Understanding Mailbox Auditing Reports in Office 365

Published: Jul 03, 2012

SHARE ARTICLE

For administrators of Office 365, one of the functions of your role may be to create auditing reports for Exchange Online. This article helps you to understand the different auditing reports that are available in Office 365, and describes why they are useful and how to create them.

There are 5 types of auditing reports available in Office 365 (Exchange Online). They are:

  • Non-owner mailbox access
  • Export mailbox audit logs
  • Litigation hold report
  • Administrator role group report
  • Export administrator audit logs

This article focuses on the non-owner mailbox access reports. It describes the non-owner mailbox access report, and the options available for it.

Non-Owner Mailbox Access Reports in Office 365

The Non-owner mailbox access report identifies mailboxes that have been accessed by somebody other than the mailbox owner, and the actions that were taken by the non-owner.

When auditing is enabled on a mailbox, an audit record is created any time that mailbox is accessed by a non-owner. The non-owner access report quickly shows that access. This is ideal for legal cases in which you need to be able to identify any access other than the owner of the mailbox, or to ensure that the companies’ privacy standards are being upheld.

But auditing on accounts is not enabled by default. Before audit records are saved for mailbox access, auditing must be set on the user accounts. This can only be done through a PowerShell administrative session. I describe how to set up PowerShell to connect to Exchange Online in my article, How To Get Mailbox Sizes in Office 365 with PowerShell. Once you’ve established a PowerShell session for Exchange Online, you can set auditing for a mailbox using the Set-Mailbox command:

Set-Mailbox <Identity> –AuditEnabled $true

Or, you could turn on auditing for your whole organization like this:

Get-Mailbox | Where-Object {$_.RecipientTypeDetails –eq “UserMailbox”} |
Set-Mailbox –Auditenabled $true

Once enabled, auditing will report not only who accessed the account and when, but it also keeps track of what actions the non-owner took. However, it will not report auditable actions that took place before auditing was turned on. So when you enable auditing, you start getting entries at that time, but not before auditing was enabled.

User Access: Administrators and Delegated Users

There are two types of non-owners that can access an account: Administrators and Delegated Users. Administrators are the people responsible for the maintenance of Exchange Online; Delegated Users are people that have been assigned permission to the account. There are several actions that Exchange Online will log for different user types. For example, some account actions such as moving a mail message or sending an email on behalf of the mailbox owner are deemed appropriate behavior for a delegated user.

This is a list of actions that are able to be tracked through auditing. Since some of the actions are not tracked by default for a user type, the default audit state of those actions are listed for both types of user types.

Action
Description
Administrators
Delegated Users
Update Change a message Yes Yes
Copy Copy message to a folder No No
Move Move message to a folder Yes No
MoveToDeletedItems Move message to Deleted Items
folder
Yes No
SoftDelete Delete message from the Deleted Items
folder
Yes Yes
HardDelete Purge message from Recoverable Items
folder
Yes Yes
FolderBind Access a folder Yes No
SendAs Send message using SendAs permission (really looks like
the mailbox owner sent it)
Yes Yes
SendOnBehalf Send message using SendOnBehalf permission (identifies
the message as being sent by someone other than mailbox owner)
Yes No
MessageBind View message in preview pane or open message No No

The actions that are audited, as listed in this table, are the defaults, but they can be changed. If you want to see which actions are currently configured to be logged on an account, you can look at the properties AuditAdmin and AuditDelegate. For example, my mailbox is named Michael, so I can run this command to find out what actions are logged for delegated users that have permission to access my mailbox:

​Get-Mailbox Michael | Select-Object  –ExpandProperty
AuditDelegate

How to Add an Audited Action for Administrators and Delegated Users

You can set individual actions to be audited using the AuditAdmin and AuditDelegate parameters of the Set-Mailbox cmdlet. Here are some examples of setting the actions on the “Michael” mailbox. This can just as easily administer all of the user accounts, or a subset of user accounts.

First, load the accounts you want to modify the action audit settings for into a variable:

​$mb = Get-Mailbox "Michael"

Note: This is how you can easily group together multiple mailboxes to administer, including all mailboxes for an organization. Putting the mailboxes into a variable like this helps the rest of the commands to be shorter and look uniform. It also puts an emphasis on separating the “get mailboxes to administer” part of our task from the “what to do with the mailboxes” part. Keep in mind that the following commands will set the values for every mailbox in the $mb variable, whether it’s one mailbox or 1,000

• Set Audited Actions for Administrators to only be HardDelete:

​$mb | Set-Mailbox –AuditAdmin HardDelete

• Set Audited Actions for Administrators to only be HardDelete, and Audited Actions for Delegates to be only SendAs:

​$mb | Set-Mailbox –AuditAdmin HardDelete –AuditDelegate SendAs

• Set More than One Audited Action for One of the Audit Types by using a Comma:

​$mb | Set-Mailbox –AuditAdmin SoftDelete,HardDelete

Since the –AuditAdmin and –AuditDelegate parameters of the Set-Mailbox cmdlet overwrite any previous actions that were in there, you will need to write back any actions that you want to keep. If you want to add an action to be audited, and still keep the actions already audited, you can use this technique, which stores the actions in an array, adds an action to the array, and then sets the audit actions back as an updated list:

​$mb | Foreach-Object {
[array]$actions = $_.AuditAdmin

if ($actions –notcontains “SendAs”) { $actions += “SendAs” }

Set-Mailbox –AuditAdmin $actions
}

Likewise, if you wanted to keep all of the present audit actions except one, you can do the same. Save the current actions into an array, remove from the array the action you no longer want to audit, and then save the list of actions back to the mailbox:

​$mb | Foreach-Object {
[array]$actions = $_.AuditAdmin
$actions =
$actions | Where-Object {$_ –ne “SendAs” }
Set-Mailbox –AuditAdmin $actions
}

Now that you’ve set up the auditing that you want to do, you will be ready to run your reports. If you have just turned on auditing, then your reports will be empty. Without auditing enabled on the accounts, then the audit logs are not updated. So you cannot, therefore, turn on auditing on a Thursday and see what happened on that Monday. If you turn on auditing, only audit entries that happened after auditing was enabled will be in the audit logs.

To run a report, go to the admin panel of Exchange Online (click “General Settings” from the Outlook section on the Office 365 Admin page), then:

  1. Ensure “Manage My Organization” is selected from the Options dropdown.
  2. Select Roles & Auditing from the left side menu.
  3. Select Auditing from the tab menu
  4. Click “Run a non-owner mailbox access report”
  5. Select any mailbox returned in the search results for details of actions taken

This provides an initial report which displays access to the accounts within the last two weeks. The dates can be customized to show access between certain dates, as can the types of non-owners that you want to run the report against: Delegated Users; Administrators and External Users (which is the access of Microsoft datacenter administrators).

Conclusion

One frequently used report that organizations running Exchange Online and Office 365 may want to run is the non-owner mailbox access report, which reports not only who accessed the mailbox and when, but the specific actions taken as well.

Auditing must be enabled on each mailboxes individually, and that is performed through a PowerShell administrative session. You can specify which actions are recorded in the audit logs. Once set up, you can run a report through the Exchange Online administrator panel.

SHARE ARTICLE