Enable mailbox auditing in Office 365 (Exchange Online) by using the following steps:
- Connect to Exchange Online using Remote PowerShell.
- Run the following command to enable mailbox auditing for a specific mailbox:
    Set-Mailbox -Identity "<MailboxName>" -AuditEnabled $true

  Replace <MailboxName> with the name of the mailbox that you want to enable auditing for.
- Run the following command to enable mailbox auditing for all mailboxes in your organization:

    Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -or (RecipientTypeDetails -eq 'SharedMailbox')} | Set-Mailbox -AuditEnabled $true

- By default, only owner actions are audited. If you want to audit non-owner actions as well, run the following command:

    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

- To configure mailbox audit logging for specific actions, run the following command:

    Set-Mailbox -Identity "<MailboxName>" -AuditOwner Create,SoftDelete,HardDelete,Move,MoveToDeletedItems,MoveToFolder -AuditDelegate SendOnBehalf,Create

  Replace <MailboxName> with the name of the mailbox that you want to configure auditing for. The -AuditOwner and -AuditDelegate parameters specify which actions to audit for mailbox owners and delegates, respectively.
- To view the audit log entries, run the following command:

    Search-UnifiedAuditLog -StartDate <StartDate> -EndDate <EndDate> -RecordType MailboxAudit -ResultSize <ResultSize>

  Replace <StartDate> and <EndDate> with the date range for the audit log entries, and <ResultSize> with the number of entries to display.
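
After running the steps above, it helps to confirm that every mailbox actually carries the intended audit settings. The following is an added example, not part of the original page: the helper name Test-MailboxAuditCoverage is hypothetical, the sample mailboxes are constructed, and the baseline action lists are copied from the Set-Mailbox command in the steps above.

```powershell
# Added example: report mailboxes whose audit settings fall short of a baseline.
# Baseline action lists are copied from the Set-Mailbox command in the steps above.
$RequiredOwner    = 'Create','SoftDelete','HardDelete','Move','MoveToDeletedItems','MoveToFolder'
$RequiredDelegate = 'SendOnBehalf','Create'

function Test-MailboxAuditCoverage {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [string[]] $OwnerBaseline    = $RequiredOwner,
        [string[]] $DelegateBaseline = $RequiredDelegate
    )
    process {
        # Baseline actions the mailbox does not audit (comparison is case-insensitive).
        # A null or empty AuditOwner/AuditDelegate reports every baseline action as missing.
        $missingOwner    = @($OwnerBaseline    | Where-Object { $_ -notin $Mailbox.AuditOwner })
        $missingDelegate = @($DelegateBaseline | Where-Object { $_ -notin $Mailbox.AuditDelegate })

        [pscustomobject]@{
            Mailbox         = $Mailbox.UserPrincipalName
            AuditEnabled    = [bool]$Mailbox.AuditEnabled
            MissingOwner    = $missingOwner -join ','
            MissingDelegate = $missingDelegate -join ','
            Compliant       = [bool]$Mailbox.AuditEnabled -and
                              ($missingOwner.Count -eq 0) -and
                              ($missingDelegate.Count -eq 0)
        }
    }
}

# Constructed sample objects using the property names that Get-Mailbox returns.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com';  AuditEnabled = $true
                       AuditOwner = $RequiredOwner; AuditDelegate = $RequiredDelegate }
    [pscustomobject]@{ UserPrincipalName = 'shared@example.com'; AuditEnabled = $true
                       AuditOwner = 'Create','Move'; AuditDelegate = 'SendOnBehalf' }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com';    AuditEnabled = $false
                       AuditOwner = @(); AuditDelegate = @() }
)

# List only the mailboxes that need attention.
$sample | Test-MailboxAuditCoverage | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# In a connected Exchange Online session, check real mailboxes instead:
# Get-Mailbox -ResultSize Unlimited | Test-MailboxAuditCoverage | Where-Object { -not $_.Compliant }
```

Running the check on a schedule also surfaces newly created mailboxes and mailboxes where auditing was later switched off.
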
By enabling mailbox auditing, you can track mailbox activity, including changes to mailbox settings, access to mailbox folders, and messages sent and received. This can help you detect and investigate suspicious activity and meet regulatory compliance requirements.