Did you ever receive inquiries about strange mailbox behavior, like users stating that mails have been deleted without any interaction by the mailbox owner? In cases like this, you will be glad to enable Mailbox Audit Logging on the affected mailbox.
This post is about how to enable Mailbox Audit Logging on a certain mailbox and how to configure the auditing parameters so that they provide the most relevant insights. Let's get to the point straight away:
Enable Mailbox Audit Logging on a mailbox
Check the audit status on a certain mailbox:
get-mailbox -Identity MailboxName | select PrimarySmtpAddress, *audit* | fl
Enable Mailbox Audit Logging:
get-mailbox -Identity MailboxName | Set-Mailbox -AuditEnabled $True
If your output is truncated with ellipses (…), change the $FormatEnumerationLimit value.
Define operations that should be audited:
Depending on the circumstances that make mailbox audit logging necessary, you can change the predefined audit operations to more relevant ones. Find the list of actions logged by mailbox audit logging here.
Usually, I completely replace the actions for AuditOwner (AuditOwner refers to actions performed by the mailbox owner).
To do so use the following command:
Adjust the logged actions according to the list by Microsoft mentioned above.
Use -AuditAdmin or -AuditDelegate instead of -AuditOwner to change the logged operations for admins or delegates.
Search Mailbox Audit Logs
Define your query:
The Search-MailboxAuditLog cmdlet seems to work only from an Exchange Management Shell. From an ISE with the Exchange PS snap-in loaded, I always get an error.
Undoubtedly, the date range filter of the Search-MailboxAuditLog cmdlet is somewhat imprecise. If you want to query a range from 3 days ago until today, for instance, I recommend setting the end date of the query to tomorrow's date. Otherwise, it can happen that no results are shown for the current day or even the day before.
Some notes on the query above:
-StartDate/-EndDate: The date format can vary depending on the regional settings of your system!
-LogonTypes: Narrow down your query to the logon types you are interested in.
Operation: Displays the logged action.
ClientIpAddress: Shows the IP address of the client, or the outgoing IP address of the source network.
ClientInfoString: Shows client connection types like RPC, ActiveSync, OWA.
ClientProcessName: For example, OUTLOOK.exe.
SourceItemSubjectsList: The subjects of the mails for which an action has been logged.
I recommend using only the relevant selectors when searching an audit log.
Displaying all selectors can make the output confusing, or it will not fit on the screen at all.
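The following is an added example, not a command from this post, that puts the two parts together: it replaces the owner actions on one mailbox and then queries the last three days with the end date set to tomorrow, as recommended above. MailboxName is a placeholder for the affected mailbox, and the chosen operation list is an assumption you should adjust to your case.

```powershell
# Added example: configure owner auditing and query the log for one mailbox.
# Run from the Exchange Management Shell (see the note on ISE above).
$Mailbox = 'MailboxName'   # placeholder, replace with the affected mailbox

# Enable auditing and replace the owner actions with the ones relevant to
# "mails disappeared" cases (deletes, moves, edits and logons). The list is an
# assumption; adjust it according to Microsoft's list of logged actions.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditOwner HardDelete,SoftDelete,MoveToDeletedItems,Move,Update,MailboxLogin `
    -AuditLogAgeLimit 90

# Verify the resulting configuration (mind $FormatEnumerationLimit if truncated).
Get-Mailbox -Identity $Mailbox | Select-Object PrimarySmtpAddress, Audit* | Format-List

# Query: last 3 days until today, with EndDate set to tomorrow to work around
# the imprecise date range filter. Passing DateTime objects instead of strings
# avoids the regional date format pitfall mentioned above.
$Start = (Get-Date).Date.AddDays(-3)
$End   = (Get-Date).Date.AddDays(1)

Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Owner,Delegate `
    -StartDate $Start -EndDate $End -ShowDetails -ResultSize 5000 |
    Select-Object LastAccessed, LogonType, Operation, ClientIpAddress,
        ClientInfoString, ClientProcessName,
        @{Name = 'Subjects'; Expression = { $_.SourceItemSubjectsList -join '; ' }} |
    Sort-Object LastAccessed |
    Format-Table -AutoSize -Wrap
```

Only the selectors relevant to the case are shown, so the table stays readable; add or drop properties as the investigation requires.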
Stay safe folks!