Configure Infrastructure for Monitoring Exchange Online

You can configure your Exchange Online for monitoring in one of the following ways:

  • Automatically when creating a monitoring plan. If you select to configure audit on the target Exchange Online automatically, your current settings will be checked on each data collection and adjusted if necessary.

  • Manually. Special manual configuration steps only required if you are going to track non-owner mailbox access within your Exchange Online organization. In this case, you need to create a remote Shell session to Exchange Online. For detailed instructions on how to create a remote session, read the following Microsoft article: Connect to Exchange Online using remote PowerShell.

Perform the steps in the table below to start auditing mailbox access your Exchange Online organization.

Track... Steps...

All mailboxes

  1. On the local computer, navigate to Start Programs Windows PowerShell.

  2. Connect to your Exchange Online.
  3. Execute the following command:

    Get-Mailbox -RecipientTypeDetails UserMailbox,SharedMailbox,EquipmentMailbox,LinkedMailbox,RoomMailbox | Set-Mailbox -AuditEnabled $true –AuditAdmin Update,Copy,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,MessageBind,Create –AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create

Audit selected mailbox

  1. On the local computer, navigate to Start Programs Windows PowerShell.

  2. Connect to Exchange Online.
  3. Execute the following command:

    Set-Mailbox -Identity {0} -AuditEnabled $true –AuditAdmin Update,Copy,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,MessageBind,Create –AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create

    Where the {0} character must be replaced with one of the following:

    • Display Name. Example: "Michael Jones"
    • Domain\User. Example: enterprise.local\MJones
    • Email address. Example:
    • GUID. Example: {c43a7694-ba06-46d2-ac9b-205f25dfb32d}
    • LegacyExchangeDN. Example: /o=EnterpriseDev/ou=Exchange Administrative Group(FYDIBOHF23SPDLT)/cn=Recipients/cn=97da560450c942aba
    • SamAccountName. Example: MANAG58792-1758064122
    • (DN) Distinguished name. Example: CN=MJones,CN=Users,DC=enterprisedc1,DC=enterprise,DC=local
    • User ID or User Principal Name. Example:

NOTE: If you are going to audit multiple individual mailboxes, repeat these steps for each mailbox.