Friday 8 May 2015

Setup and search mailbox auditing logs in Exchange 2013

Mailbox auditing is used for monitoring actions taken within a mailbox, including users who have delegated access.

Auditing is setup on a per mailbox basis and has varying scope levels - for example you can audit specifically users who have been delegated access to the mailbox only.

The following information is recorded as part of an audit log:

Client IP Address
User Agent / Client

The audit logs are stored within the recoverable items folder of the audited user's mailbox for (by default) a period of 90 days.

In order to enable auditing on a specific mailbox we can use the Set-Mailbox cmdlet:

Set-Mailbox -Identity "Joe Bloggs" -AuditEnabled $true

or for a delegated:

Set-Mailbox -Identity "Joe Bloggs" -AuditDelegate SendAs,SendOnBehalf -AuditEnabled $true

Once we have enabled auditing we will likely want to export those logs at some point:

From ECP go to: Compliance Management > Auditing. Click Export mailbox audit logs.

Finally we can search through the mailbox audit logs with the New-MailboxAuditLogSearch cmdlet:

New-MailboxAuditLogSearch "Admin and Delegate Access" -Mailboxes "Joe Bloggs" -LogonTypes Admin,Delegate -StartDate 05/20/2015 -EndDate 05/31/2015 -StatusMailRecipients

The above command looks for any logins from Admins / Delegates to the Joe Bloggs mailbox and sends the results to


Post a Comment