Microsoft Exchange Online Auditing

by | Jun 4, 2018 | Infrastructure | 0 comments

In today’s world, security is something that should be near the forefront of every administrator’s mind. With so many constant threats to our systems occurring daily, it makes sense to keep a close watch on what’s going on. Mailbox compromise happens every day, from both external attackers and internal actors (disgruntled employees, for example). If you’re using Microsoft’s Exchange Online, auditing should be one of the tools in your kit. It is included as part of the base Exchange Online product so it costs you nothing additional outside of the fees you are already paying.

However, not all of the mailbox auditing features are turned on by default. Here’s a quick primer on actions you can take to turn it on for existing mailboxes, as well as how to make sure it’s turned on for all future ones as well.

Leveraging the Auditing Features

The one audit category that is enabled by default is administrative audit logging records.  This is any action, based on an Exchange Management Shell cmdlet, performed by an administrator.

Mailbox audit logging records are not audited by default. These are records are logs of when a mailbox is accessed by an administrator, the person who owns the mailbox, or a delegated user. To enable mailbox audit logging, you will need to run this command:

Set-Mailbox -Identity user -AuditEnabled $true

Mailbox audit logging records are split into three separate categories: administrative, owner, and delegate. To enable the auditing for each category, perform the following commands (replace <options> with the actions that suit your auditing needs):

Set-Mailbox -Identity user -AuditAdmin <options> -AuditEnabled $true

Set-Mailbox -Identity user -AuditOwner <options> -AuditEnabled $true

Set-Mailbox -Identity user -AuditDelegate <options> -AuditEnabled $true

For more information about those options, review Mailbox audit logging in Exchange 2016.

Audit logging records are stored inside the Exchange Online mailboxes. By default, the records are kept for 90 days. To change it (in this example, it is set to 365 days), perform the following command:

Set-Mailbox -Identity user -AuditLogAgeLimit 365

Finally, to review existing auditing logs, you can use the Security Center in Office 365. Search the audit log in the Office 365 Security & Compliance Center.

Enabling auditing after the event occurs will not magically reveal to you all of the actions that took place beforehand—actions that could lead you to the source of the attack. By enabling auditing on all of your mailboxes immediately, you can ensure that you can accurately produce a timeline of happenings after an event occurs. Consider taking action right away to take advantage of this free, built-in feature of Exchange Online!

  • Set auditing now on all of your existing mailboxes.
  • Update your provisioning checklists to enable auditing on all new mailboxes.
  • Finally, regularly audit (get it?) your existing mailboxes to ensure that auditing is turned on for all of them. Make this part of your daily/weekly/monthly task list.

Auditing is just one way to help with your security peace of mind.  Contact us at to learn more about a comprehensive plan to ensure you are prepared to proactively prevent or reactively address the constant threats your organization is facing.