How to enable auditing in Exchange Online

Back to Blog
20Sep2018

How to enable auditing in Exchange Online

Microsoft 365 has a powerful Security & Compliance center that is becoming cooler every quarter that goes by. However, one rather important piece to understand is that auditing (logging of certain activities) is not turned on by default. They are in the process of updating this to be on by default, but for now it is still necessary to turn it on yourself. Find your way to the Security & Compliance center, and browse to Search & Investigation > Audit log search. Click Turn on auditing. If the link doesn’t exist, then your tenant most likely already has it enabled.

Update: Microsoft says mailbox auditing will be enabled by default in all tenants by the end of 2018.

You will notice that the informational banner at the top of this page will change to say that auditing will be available within “a couple of hours.” Note that it is also possible to turn this on using PowerShell in Exchange Online:

Enable-OrganizationCustomization
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

But guess what? There is still more to it than that.

Enable mailbox auditing in Exchange Online

By default, Exchange Online does not have mailbox auditing enabled (and performing the steps above will not turn it on for you, either). For organizations that have to meet certain compliance requirements, this is a problem. If you go Exchange admin center > compliance management > auditing for example, expecting to review some of the handy reports–you might find yourself asking: “Why are all my reports empty?

 

This looks handy: Run a non-owner mailbox access report…

There are no items to show in this view.

You: But my organization has lots of delegates and I know people are accessing each other’s mailboxes constantly… what gives?

If you want your reports to actually say something, you are going to have to enable mailbox auditing. Unfortunately, this cannot be accomplished in the GUI. Go get connected to Exchange Online using PowerShell. Once here, I like to run the Get-Mailbox cmdlet just to be sure I am in the right place (as a consultant I connect to a lot of tenancies in a given day). The first thing you need to do is turn mailbox auditing ON. You can (and probably should) do this for all your users in one fell swoop, like this:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

Great! All done, right? Sorry, no–or at least, probably not.  There are three different types of users to consider when modifying audit settings: Owners, Delegates and Admins… and you may not like the audit actions that are selected by default for each of them. For example, by default, Exchange Online turns on almost nothing for auditing the actions taken by Owners. So in other words, if an owner does something–deletes an item for example–then it is not going to be logged by default. However, if that same person were to perform that same action on another user’s mailbox for whom they are a delegate, then it would be logged by default.

You can view what each  of the defaults are at present, by running these commands (just choose one identity in your own organization to see an example):

Get-Mailbox "User Name" | Select-Object -ExpandProperty AuditOwner
Get-Mailbox "User Name" | Select-Object -ExpandProperty AuditDelegate
Get-Mailbox "User Name" | Select-Object -ExpandProperty AuditAdmin

I want to add at least a few to the AuditOwner category: MailboxLogin seems important, as do the deletions.

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditOwner @{Add="MailboxLogin","HardDelete","SoftDelete","MoveToDeletedItems"}

There we go, now these “Owner actions” will be logged: MailboxLogin, HardDelete, SoftDelete and MoveToDeletedItems. Review this table (copied from this source), in case you see any other adjustments you’d like to make:

That should about do it.

I have two additional caveats to share as regards the audit functionality in Microsoft 365 Security & Compliance Center.  First: it can take time (30 minutes for some events, 24 hours for others) before the activity will actually show up in the various reports (Source).  Second: Events are only retained for 90 days. If you need to be able to keep them for longer, then you will need to consider using a SIEM product that is compatible with Microsoft 365–one which can leverage its API for Management activity. This would allow you to pull data from 365 and retain it within your Security Information and Event Management software.

Technical , , , 4 Comments
Share:

Comments (4)

  • Soldges Reply

    Thanks for your great article.

    I have one question. Is it also possible to log/audit actions performend on public folders? For example I want to log when an folder or an email in a public folder has been moved or deleted.

    September 21, 2018 at 2:24 am
    • Alex Reply

      This might be the answer to your question…

      September 22, 2018 at 5:36 pm
  • Travis Phipps Reply

    Probably also a good idea to mention that you need to run this periodically to ensure any newly added mailboxes have your desired audit policies applied to them. Unfortunately there doesn’t appear to be a way to set a “default for new mailboxes” so this can be a one-and-done process.

    September 25, 2018 at 1:06 pm
    • Alex Reply

      So true, would love to see this feature added, so that the new user creation process can be simplified.

      September 25, 2018 at 7:55 pm

Leave a Reply

Back to Blog

Related Posts

18Jul

A Reader’s input for your consideration: Blocking unsupported devices with Conditional access

Consider the following scenario (from a reader who wished to remain anonymous): Let's say you have implemented my recommended baseline policies for Conditional access, which require Windows & Mac computers to become managed/compliant with Intune, and iOS & Android devices to use approved client applications. In... read more
12Mar

New OME Encryption Template, Criticism Revisited…

Spooky. Lately it's like Microsoft is following this blog or something. I have been working on a number of posts that I'm rather excited about. First, I had one of my biggest wishes come true, with the release of Files On-Demand for OneDrive (included in Fall... read more
14Jul

Remove SBS 2008 or SBS 2011 Source Server from the domain

Sorry Old Yeller--I know you were a faithful companion for many years--but it's time to put you down, buddy. I usually wait until the end of the migration project for this. There is no harm leaving the old server as-is for the duration of the project while you finish migrating... read more
15Aug

Teams, SharePoint and OneDrive best practices? Part 3: Data governance

In part 1 of this series, we discussed external sharing and chat. In part 2, we dealt with access controls and notifications. Now, we turn our focus to Data governance, a very important conversation indeed when it comes to compliance. And when it comes to compliance,... read more
06Apr

Bug with Essentials Integration for Azure Site Recovery

Awhile back, I had written a series on all the neat integrations available with Windows Server Essentials (or Essentials Experience, if installing it on top of Standard as a role).  You may have noticed that I never published an article regarding one of the most... read more
26Jan

How to prepare for a HIPAA technical risk assessment or audit

I have had to help a number of smaller-sized health services clinics with this kind of thing recently, so I figured a place to collect notes on these experiences was in order. Hopefully others will find it valuable; just know that there is no such... read more
24Jun

A framework for implementing Device configuration profiles with Microsoft Intune

Last time we looked at the proper methodology for rolling out Device-based Conditional access in conjunction with Compliance policies. In that article, we observed that the workflow is very linear and logical, flowing from one step to the next, and ending in Conditional access, like... read more
22Nov

How to improve Remote Desktop performance for remote users through an RDS Gateway Server

Do you have a Remote Desktop Server (properly) configured with the Gateway Role in your environment? In this configuration, all traffic is secured via SSL (port 443), and clients connecting over the internet to your internal RDS host(s) will be encrypted (and not necessarily identifiable... read more
11Mar

Super-charging security on non-Microsoft 365 E5 plans

This article was updated in April of 2020 Microsoft 365 E5 is the Cadillac of plans. Basically every product in the 365 universe is bundled into this level subscription, and that includes a ton related to security. Recently, Microsoft announced two new bundles aimed at security &... read more
26Oct

Tutorial: How to Setup Azure Virtual Network with Windows Server Essentials and a Hardware VPN Appliance

Most tutorials on Azure Virtual Network and site-to-site VPN rely on Windows Server's RRAS role to create a quick and dirty VPN connection for demonstration purposes. But in a real world production environment, this is hardly ever the case; the better option by far for... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me