-MailboxAuditLogSearch -Name "Search Name" -LogonTypes Owner,Delegate -ShowDetails -StartDate "01/01/2021" -EndDate "02/28/2023" -StatusMailRecipients "admin@example.com"

     Replace “Search Name” with a descriptive name for the search, and replace “admin@example.com” with the email address of the administrator who will receive the audit log search results.
  4. The search is queued as soon as New-MailboxAuditLogSearch runs, so it needs no separate start command (Exchange has no Start-MailboxAuditLogSearch cmdlet). Run the following command to confirm that the search you created in step 3 is listed:

       Get-AuditLogSearch -Type Mailbox

Once mailbox audit logging is enabled, you can review the audit logs using the EAC or PowerShell. It’s important to note that mailbox audit logging can generate a large amount of log data, so you may need to configure storage limits and retention policies to manage the logs effectively.
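
The following PowerShell is an added example, not part of the original article: it checks which mailboxes still have auditing off, sets an explicit retention period, and reviews non-owner access with a synchronous search. It assumes an open Exchange Management Shell or Exchange Online PowerShell session in which Search-MailboxAuditLog is available; the mailbox address, the 180-day retention and the 30-day window are placeholder values.

```powershell
# Added example. Assumes a connected Exchange session; all values below are placeholders.
$Mailbox = "user@example.com"
$Start   = (Get-Date).AddDays(-30)
$End     = Get-Date

# 1. Coverage check: list user mailboxes where auditing is still disabled.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress

# 2. Enable auditing and bound log growth with an explicit retention period.
#    Note: -AuditDelegate replaces the mailbox's current delegate action list
#    with exactly the actions named here.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditDelegate SendAs, SendOnBehalf, FolderBind, MoveToDeletedItems, SoftDelete, HardDelete `
    -AuditLogAgeLimit 180

# 3. Confirm the settings that are now in effect.
Get-Mailbox -Identity $Mailbox |
    Format-List AuditEnabled, AuditLogAgeLimit, AuditDelegate

# 4. Synchronous search for non-owner (delegate and admin) access.
#    -ShowDetails returns one object per audit entry and requires -Identity.
$Entries = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Delegate, Admin `
    -ShowDetails -StartDate $Start -EndDate $End -ResultSize 5000

# 5. Summarize who did what, most frequent first.
$Entries |
    Group-Object LogonUserDisplayName, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 6. List the higher-risk operations in time order for closer review.
$Entries |
    Where-Object { $_.Operation -in 'HardDelete', 'SendAs', 'SendOnBehalf' } |
    Sort-Object LastAccessed |
    Format-Table LastAccessed, LogonUserDisplayName, Operation, FolderPathName, ClientIPAddress
```

Unlike New-MailboxAuditLogSearch, which emails its results, Search-MailboxAuditLog returns entries directly to the console, so the output can be filtered or exported in the same session.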