How to Enable Mailbox Auditing in Office 365 (Exchange Online)

Download Lepide Office 365 Auditor
Or Deploy With Our Virtual Appliance
In This Article

In many organizations across the world, Office 365 (Exchange Online) has replaced on-premise and hosted Exchange Servers as the backbone of communication. Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Office 365, enabling mailbox auditing is very important. Even though the process is complex, this guide should help enable Office 365 auditing natively via Windows PowerShell. If the process proves to be too challenging or trying, we’ve also introduced Lepide Exchange Online Auditor – an easy way to audit Exchange Online so that you can see the difference.

Steps to Enable Mailbox Auditing for Exchange Online (Office 365)

It is a three-step process to enable auditing:

Step 1- Connect to Exchange Online using Windows PowerShell

Launch Windows PowerShell on your computer as an administrator, and run the following command to connect to Exchange Online (Office 365)

$UserCredential = Get-Credential

The dialog box requesting for credentials of Office 365 appears on the screen. Enter username and password of a Global Admin Account of Office 365, and click OK.

Windows PowerShell Credential Request Window
Figure 1: Windows PowerShell Credential Request Window

Execute the following command

$Session = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri -Credential $UserCredential –Authentication Basic –AllowRedirection
Windows PowerShell Command
Figure 2: Windows PowerShell Command

Next, execute the following command

Import-PSSession $Session

Execute the following command to confirm that you have connected to Exchange Online organization, and to get a list of all the mailboxes in your organization.

List of all Office 365 mailboxes
Figure 3: List of all Office 365 mailboxes

Step 2 – Enable Office 365 User Mailbox Auditing

After you have connected to your Exchange Online, the next step is to enable mailbox audit logging for a particular mailbox, or for all the mailboxes in your organization.

This example enables mailbox audit logging for user Lahuara1’s mailbox.

Set-Mailbox -Identity "Lahuara1" -AuditEnabled $true

Use the following command to enable mailbox audit logging for all the user mailboxes in your organization.

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

Step 3- Confirm Whether the Audit Has been Enabled or Not

To confirm whether you have successfully enabled the audit or not, you have to run the “Get-Mailbox” command. AuditEnabled property’s “True” value confirms that you have successfully enabled mailbox audit logging.

Get-mailbox | select UserPrincipalName, auditenabled, AuditDelegate, AuditAdmin
Office 365 mailboxes with audit enabled
Figure 4: Office 365 mailboxes with audit enabled

Issue with Native Auditing

Sometimes users can find it difficult to enable auditing for Exchange Online mailboxes via PowerShell, especially when encountered with an error that needs to be overcome. Pre-defined reports are also not available in the native auditing method, which can make it difficult to focus on a particular object or operation. You do not have dedicated reports that can be generated in real-time to track permissions, role, mail contact, groups, public folders, remote domain and unified messaging.

So, what are your options?

Using Lepide Exchange Online (Office 365) Auditor to Audit Mailbox Access and Changes

Lepide Exchange Online Auditor (part of Lepide Data Security Platform) provides you a complete visibility of what is happening in your Exchange Online environment. With more than 35 pre-defined reports, you can track all changes made to particular objects and create a long audit trail. These reports can be customized using advanced filtration, search, sorting, grouping by and other functions and can be saved as CSV, PDF, or MHT files on the disk.

You can apply real-time or threshold-based alerts that can be sent as emails to recipients, updates to LiveFeed reports at the console’s Radar Tab and as push-notifications to Lepide Mobile App. You can schedule the delivery of audit reports to be sent through email or by saving as files on the shared locations.

Following is a screenshot of “All Modifications in Exchange Online” report.

All Modifications in Exchange Online report
Figure 5: All modifications in Exchange Online report

Lepide’s Exchange Online auditing solution makes auditing easier and faster. You can download the free trial to see for yourself.

Download Lepide Office 365 Auditor

Or Deploy With Our Virtual Appliance