Settings for non-owner mailbox access audit: manual configuration

If you plan to manually apply the audit settings required to audit non-owner mailbox access in Exchange Online organization, you will need to create a remote PowerShell session to Exchange Online. Do the following:

  1. Install the Exchange Online PowerShell V2 module as described in this Microsoft article.
  2. IMPORTANT! Make sure to install the latest version.

  3. Launch PowerShell and connect to Exchange Online, as described in the related section of the Microsoft article.
  4. Run the cmdlet, depending on the mailboxes you plan to audit (all mailboxes or selected individual mailbox):
For Command

All

Execute the following cmdlet:

Get-ExoMailbox -PropertySets Minimum -RecipientTypeDetails UserMailbox,SharedMailbox,EquipmentMailbox,LinkedMailbox,RoomMailbox | Set-Mailbox -AuditEnabled $true –AuditAdmin Update,Copy,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create –AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create

Selected

Execute the following cmdlet:

Set-Mailbox -Identity {0} -AuditEnabled $true –AuditAdmin Update,Copy,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create –AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create

Where the {0} character must be replaced with any of the following:

  • Display Name. Example: "Michael Jones"
  • Domain\User. Example: enterprise.local\MJones
  • Email address. Example: analyst@enterprise.onmicrosoft.com
  • GUID. Example: {c43a7694-ba06-46d2-ac9b-205f25dfb32d}
  • LegacyExchangeDN. Example: /o=EnterpriseDev/ou=Exchange Administrative Group(FYDIBOHF23SPDLT)/cn=Recipients/cn=97da560450c942aba
    81b2da46c60858a-analyst
  • SamAccountName. Example: MANAG58792-1758064122
  • (DN) Distinguished name. Example: CN=MJones,CN=Users,DC=enterprisedc1,DC=enterprise,DC=local
  • User ID or User Principal Name. Example: MJones@enterprise.onmicrosoft.com

NOTE: If you are going to audit multiple individual mailboxes, run the cmdlet for each mailbox you need.