In many organizations the Exchange Server administrator will encounter a situation where there is a need to determine who took action on an item in a mailbox. This will most often be about actions taken by delegates of a person’s mailbox, or people who use a shared mailbox.

For example:

  • An email message from a customer was never responded to, and the manager of the customer service team wants to know which person in the team move or deleted the message from the shared mailbox
  • Information sent to an executive via email has leaked, and there is an investigation into which of the executive’s delegates read the email message

Note that in these situations it is assumed that delegates or a team of people already have full access to the mailbox, or read-only access to the mailbox. Based on that assumption the focus is now on which of those people took action on specific mail items.

Exchange Server 2013 can log access to mailboxes by the owner, delegates, and administrators, using a feature called mailbox audit logging.

How Mailbox Audit Logging Works

When mailbox audit logging is enabled for a mailbox, audit log entries are stored in the Recoverable Items folder of the mailbox, which is not visible to the mailbox user via Outlook or other client interfaces.

Log entries are written for actions taken by the mailbox owner, delegates, or by administrators, depending on the audit logging configuration applied to the mailbox. The mailbox audit log entries are then retained for a configurable period of time.

Mailbox audit logging has the following default configuration in Exchange Server 2013:

  • Mailbox audit logging is disabled
  • Audit log entries are retained for 90 days
  • No owner actions are logged
  • Some delegate and administrator actions are logged

A default mailbox audit logging configuration for an Exchange 2013 mailbox looks like this:

[PS] C:\>Get-Mailbox alan.reid | fl *audit*

AuditEnabled     : False
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate    : {Update, SoftDelete, HardDelete, SendAs, Create}
AuditOwner       : {}

Note: The AuditAdmin settings refer to access via mechanisms such as eDiscovery searches, mailbox import/export operations, or tools such as MFCMAPI. If an administrator is granted permission to a mailbox and accesses it then those actions will be logged according to the AuditDelegate settings.

Enabling/Disabling Mailbox Audit Logging

For mailboxes in your organization that you wish to enable audit logging on you can do so using the Set-Mailbox cmdlet.

[PS] C:\>Set-Mailbox alan.reid -AuditEnabled $true

Typical candidates for mailbox audit logging are executives or VIPs who handle sensitive information, and who have delegates, or shared mailboxes used by teams of people.

In some organizations it may be preferable to enable mailbox audit logging for large numbers of mailbox users, or perhaps even all mailbox users. You can pipe the output of any Get-Mailbox query into Set-Mailbox to enable mailbox audit logging.

[PS] C:\>Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled:$true

If you need to ensure that mailbox audit logging is automatically enabled for all new mailboxes when they are created then you achieve that using the Scripting Agent.

For more information see:

Impact of Audit Logging on Mailbox Size

Mailbox audit log data is stored in a folder named Audits under the Recoverable Items folder of the mailbox, so it is hidden from the user. The default retention is 90 days, and some administrators may be concerned about the storage overhead for all of that audit logging data.

For more information on this see How Much Database Storage Does Mailbox Audit Logging Consume?

Searching Mailbox Audit Logs

In these further articles I will demonstrate some methods for searching and using the mailbox audit logging data.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Trevor Procyshen

    Can you recover mailbox audit logs when you restore a mailbox from a prior backup?

  2. Aleksandar

    Hi y’all
    Has anybody had an issue with Get-Mailbox command in the sense that AuditEnabled property is always set to true?
    Even when I add a filter for that property -eq $false, the resultset is correctly narrowed (contains the right number of records) but every record returned has AuditEnabled set to true.

  3. Sujithkumar Suriyamurthy

    Read through this blog and it is really very impressive discussions about Audit Ex13. I just would like to know whether we can enable Audit on Mail Enabled Public Folders? We have Exchange 2013 Server. Please advice

  4. ikenna ejiofor

    Hi Paul,

    How do we enable mailbox auditing on an organisational level? so i dont have to run powershell commands each time a new mailbox is created in exchange.

    1. Avatar photo
      Paul Cunningham

      Can’t, unfortunately. You need to make it part of your provisioning process, which hopefully you’ve automated.

  5. Melissa

    We have auditing enabled on a mailbox using these settings:
    AuditEnabled : True
    AuditLogAgeLimit : 90.00:00:00
    AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
    AuditDelegate : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
    AuditOwner : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, Create}
    However, when I search the logs, there’s only about 16 days worth and some entries seem to be missing. For instance, we’re trying to track down who deleted some emails. I see entries for a SoftDelete for the emails in question. But no entries for a Move or MoveToDeletedItems so I’m not sure how the emails got into the Deleted Items folder. Any suggestions?
    Thanks!

    1. Avatar photo
      Paul Cunningham

      I don’t know whether to expect it to log multiple events for a single action. A SoftDelete would be enough evidence for me. I wouldn’t expect to also see the other events for the same action.

  6. scott

    Is there any kind of folder level or non-admin/non-delegate user auditing? For example: If a user has their calendar default access set to reviewer, can we audit who accesses their calendar and what items?
    (yes I realize this article is forever old)

  7. Vladimir

    Hi,

    I have a question. How long does it take for Audits folder to be created. I have a situation where I need to audit persons mailbox but he is out of the office. I can see he is logged on to Exchange but after running the set-mailbox command his auditing is set to true but search yields no result. He also doesn’t have Audits folder. Can it be forced?

    1. Avatar photo
      Paul Cunningham

      The audit logging is a background process so it might take a little bit of time for the folder and search results to start appearing for you.

  8. Mohd Noorul

    Set-Mailbox -Identity …… -AuditEnabled $true: Successfull but setting not applied, please help

  9. Shishir Deshmukh

    Hi Paul,
    Greetings!

    First of all thanks for your noble work and online
    support…
    I am also in need of some audit logs realted to a specific mailbox.
    Before proceeding further I want to know about the basic difference between “AuditAdmin” & “AuditOwner”… in exchange 2013.

    Thanks in advance!

    Regards,
    Shishir Deshmukh

    1. Shishir Deshmukh

      Hi paul,

      Waiting for your response…

      Regards,
      Shishir Deshmukh

  10. Gui

    Hi Paul

    I have a question regarding the content of the logging. The action “Copy” can only be logged for Administrator. Microsoft definies thise action as ” An item is copied to another folder”. Does it means another folder only in outlook Mailbox oder another folder outside (= save on the harddrive ) ? Does Logging also works for ” save attachments”?
    thx in advance

    1. Avatar photo
      Paul Cunningham

      I don’t know. Like the comment above yours, I’d suggest you set up a test mailbox, run the scenario yourself, and see whether it works or not. Let us know how you go.

  11. Eduardo Carvalho

    Hello Paul, do you have any suggestions to get the following actions for Owner and Delegate:
    1- Edit a message (if I change a flag in the message or read a message does it generate an audit event in exchange 2010?)

    2- Copy a message

    3- Mark message as read and unread

    4- Set flags for message

    5- Open a folder

    6- Create and delete folder

    7- Move and Copy a Folder

    8- Open and add an attachment

    1. Avatar photo
      Paul Cunningham

      I would recommend you set up a test mailbox, turn up the audit logging for all events, and then perform those tasks and see if it logs events for them. That will give you the answers.

  12. JZ

    I have enabled mailbox audit logging on several mailboxes. I then access these mailboxes via OWA to generate log entries. However, when I go to get folder statistics for the audit folder it does not appear at all. I have verified that the account I am using is not set for audit bypass. What could be causing the audit folder to be missing?

    1. Avatar photo
      Paul Cunningham

      What type of auditing did you enable, and who are you using to access the mailboxes with OWA?

  13. Richard

    Is it common to find a HardDelete then Create operation when a delegate accepts a meeting request

    1. Avatar photo
      Paul Cunningham

      I imagine it is. When you accept an appointment the invite is deleted from your inbox, and a new item is added to your calendar.

  14. Scott

    Is the only logging that you can audit, those of delegates/admins/owners? What about just someone accessing/reading someone else’s calendar (ex user has reviewer perms only to calendar of another user) ?

  15. ToniSlow

    Hi Paul!

    We migrate our ex2010 to ex2013. At the ex2010 server i enabled the audit log to some mailboxes, and it work fine, i can see the auditlog via management shell, or via gui. After the migration i can see auditlog only the ex2010 server, if i try run a report at the ex2013 no data. I try this command (get-mailboxfolderstatistics -identity “name of the mailbox” | fl
    ) to check audit folder, and i found this folder at the auditenabled mailboxes , but no auditlog!
    Have you any ideas?

    Thanks in advance
    ToniSlow

    1. Avatar photo
      Paul Cunningham

      Are you running the audit log searches using the 2010 admin tools or the 2013 admin tools?

      1. ToniSlow

        I try search via Exchange Adminstrative Center and via exchange management shell at the exchnage 2013 server. Where i can find “admin tools”?

  16. Vlado

    Hi Paul,

    does it mean that the audit logs of different mailusers are located in different mailboxes.
    What if we need to have all logs on the same place for processing them in security monitoring system?
    Is there any possibility to set exchange for forwarding logs to one (central) logfile?

    Thanks in advance
    Vlado

    1. Avatar photo
      Paul Cunningham

      Audit logs are stored in each mailbox. There’s no configuration for centralizing them. If you need to centralize them you’ll need to run a regular script to collect the log info and write it to your central storage location.

  17. David Standish

    Thanks for the article. Curious if you know what the performance impact of enabling mailbox auditing is? We are thinking about turning it on when we move to Exchange 2013 for all mailboxes by default including owner actions and want to make sure we’ve sized for the overhead. I don’t see anything in the Server Role Requirements Calculator other than a spot to put in Additional I/O. Wondering what factor we should use.

  18. Arnold Mashoko

    Thanks Paul
    I have found your article very informative and helpful.

  19. Siddu

    Hi Paul,

    Thanks for reply.

    But after giving the same syntax i am getting the below error:

    A positional parameter cannot be found that accepts argument ‘-AuditEnabled’.
    + CategoryInfo : InvalidArgument: (:) [Set-Mailbox], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Set-Mailbox

    Thanks in advance

      1. Siddu

        Tried with below two commands:

        Set-Mailbox -Identity (userid) -AuditEnabled $true

        Set-Mailbox -Identity (emailaddress) -AuditEnabled $true

        1. Avatar photo
          Paul Cunningham

          Try

          Get-Mailbox userid

          If that retrieves the mailbox successfully then try piping it to Set-Mailbox

          Get-Mailbox userid | Set-Mailbox -AuditEnabled:$true

          You can also use alias instead of userid.

          If that still isn’t working, then which version of Exchange are you running?

        2. Siddu

          Hi Paul,

          When using get-mailbox userid (Aliasname) i am able to retrieve the mailbox successfully.

          But when using with the pipe command getting the below error:

          Get-Mailbox (aliasname or userid) |Set-Mailbox -AuditEnabled:$true
          A positional parameter cannot be found that accepts argument ‘True’.
          + CategoryInfo : InvalidArgument: (:) [Set-Mailbox], ParameterBindingException
          + FullyQualifiedErrorId : PositionalParameterNotFound,Set-Mailbox

          Exchange: 2010
          Version: 14.3
          Build: 123.4
          Edition: Standard

        3. Avatar photo
          Paul Cunningham

          I’m starting to think this may be a permissions issue with your admin account not having the required Exchange permissions to manage this setting.

        4. Siddu

          Thanks for response. It was due to permission issue only i have now successfully enabled audit log. After enabling when i am trying to use this command i am getting the below error.

          Search-MailboxAuditLog -Identity “Help Desk” -LogonTypes Delegate -StartDate 1/14/2014 -EndDate 1/15/2014

          The term ‘Search-MailboxAuditLog’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

          For this what are the permission need to be delegate for a user. Or do we need to install any package for this.

          Thanks in advance.

  20. Siddu

    Tried using this command but no luck
    Set-Mailbox xxxxx -Identity -AuditEnabled $true

    Getting Error:
    A positional parameter cannot be found that accepts argument ‘xxxxxxx’.
    + CategoryInfo : InvalidArgument: (:) [Set-Mailbox], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Set-Mailbox

    Thanks

  21. Siddu

    Hi Paul,

    When i am trying to enable audit log in power shell getting below error.

    A positional parameter cannot be found that accepts argument ‘-AuditEnabled’.

    Exchange version: 14.3

    Please suggest how it can done.

    Thanks in advance.

Leave a Reply