MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

Mailbox audit logging in Exchange 2016

Because mailboxes contain sensitive, high business impact (HBI) information and personally identifiable information (PII), it is essential to keep track of who logs in to them and what actions are taken, and especially to track access by delegated users (anyone other than the mailbox owner).

The mailbox audit logging feature records mailbox access by owners, delegates and administrators. Each audit log entry records the IP address, host name, and process or client used to access the mailbox.

Once mailbox audit logging is enabled on a mailbox, audit log entries are generated and stored in the Audits subfolder of the Recoverable Items folder in the audited mailbox, irrespective of which client access method was used to access the mailbox or which server or computer an administrator uses to access the mailbox audit log.

NOTE: Moving a mailbox also moves its mailbox audit logs, because the logs are stored in the mailbox itself.

Enable mailbox audit logging

Enable Mailbox logging

Set-Mailbox <Identity> -AuditEnabled $true

Get-Mailbox |fl name,AuditEnabled

Get-Mailbox <Identity> |fl name,AuditEnabled,AuditLogAgeLimit


Use the below cmdlet to enable audit logging for all mailboxes in the organization:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

Disable Mailbox logging

Set-Mailbox <Identity> -AuditEnabled $false

Mailbox audit logs:

Mailbox audit log entries are stored in the Recoverable Items folder of the audited mailbox and are retained for 90 days by default. If required, the retention period can be increased with the AuditLogAgeLimit parameter of the Set-Mailbox cmdlet. If a mailbox is on In-Place Hold or Litigation Hold, audit log entries are still retained only until the mailbox's audit log retention period is reached. To keep audit log entries for longer, increase the retention period.


Change the age limit for mailbox audit log entries:

Set-Mailbox -Identity "<user>" -AuditLogAgeLimit <number of days to keep>


Use the below cmdlet to change age limit for mailbox audit log entries for all user mailboxes in the organization.

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditLogAgeLimit 180

Mailbox actions logged by mailbox audit logging (TechNet):

| Action | Description | Admin | Delegate*** | Owner |
|---|---|---|---|---|
| Copy | An item is copied to another folder. | Yes | No | No |
| Create | An item is created in the mailbox. (For example, a message is sent or received.) Note that folder creation isn't audited. | Yes* | Yes* | Yes |
| FolderBind | A mailbox folder is accessed. | Yes* | Yes** | No |
| HardDelete | An item is deleted permanently from the Recoverable Items folder. | Yes* | Yes* | Yes |
| MailboxLogin | The user signed in to their mailbox. | No | No | Yes |
| MessageBind | An item is accessed in the reading pane or opened. | Yes | No | No |
| Move | An item is moved to another folder. | Yes* | Yes | Yes |
| MoveToDeletedItems | An item is moved to the Deleted Items folder. | Yes* | Yes | Yes |
| SendAs | A message is sent using Send As permissions. | Yes* | Yes* | No |
| SendOnBehalf | A message is sent using Send on Behalf permissions. | Yes* | Yes | No |
| SoftDelete | An item is deleted from the Deleted Items folder. | Yes* | Yes* | Yes |
| Update | An item's properties are updated. | Yes* | Yes* | Yes |

Enable/Disable mailbox audit logging:

Once we enable mailbox audit logging for a mailbox, certain actions performed by administrators and delegates are logged by default. But none of the actions performed by the mailbox owner are logged by default.

NOTE: Auditing of mailbox owner actions generates a large number of mailbox audit log entries; hence it is not enabled by default. It is recommended to enable auditing of specific owner actions only when there is a business/compliance requirement.

Set-Mailbox <Identity> -AuditEnabled $true

Get-Mailbox |fl name,AuditEnabled


Use the below command to enable audit logging for all mailboxes in the organization:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

Disable the mailbox audit logging:

Set-Mailbox <Identity> -AuditEnabled $false
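Because owner actions are not logged by default and retention defaults to 90 days, it helps to check which mailboxes actually meet the audit settings you expect. The following is an added example, not part of the original article: Test-MailboxAuditConfig is a hypothetical helper, the policy values are assumptions, and -AuditOwner is the Set-Mailbox parameter that selects which owner actions are logged.

```powershell
# Added example: report mailboxes whose audit settings fall short of a policy.
# The policy values below are assumptions for illustration, not from the article.
$RequiredOwnerActions = 'HardDelete', 'SoftDelete', 'MoveToDeletedItems'
$MinimumAgeDays       = 90

function Test-MailboxAuditConfig {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [string[]] $OwnerActions = @(),
        [int] $MinimumAgeDays = 90
    )
    process {
        $gaps = @()
        if (-not $Mailbox.AuditEnabled) { $gaps += 'AuditEnabled is False' }

        # AuditLogAgeLimit prints as d.hh:mm:ss; parsing the string form works
        # in both local and remote shells.
        $age = [TimeSpan]::Parse("$($Mailbox.AuditLogAgeLimit)")
        if ($age.TotalDays -lt $MinimumAgeDays) {
            $gaps += "AuditLogAgeLimit is $([int]$age.TotalDays) days"
        }

        # Owner actions are only logged when they are listed in AuditOwner.
        $current = @($Mailbox.AuditOwner | ForEach-Object { "$_" })
        $missing = @($OwnerActions | Where-Object { $current -notcontains $_ })
        if ($missing) { $gaps += "AuditOwner lacks: $($missing -join ', ')" }

        if ($gaps) {
            [pscustomobject]@{ Name = $Mailbox.Name; Gaps = $gaps -join '; ' }
        }
    }
}
# Constructed sample objects so the function can be tried outside Exchange.
$sample = @(
    [pscustomobject]@{ Name = 'user1'; AuditEnabled = $true;  AuditLogAgeLimit = '180.00:00:00'
                       AuditOwner = @('HardDelete', 'SoftDelete', 'MoveToDeletedItems') }
    [pscustomobject]@{ Name = 'user2'; AuditEnabled = $false; AuditLogAgeLimit = '90.00:00:00'
                       AuditOwner = @() }
    [pscustomobject]@{ Name = 'user3'; AuditEnabled = $true;  AuditLogAgeLimit = '30.00:00:00'
                       AuditOwner = @('HardDelete') }
)
$sample | Test-MailboxAuditConfig -OwnerActions $RequiredOwnerActions -MinimumAgeDays $MinimumAgeDays

# In the Exchange Management Shell, feed real mailboxes instead:
#   Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} |
#       Test-MailboxAuditConfig -OwnerActions $RequiredOwnerActions
# and close an owner-action gap on one mailbox with:
#   Set-Mailbox <Identity> -AuditOwner HardDelete,SoftDelete,MoveToDeletedItems
```

With the sample data, user1 produces no output, while user2 and user3 are listed with their gaps.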


Search Mailbox Audit Logs:

We can use the below methods to search mailbox audit log entries:

  • Synchronously search a single mailbox: The Search-MailboxAuditLog cmdlet performs a synchronous search of the mailbox audit logs for one or more mailboxes and displays the results in the shell.
Cmdlet:
    Search-MailboxAuditLog -Identity <username> -LogonTypes Admin,Delegate -StartDate 10/1/2015 -EndDate 1/1/2016 -ResultSize 2000

  • Asynchronously search one or more mailboxes: Using the New-MailboxAuditLogSearch cmdlet, we can create a mailbox audit log search that asynchronously searches the mailbox audit logs for one or more mailboxes and sends the results to a specified email address as an XML attachment.
Cmdlet:
    New-MailboxAuditLogSearch "Admin and Delegate Access" -Mailboxes "<User1>","<User2>" -LogonTypes Admin,Delegate -StartDate 10/1/2015 -EndDate 1/1/2016 -StatusMailRecipients <email address of the auditor>

  • Use auditing reports in the Exchange admin center (EAC): Using the Auditing tab in the Exchange admin center, we can run a non-owner mailbox access report (which contains entries for admin and delegate actions) or export the mailbox audit log as below:

Open EAC -> Compliance Management -> Auditing -> click Export Mailbox Audit logs:


Under Export Mailbox Audit logs window, provide the details and click on Export:

  • Start and end dates: Set the date range for the entries to be exported.
  • Mailboxes to search audit log: Select the mailboxes to retrieve audit log entries for, or leave it blank to search all mailboxes.
  • Type of non-owner access: Select one of the following options to define the type of non-owner access:
    • All non-owners: Access by administrators and delegated users inside the organization, and by Microsoft datacenter administrators in Exchange Online.
    • External users: Access by Microsoft datacenter administrators.
    • Administrators and delegated users: Access by administrators and delegated users inside the organization.
    • Administrators: Access by administrators in the organization.
  • Recipients: Select the users to send the mailbox audit log.

The exported logs will be sent to the defined user/auditor as an .XML attachment. The user/auditor can open these logs using Outlook or webmail.

NOTE: By default, Outlook Web App blocks XML attachments. When we export the mailbox audit log, Microsoft Exchange attaches it in XML format, so it is important to either use Microsoft Outlook or configure Outlook Web App to allow XML attachments. Use the cmdlets below to allow them.

Add XML to the list of allowed file types in Outlook Web App:

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes @{add='.xml'}

Remove XML from the blocked file types list in Outlook Web App.

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -BlockedFileTypes @{remove='.xml'}
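For the synchronous search described earlier, the raw entries are easier to review once grouped by who accessed which mailbox and from where. The following is an added example, not part of the original article: Get-NonOwnerAccessSummary and New-SampleEntry are hypothetical helpers, the sample entries are constructed, and the property names are those returned by Search-MailboxAuditLog when the -ShowDetails switch is used.

```powershell
# Added example: summarize non-owner mailbox access by mailbox, user and client IP.
function Get-NonOwnerAccessSummary {
    param([Parameter(Mandatory, ValueFromPipeline)] $Entry)
    begin { $rows = @() }
    process {
        # Keep only the logon types the article's search asks for.
        if ("$($Entry.LogonType)" -in 'Admin', 'Delegate') { $rows += $Entry }
    }
    end {
        $rows |
            Group-Object MailboxResolvedOwnerName, LogonUserDisplayName, LogonType, ClientIPAddress |
            ForEach-Object {
                $first = $_.Group[0]
                [pscustomobject]@{
                    Mailbox    = $first.MailboxResolvedOwnerName
                    AccessedBy = $first.LogonUserDisplayName
                    LogonType  = "$($first.LogonType)"
                    ClientIP   = $first.ClientIPAddress
                    Operations = @($_.Group.Operation | Sort-Object -Unique) -join ', '
                    Entries    = $_.Count
                    LastSeen   = @($_.Group.LastAccessed | Sort-Object)[-1]
                }
            } |
            Sort-Object Entries -Descending
    }
}

# Constructed sample entries (names, IPs and times are made up) so the function
# runs outside Exchange; property names match Search-MailboxAuditLog -ShowDetails.
function New-SampleEntry($Owner, $User, $Type, $Op, $IP, $When) {
    [pscustomobject]@{
        MailboxResolvedOwnerName = $Owner; LogonUserDisplayName = $User; LogonType = $Type
        Operation = $Op; ClientIPAddress = $IP; LastAccessed = [datetime]$When
    }
}
$sample = @(
    New-SampleEntry 'User One' 'Admin A'    'Admin'    'FolderBind' '192.0.2.10'   '2015-11-02 09:14'
    New-SampleEntry 'User One' 'Admin A'    'Admin'    'HardDelete' '192.0.2.10'   '2015-11-02 09:20'
    New-SampleEntry 'User One' 'Delegate B' 'Delegate' 'SendAs'     '198.51.100.7' '2015-12-15 17:41'
    New-SampleEntry 'User One' 'User One'   'Owner'    'Move'       '192.0.2.55'   '2015-12-16 08:00'
)
$sample | Get-NonOwnerAccessSummary | Format-Table -AutoSize

# Against a real mailbox, in the Exchange Management Shell:
#   Search-MailboxAuditLog -Identity <username> -LogonTypes Admin,Delegate -ShowDetails `
#       -StartDate 10/1/2015 -EndDate 1/1/2016 -ResultSize 2000 | Get-NonOwnerAccessSummary
```

The sample yields two rows: Admin A with two entries (FolderBind, HardDelete) and Delegate B with one (SendAs); the Owner entry is filtered out.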

Ratish Nair

Microsoft MVP | Exchange Server

Team @MSExchangeGuru
