Mailbox audit logging in Exchange Server (2024)


Because mailboxes can contain sensitive, high business impact (HBI) information and personally identifiable information (PII), it's important that you track who logs on to the mailboxes in your organization and what actions are taken. It's especially important to track access to mailboxes by users other than the mailbox owner. These users are referred to as delegate users.

By using mailbox audit logging, you can log mailbox access by mailbox owners, delegates (including administrators with full access permissions to mailboxes), and administrators.

When you enable audit logging for a mailbox, you can specify which user actions (for example, accessing, moving, or deleting a message) will be logged for a logon type (administrator, delegate user, or owner). Audit log entries also include important information such as the client IP address, host name, and process or client used to access the mailbox. For items that are moved, the entry includes the name of the destination folder.

Mailbox audit logs

Mailbox audit logs are generated for each mailbox that has mailbox audit logging enabled. Log entries are stored in the Recoverable Items folder in the audited mailbox, in the Audits subfolder. This ensures that all audit log entries are available from a single location, regardless of which client access method was used to access the mailbox or which server or computer an administrator uses to access the mailbox audit log. If you move a mailbox to another Mailbox server, the mailbox audit logs for that mailbox are also moved because they're located in the mailbox.

By default, mailbox audit log entries are retained in the mailbox for 90 days and then deleted. You can modify this retention period by using the AuditLogAgeLimit parameter with the Set-Mailbox cmdlet. If a mailbox is on In-Place Hold or Litigation Hold, audit log entries are only retained until the audit log retention period for the mailbox is reached. To retain audit log entries longer, you have to increase the retention period by changing the value for the AuditLogAgeLimit parameter. You can also export audit log entries before the retention period is reached. For more information, see:

  • Export Mailbox Audit Logs

  • Create a Mailbox Audit Log Search

Enabling mailbox audit logging

Mailbox audit logging is enabled per mailbox. Use the Set-Mailbox cmdlet to enable or disable mailbox audit logging. For details, see Enable or disable mailbox audit logging for a mailbox.

When you enable mailbox audit logging for a mailbox, access to the mailbox and certain administrator and delegate actions are logged by default. To log actions taken by the mailbox owner, you must specify which owner actions should be audited.

Mailbox actions logged by mailbox audit logging

The following table lists the actions logged by mailbox audit logging, including the logon types for which the action can be logged. Note that an administrator who has been assigned the Full Access permission to a user's mailbox is considered a delegate user.

If you no longer require certain types of mailbox actions to be audited, you should modify the mailbox's audit logging configuration to disable those actions. Existing log entries aren't purged until the age limit for audit log entries is reached.

| Action | Description | Admin | Delegate | Owner |
| --- | --- | --- | --- | --- |
| Copy | An item is copied to another folder. | Yes | No | No |
| Create | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that message or folder creation isn't audited. | Yes¹ | Yes¹ | Yes |
| FolderBind | A mailbox folder is accessed. | Yes¹ | Yes² | No |
| HardDelete | An item is deleted permanently from the Recoverable Items folder. | Yes¹ | Yes¹ | Yes |
| MailboxLogin | The user signed in to their mailbox. | No | No | Yes³ |
| MessageBind | An item is accessed in the reading pane or opened. | Yes | No | No |
| Move | An item is moved to another folder. | Yes¹ | Yes | Yes |
| MoveToDeletedItems | An item is moved to the Deleted Items folder. | Yes¹ | Yes | Yes |
| SendAs | A message is sent using Send As permissions. | Yes¹ | Yes¹ | No |
| SendOnBehalf | A message is sent using Send on Behalf permissions. | Yes¹ | Yes | No |
| SoftDelete | An item is deleted from the Deleted Items folder. | Yes¹ | Yes¹ | Yes |
| Update | An item's properties are updated. | Yes¹ | Yes¹ | Yes |

1 Audited by default if auditing is enabled for a mailbox.

2 Entries for folder bind actions performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of 24 hours.

3 Auditing for owner logins to a mailbox works only for POP3, IMAP4, or OAuth logins. It doesn't work for NTLM or Kerberos logins to the mailbox.
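The configuration steps described above, as an added PowerShell example for the Exchange Management Shell (not part of the original article). The mailbox address and the 180-day retention value are assumed placeholders.

```powershell
# Assumed placeholders: replace with a real mailbox and your own retention target.
$Mailbox   = 'discovery.mailbox@contoso.com'
$Retention = '180.00:00:00'   # dd.hh:mm:ss; the default is 90 days

# Turn auditing on for the mailbox and extend how long entries are kept.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true -AuditLogAgeLimit $Retention

# Owner actions are not logged unless they are listed explicitly.
# Every value below has "Yes" in the Owner column of the actions table.
Set-Mailbox -Identity $Mailbox -AuditOwner HardDelete,SoftDelete,MoveToDeletedItems

# Verify what is now in effect for each logon type.
Get-Mailbox -Identity $Mailbox |
    Format-List Name,AuditEnabled,AuditLogAgeLimit,AuditAdmin,AuditDelegate,AuditOwner

# Coverage check: mailboxes where auditing is still disabled.
# Filtering is done client-side so it does not depend on server-side filter support.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Sort-Object Name |
    Format-Table Name,RecipientTypeDetails,AuditEnabled -AutoSize
```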

Searching the mailbox audit log

You can use the following methods to search mailbox audit log entries:

  • Synchronously search a single mailbox: You can use the Search-MailboxAuditLog cmdlet to synchronously search mailbox audit log entries for a single mailbox. The cmdlet displays search results in the Exchange Management Shell window. For details, see Search Mailbox Audit Log for a Mailbox.

  • Asynchronously search one or more mailboxes: You can create a mailbox audit log search to asynchronously search mailbox audit logs for one or more mailboxes, and then have the search results sent to a specified email address. The search results are sent as an XML attachment. To create the search, use the New-MailboxAuditLogSearch cmdlet. For details, see Create a Mailbox Audit Log Search.

  • Use auditing reports in the Exchange admin center (EAC): You can use the Auditing tab in the EAC to run a non-owner mailbox access report (contains entries for admin and delete actions) or export non-owner entries from the mailbox audit log. For details, see:

    • Run a non-owner mailbox access report

    • Export Mailbox Audit Logs

Mailbox audit log entries

The following table describes the fields logged in a mailbox audit log entry.

| Field | Populated with |
| --- | --- |
| Operation | One of the following actions: Copy, Create, FolderBind, HardDelete, MailboxLogin, MessageBind, Move, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update |
| OperationResult | One of the following results: Failed, PartiallySucceeded, Succeeded |
| LogonType | Logon type of the user who performed the operation. Logon types include: Owner, Delegate, Admin |
| DestFolderId | Destination folder GUID for move operations. |
| DestFolderPathName | Destination folder path for move operations. |
| FolderId | Folder GUID. |
| FolderPathName | Folder path. |
| ClientInfoString | Details that identify which client or Exchange component performed the operation. |
| ClientIPAddress | Client computer IP address. |
| ClientMachineName | Client computer name. |
| ClientProcessName | Name of the client application process. |
| ClientVersion | Client application version. |
| InternalLogonType | The type of internal user (a person in your organization) who performed the operation. The possible values for this field are the same ones as the LogonType field. |
| MailboxOwnerUPN | Mailbox owner user principal name (UPN). |
| MailboxOwnerSid | Mailbox owner security identifier (SID). |
| DestMailboxOwnerUPN | Destination mailbox owner UPN, logged for cross-mailbox operations. |
| DestMailboxOwnerSid | Destination mailbox owner SID, logged for cross-mailbox operations. |
| DestMailboxOwnerGuid | Destination mailbox owner GUID. |
| CrossMailboxOperation | Information about whether the operation logged is a cross-mailbox operation (for example, copying or moving messages between mailboxes). |
| LogonUserDisplayName | Display name of user who is logged on. |
| DelegateUserDisplayName | Delegate user display name. |
| LogonUserSid | SID of user who is logged on. |
| SourceItems | ItemID of mailbox items on which the logged action is performed (for example, move or delete). For operations performed on a number of items, this field is returned as a collection of items. |
| SourceFolders | Source folder GUID. |
| ItemId | Item ID. |
| ItemSubject | Item subject. |
| MailboxGuid | Mailbox GUID. |
| MailboxResolvedOwnerName | Mailbox user resolved name in the format DOMAIN\SamAccountName. |
| LastAccessed | Time when the operation was performed. |
| Identity | Audit log entry ID. |
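An added example (not from the original article) that pulls non-owner entries for one mailbox with Search-MailboxAuditLog and triages them using the fields in the table above. The mailbox address, the 30-day window, the result size and the export path are assumed placeholders.

```powershell
# Assumed placeholders: mailbox, time window and export path.
$Mailbox = 'exec.assistant@contoso.com'
$Start   = (Get-Date).AddDays(-30)
$End     = Get-Date

# -ShowDetails returns one object per entry with the fields listed in the table.
$entries = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin,Delegate `
    -StartDate $Start -EndDate $End -ShowDetails -ResultSize 5000

# Summary: who accessed the mailbox, with which logon type, doing what, from where.
# Delegate FolderBind entries are consolidated per 24 hours, so their counts
# understate the real number of folder accesses.
$entries |
    Group-Object LogonUserDisplayName,LogonType,Operation,ClientIPAddress |
    Sort-Object Count -Descending |
    Format-Table Count,Name -AutoSize

# Detail view of destructive or send-as-another-user actions by non-owners.
$entries |
    Where-Object { $_.Operation -in 'HardDelete','SoftDelete','SendAs','SendOnBehalf' } |
    Sort-Object LastAccessed |
    Format-Table LastAccessed,LogonUserDisplayName,LogonType,Operation,
        OperationResult,FolderPathName,ItemSubject,ClientIPAddress,ClientInfoString -AutoSize

# Items moved out by a non-owner, with the destination folder path.
$entries |
    Where-Object { $_.Operation -eq 'Move' } |
    Format-Table LastAccessed,LogonUserDisplayName,FolderPathName,DestFolderPathName -AutoSize

# Keep a copy outside the mailbox before AuditLogAgeLimit removes the entries.
$entries |
    Select-Object LastAccessed,Operation,OperationResult,LogonType,LogonUserDisplayName,
        LogonUserSid,ClientIPAddress,ClientMachineName,ClientProcessName,ClientInfoString,
        FolderPathName,DestFolderPathName,ItemSubject,MailboxOwnerUPN |
    Export-Csv -Path 'C:\Temp\mailbox-audit-nonowner.csv' -NoTypeInformation -Encoding UTF8
```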

More information

  • Administrator access to mailboxes: Mailboxes are considered to be accessed by an administrator only in the following scenarios:

    • In-Place eDiscovery is used to search a mailbox.

    • The New-MailboxExportRequest cmdlet is used to export a mailbox.

    • Microsoft Exchange Server MAPI Client and Collaboration Data Objects is used to access the mailbox.

  • Bypassing mailbox audit logging: Mailbox access by authorized automated processes such as accounts used by third-party tools or accounts used for lawful monitoring can create a large number of mailbox audit log entries and may not be of interest to your organization. You can configure such accounts to bypass mailbox audit logging. For details, see Bypass a User Account From Mailbox Audit Logging.

  • Logging mailbox owner actions: For mailboxes such as the Discovery Search Mailbox, which may contain more sensitive information, consider enabling mailbox audit logging for mailbox owner actions such as message deletion.
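A review of the two settings described in the last two items, as an added example that is not part of the original article. The account names in `$Approved` and `svc-old-tool` are hypothetical; substitute the service accounts your organization has actually approved for bypass.

```powershell
# Hypothetical allowlist of accounts that are approved to bypass mailbox audit logging.
$Approved = @('svc-archive', 'svc-lawful-monitoring')

# Every account whose mailbox access is currently excluded from audit logging.
$bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled }

# Bypass entries that are not on the allowlist leave no audit trail and need review.
$unexpected = $bypassed | Where-Object { $_.Name -notin $Approved }
$unexpected | Format-Table Name,AuditBypassEnabled -AutoSize

# Re-enable auditing for an account that should no longer bypass it.
Set-MailboxAuditBypassAssociation -Identity 'svc-old-tool' -AuditBypassEnabled $false

# Discovery mailboxes: confirm auditing is on and see which owner actions are logged.
Get-Mailbox -RecipientTypeDetails DiscoveryMailbox -ResultSize Unlimited |
    Format-List Name,AuditEnabled,AuditLogAgeLimit,AuditOwner

# Add owner deletion auditing to any discovery mailbox that has no owner actions set.
Get-Mailbox -RecipientTypeDetails DiscoveryMailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditOwner -or $_.AuditOwner.Count -eq 0 } |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity -AuditEnabled $true `
            -AuditOwner HardDelete,SoftDelete,MoveToDeletedItems
    }
```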


FAQs

What gets logged in the mailbox audit log?

Mailbox audit logging is turned on by default in all organizations. This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged. The corresponding mailbox audit records are available for admins to search in the mailbox audit log.

How do I enable mailbox audit logging in Exchange?

Sign into the Security & Compliance Center with your Office 365 Admin account. Select Search & Investigation, and then select Audit log search. Click on “Start recording user and admin activity”. If this doesn't come up, auditing has already been turned on for your organization.

How do I turn off audit log in Microsoft Exchange?

You can turn on and off the audit log search by using the Security and Compliance Center portal (Search > Audit log search > Turn on auditing option) or using the Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true cmdlet in PowerShell.

How to check Exchange mailbox logs?

Message tracking records the message activity as mail flows through the transport pipeline on Mailbox servers and Edge Transport servers. You can use the Get-MessageTrackingLog cmdlet in the Exchange Management Shell to search for entries in the message tracking log by using specific search criteria.

What does the audit log reveal?

Audit logs record the occurrence of an event, the time at which it occurred, the responsible user or service, and the impacted entity. All of the devices in your network, your cloud services, and your applications emit logs that may be used for auditing purposes.

What data should be included in an audit log?

Audit logs comprise the following information:
  • Timestamp, location and TCP/IP protocol data.
  • Event description and tags.
  • Actors, groups, users, entity and device identification.
  • Action types.
  • Predefined metrics.
  • Data access, login attempts, failures and authentication information.
  • Error details.

How to access Exchange audit logs?

To access scoped activity logs from any Microsoft service, including Exchange mailbox activity logs, use the Search-UnifiedAuditLog cmdlet. The following audit activities are only accessible by search queries performed by an unrestricted admin.

How do I audit mailbox permission changes in Exchange Online?

Open the AdminDroid Office 365 Reporter. Navigate to Audit»Exchange»Mailbox Permission Changes»Folder Permissions report to track the mailbox folder permission changes and their details.

How can I tell who accessed my Exchange mailbox?

How to Detect Who Was Accessing Shared Mailbox in Office 365
  1. Open Exchange Administration Center → Navigate to "Compliance Management" Auditing.
  2. Click "Run a non-owner mailbox access report". ...
  3. To view non-owner access to a specific mailbox Click on a mailbox to view all non-owner access events with the details.

Can audit log be deleted?

You can delete old or unwanted logs to restore database space. You can choose to delete audit logs by table, by access logs, or by date range.

How do I turn off audit log?

The audit_log_disable variable can be set in a MySQL Server option file, in a command-line startup string, or at runtime using a SET statement; for example: SET GLOBAL audit_log_disable = true; Setting audit_log_disable to true disables the audit log plugin.

What is the audit logs role in Exchange Online?

You must be assigned the Audit Logs role in Exchange Online to turn auditing on or off. By default, this role is assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center.

How do I clean up Exchange mailbox logs?

The safest way to clear Exchange log files automatically is to create Volume Shadow Service-based backups using the Windows Server Backup in Exchange Server. You may also use a third-party Exchange-aware backup service or software to create backups and purge the transaction logs.

Where are Exchange Server logs located?

By default, the connectivity log files exist in these locations: Mailbox servers: Transport service: %ExchangeInstallPath%TransportRoles\Logs\Hub\Connectivity. Front End Transport service: %ExchangeInstallPath%TransportRoles\Logs\FrontEnd\Connectivity.

How do I find out what Exchange Server my mailbox is on?

Finding the Microsoft Exchange Server in the Account Settings can be tricky. To start, open Outlook, click on the “File” tab, then select “Account Settings” twice. In this window, select the account you want to check. Click “Change,” and look for the “Server Information” section to see the server name.

What does the audit log contain?

The audit log allows organization admins to quickly review the actions performed by members of your organization. It includes details such as who performed the action, what the action was, and when it was performed.

What should be logged in an audit trail?

In software, an audit trail documents each user's activity, including changes and approvals, timestamp of dates and times, IP addresses, and user logins. Record retention periods for audit trail logs will depend on government and industry regulations applicable to your business activities.

What do audit logs track?

Audit logs capture details about system configuration changes and access events, with details to identify who was responsible for the activity, when and where the activity took place, and what the outcome of the activity was.

What data can you track using the login audit log?

Google Workspace Login Audit: Login Audit logs track user sign-ins to your domain. These logs only record the login event. They don't record which system was used to perform the login action. Login Audit writes Data Access audit logs only.

Article information

Author: Arline Emard IV
