An administrator wanted to log actions after a user complained that someone was messing with her messages - reading, moving, and deleting the messages.
This is possible in Office 365, using the audit log. When auditing is enabled in Office 365, you can see who read, deleted, moved or copied a message.
Auditing is not enabled by default. It needs to be enabled on specific mailboxes (or all mailboxes) by PowerShell to set the AuditEnabled parameter to true.
Set-Mailbox -Identity alias -AuditEnabled $true
When auditing is enabled, all actions by other users are logged but actions made by the mailbox owner are not logged. To log actions by the mailbox owner, you need to enable the supported actions. (Not all actions are supported for owners.)
This cmdlet will log access to folders, messages that were moved, either opened or viewed in the reading pane, or deleted from Deleted items or using Shift+Delete.
Set-Mailbox alias -AuditOwner FolderBind, Move, MessageBind, SoftDelete
The log is kept for 90 days; if you need to keep the logs for a longer (or shorter) period, set the AuditLogAgeLimit parameter.
To access the logs, log into the Office 365 portal and select Security & Compliance, Auditing and complete a search. The results will resemble this screenshot:
Below are the actions that can be audited. When auditing is enabled on a mailbox, the default actions are enabled.
|Copy||Message was copied to another folder.||Yes||No||No|
|Create||An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox.|
Message and folder creation isn't audited.
|FolderBind||A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox.||Default||Yes||No|
|HardDelete||A message was purged from the Recoverable Items folder.||Default||Default||Yes|
|MailboxLogin||The user signed in to their mailbox.||No||No||Yes|
|MessageBind||A message was opened or viewed in the preview pane.||Yes||No||No|
|Move||Message was moved to another folder.||Default||Yes||Yes|
|MoveToDeletedItems||Message was deleted/moved to the Deleted Items folder.||Default||Yes||Yes|
|SendAs||Message sent using the SendAs permission.||Default||Default||No|
|SendOnBehalf||Message was sent using the SendOnBehalf permission.||Default||Yes||No|
|SoftDelete||Message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder.||Default||Default||Yes|
|Update||Message or its properties was changed.||Default||Default||Yes|
For more information, see Enable mailbox auditing in Office 365