Exchange 2013: Mailbox Auditing on Shared mailbox
Let’s take a look at Mailbox auditing using Exchange 2013.
Mailbox Audit logging is an excellent feature, available in Exchange 2007, 2010 and 2013, for finding out who has modified, moved or deleted emails from a shared mailbox. Let us learn more about how we can enable Mailbox Audit logging and what its advantages are.
I am taking the example of a shared mailbox used by one team, where all team members already have full mailbox access or read-only access to this mailbox.
The Mailbox Audit logging feature is not enabled by default; an administrator has to enable it manually. It has the following default configuration in Exchange Server 2013:
Mailbox audit logging is disabled
Audit log entries are retained for 90 days
No owner actions are logged
Some delegate and administrator actions are logged
Use the following command to find the default Mailbox Audit settings:
Get-Mailbox ExchangeTeam | fl *audit*
How to enable Mailbox Audit Logging and how it works
We can enable and manage auditing through both PowerShell commands and the Exchange Admin Centre. When we enable mailbox audit logging for a mailbox, audit log entries are stored in the Recoverable Items folder of the mailbox; this folder is not visible to the mailbox user via Outlook or any other client interface. Logs are written for the actions taken by the mailbox owner, delegates, or administrators, depending on the audit logging configuration set on the mailbox. Retention of these mailbox audit log entries can also be configured based on the requirement (up to 68 years).
Recoverable Items folder: This Recoverable Items folder includes important information such as the client IP address, host name, process/client used to access the mailbox, etc.
There are 3 levels of auditing for a mailbox as below:
Administrator: Audits mailbox moves, imports/exports from PSTs, mailbox discovery searches and actions performed using the MFCMAPI tool.
Owner: Audits all actions taken by the owner of the mailbox.
Delegates: Audits SendAs, SendOnBehalf and FullAccess permission on someone’s mailbox.
To enable or disable mailbox audit logging, use the commands below:
Set-Mailbox ExchangeTeam -AuditEnabled $true    # To enable
Set-Mailbox ExchangeTeam -AuditEnabled $false   # To disable
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true   # For all users (maybe not a good idea, or requires additional planning)
NOTE: We can also enable mailbox audit logging automatically when a mailbox is created by using the Scripting Agent, which is one of the cmdlet extension agents in Exchange Server 2013.
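The commands above, combined into a coverage check limited to shared mailboxes rather than all users (an added example, not the author's script). The action list in $RequiredDelegate and the 7-day search window are assumptions; run it in the Exchange Management Shell with rights to manage mailboxes.

```powershell
# Added example. $RequiredDelegate is an assumed policy choice, not a value from the article.
$RequiredDelegate = 'Update','Move','MoveToDeletedItems','SoftDelete','HardDelete','SendAs','SendOnBehalf'

# 1. Report shared mailboxes where auditing is off or required delegate actions are missing.
$gaps = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    ForEach-Object {
        $mbx = $_
        # Normalise to strings; drop empty values when no delegate action is configured.
        $have    = @($mbx.AuditDelegate | ForEach-Object { "$_".Trim() } | Where-Object { $_ })
        $missing = @($RequiredDelegate | Where-Object { $have -notcontains $_ })
        if (-not $mbx.AuditEnabled -or $missing.Count -gt 0) {
            [pscustomobject]@{
                Mailbox      = $mbx.Alias
                AuditEnabled = $mbx.AuditEnabled
                AgeLimit     = $mbx.AuditLogAgeLimit
                Missing      = $missing
                Wanted       = @($have + $missing | Select-Object -Unique)
            }
        }
    }
$gaps | Format-Table Mailbox, AuditEnabled, AgeLimit,
    @{ n = 'MissingActions'; e = { $_.Missing -join ',' } } -AutoSize

# 2. Preview the fix; remove -WhatIf to apply it.
#    -AuditDelegate replaces the existing list, so pass existing + required actions.
foreach ($g in $gaps) {
    Set-Mailbox -Identity $g.Mailbox -AuditEnabled $true -AuditDelegate $g.Wanted -WhatIf
}

# 3. Read the entries back: which delegates deleted items from the article's
#    example mailbox (ExchangeTeam) in the last 7 days, and from where?
$deletes = 'SoftDelete','HardDelete','MoveToDeletedItems'
Search-MailboxAuditLog -Identity ExchangeTeam -LogonTypes Delegate -ShowDetails `
        -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ResultSize 1000 |
    Where-Object { $deletes -contains "$($_.Operation)" } |
    Sort-Object LastAccessed |
    Select-Object LastAccessed, LogonUserDisplayName, Operation,
        FolderPathName, ClientIPAddress, ClientInfoString
```

Auditing only records actions taken after it is enabled, so step 3 returns nothing for activity that predates step 2.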
Find the Database Storage That Mailbox Audit Logs Consume
Administrators are often not interested in enabling this feature in their organization. One of the reasons could be that, as I already mentioned, mailbox audit log data is stored in a folder named Audits under the Recoverable Items folder of the mailbox. In practice, mailbox audit logging, using the default retention of 90 days and other default audit settings, adds about 1-2% to the size of the mailbox. This may vary depending on which audit options we have turned on, how many shared mailboxes we have, and the volume of delegate actions.
To see how much space the Recoverable Items folder occupies, use the command below:
Get-Mailbox ExchangeTeam | Get-MailboxFolderStatistics -FolderScope RecoverableItems | fl name,foldersize
Microsoft MVP | Exchange Server