An administrator wanted to log actions after a user complained that someone was messing with her messages - reading, moving, and deleting the messages.
This is possible in Office 365, using the audit log. When auditing is enabled in Office 365, you can see who read, deleted, moved or copied a message.
Auditing is not enabled by default. Enable it on specific mailboxes (or all mailboxes) by using PowerShell to set the AuditEnabled parameter to true.
Set-Mailbox -Identity alias -AuditEnabled $true
When auditing is enabled, all actions by other users are logged but actions made by the mailbox owner are not logged. To log actions by the mailbox owner, you need to enable the supported actions. (Not all actions are supported for owners.)
The following cmdlet logs access to folders and messages that were moved, opened or viewed in the reading pane, or deleted from Deleted Items or with Shift+Delete.
Set-Mailbox alias -AuditOwner FolderBind, Move, MessageBind, SoftDelete
The log is kept for 90 days; if you need to keep the logs for a longer (or shorter) period, set the AuditLogAgeLimit parameter.
To access the logs, log in to the Office 365 portal, select Security & Compliance, then Auditing, and complete a search. The results will resemble this screenshot:
Below are the actions that can be audited. When auditing is enabled on a mailbox, the default actions are enabled.
Action | Description | Admin | Delegate | Owner |
---|---|---|---|---|
Copy | Message was copied to another folder. | Yes | No | No |
Create | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox. Message and folder creation isn't audited. | Default | Default | Yes |
FolderBind | A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox. | Default | Yes | No |
HardDelete | A message was purged from the Recoverable Items folder. | Default | Default | Yes |
MailboxLogin | The user signed in to their mailbox. | No | No | Yes |
MessageBind | A message was opened or viewed in the preview pane. | Yes | No | No |
Move | Message was moved to another folder. | Default | Yes | Yes |
MoveToDeletedItems | Message was deleted/moved to the Deleted Items folder. | Default | Yes | Yes |
SendAs | Message sent using the SendAs permission. | Default | Default | No |
SendOnBehalf | Message was sent using the SendOnBehalf permission. | Default | Yes | No |
SoftDelete | Message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder. | Default | Default | Yes |
Update | Message or its properties was changed. | Default | Default | Yes |
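
The steps above combined into one script, followed by a check of the resulting settings and a PowerShell search for admin and delegate activity. This is an added example, not from the original article: the `alias` mailbox, the 180-day retention, the 7-day window and the choice of owner actions (taken from the rows the table marks "Yes" for Owner) are assumptions, and it expects an already connected Exchange Online PowerShell session where Search-MailboxAuditLog is available.

```powershell
# Added example. 'alias', 180 days and the 7-day window are placeholder values.
$Mailbox = 'alias'
$Since   = (Get-Date).AddDays(-7)

# 1. Enable auditing, log owner actions the table lists as available to owners,
#    and keep entries longer than the 90-day default.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditOwner Move, MoveToDeletedItems, SoftDelete, HardDelete `
    -AuditLogAgeLimit '180.00:00:00'

# 2. Confirm what is actually being logged for each logon type.
Get-Mailbox -Identity $Mailbox |
    Format-List Name, AuditEnabled, AuditLogAgeLimit, AuditAdmin, AuditDelegate, AuditOwner

# 3. Pull non-owner activity for the window. -ShowDetails returns one object
#    per logged operation instead of one summary row per mailbox.
$Entries = Search-MailboxAuditLog -Identity $Mailbox `
    -LogonTypes Admin, Delegate -ShowDetails `
    -StartDate $Since -EndDate (Get-Date) -ResultSize 2000

if (-not $Entries) {
    Write-Warning "No admin or delegate entries for $Mailbox since $Since."
    return
}

# 4. Who did what, and how often.
$Entries |
    Group-Object LogonUserDisplayName, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 5. Timeline of the operations that move or remove messages.
$Removal = 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete'
$Entries |
    Where-Object { $_.Operation -in $Removal } |
    Sort-Object LastAccessed |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation,
                  FolderPathName, SourceItemSubjectsList |
    Format-Table -AutoSize -Wrap
```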
More Information
For more information, see Enable mailbox auditing in Office 365
We have a case where a service mailbox has many delegates and sub folders under the inbox keep getting deleted by someone. (None have the password, just delegates on it).
If someone figures out how to find this info; that would be sweeet. Here's some details if anyone else is curious:
When using the "Search-MailboxAuditLog ... -LogonTypes Delegate -ShowDetails ..." command it does not show actions for deleted sub folders. And worse; the items under that folder do not show up in the log either, but individual emails do show up if they delete items within the folder, but if the subfolder itself is deleted.. all items within and the folder have no log results. Grrrrrrrr.
These are the audit log items set for "AuditDelegate" on that mailbox:
Update
MoveToDeletedItems
SoftDelete
HardDelete
SendAs
SendOnBehalf
Create
UpdateFolderPermissions
UpdateInboxRules