In many organizations across the world, Office 365 (Exchange Online) has replaced on-premise and hosted Exchange Servers as the backbone of communication. Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Office 365, enabling mailbox auditing is very important. Even though the process is complex, this guide should help enable Office 365 auditing natively via Windows PowerShell. If the process proves to be too challenging or trying, we’ve also introduced LepideAuditor – an easy way to audit Exchange Online so that you can see the difference.

Native Auditing of Exchange Online (Office 365)

It is a three-step process to enable auditing for Exchange Online (Office 365).

Step 1: Connect to Exchange Online using Windows PowerShell

Launch Windows PowerShell on your computer as an administrator, and run the following command to connect to Exchange Online (Office 365)

$UserCredential = Get-Credential

The dialog box requesting for credentials of Office 365 appears on the screen. Enter username and password of a Global Admin Account of Office 365, and click OK.

Figure 1: Windows PowerShell Credential Request Window

Execute the following command

$Session = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential –Authentication Basic –AllowRedirection

Figure 2: Windows PowerShell Command

Next, execute the following command

Import-PSSession $Session

Execute the following command to confirm that you have connected to Exchange Online organization, and to get a list of all the mailboxes in your organization.

Get-Mailbox

Figure 3: List of all Office 365 mailboxes
Step 2: Enable Office 365 user mailbox auditing

After you have connected to your Exchange Online, the next step is to enable mailbox audit logging for a particular mailbox, or for all the mailboxes in your organization.

This example enables mailbox audit logging for user Lahuara1’s mailbox.

Set-Mailbox -Identity "Lahuara1" -AuditEnabled $true

Use the following command to enable mailbox audit logging for all the user mailboxes in your organization.

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

Step 3: Confirm whether the audit has been enabled or not

To confirm whether you have successfully enabled the audit or not, you have to run the “Get-Mailbox” command. AuditEnabled property’s “True” value confirms that you have successfully enabled mailbox audit logging.

Get-mailbox | select UserPrincipalName, auditenabled, AuditDelegate, AuditAdmin

Figure 4: Office 365 mailboxes with audit enabled

Issue with Native Auditing

Sometimes users can find it difficult to enable auditing for Exchange Online mailboxes via PowerShell, especially when encountered with an error that needs to be overcome. Pre-defined reports are also not available in the native auditing method, which can make it difficult to focus on a particular object or operation. You do not have dedicated reports that can be generated in real-time to track permissions, role, mail contact, groups, public folders, remote domain and unified messaging.

So, what are your options?

Using LepideAuditor to audit Office 365 mailboxes

Going through the simple installation of LepideAuditor and adding the listing of Exchange Online is all you need to do to start auditing.

LepideAuditor for Office 365 provides you a complete visibility of what is happening in your Exchange Online environment. With more than 35 pre-defined reports, you can track all changes made to particular objects and create a long audit trail. These reports can be customized using advanced filtration, search, sorting, grouping by and other functions and can be saved as CSV, PDF, or MHT files on the disk.

You can apply real-time or threshold-based alerts that can be sent as emails to recipients, updates to LiveFeed reports at the console’s Radar Tab and as push-notifications to LepideAuditor App. You can schedule the delivery of audit reports to be sent through email or by saving as files on the shared locations.

Following is a screenshot of “All Modifications in Exchange Online” report.

Figure 5: LepideAuditor’s All modifications in Exchange Online report

LepideAuditor makes auditing easier and faster. You can download the free trial to see for yourself.


Download Lepide Office 365 Auditor

Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.