Enable Mailbox Auditing In Office 365 Through PowerShell Commands
Microsoft enables administrators to audit all the Exchange Online mailboxes in O365 for Business tenants. Audit logging is available for user and shared mailboxes, and it is an essential part of reducing cyber attacks. This auditing feature will provide full coverage over mailboxes in all tenants by the end of 2018. Once this is completely enabled, Exchange will be on top of the world with SharePoint Online. This guide walks readers through the procedure to enable mailbox auditing in Office 365 via PowerShell.
Procedure to Enable Office 365 Mailbox Auditing
The procedure consists of three major steps for using auditing in O365 tenants, listed below:
- Establish a connection with Exchange Online PowerShell
- Activate the mailbox audit logging feature
- Describe the owner actions for auditing
The following sections describe these 3 major steps in detail, so that you know exactly what to do in each one.
Step 1: Establish Connection with Exchange Online PowerShell
1. Open the Microsoft Windows PowerShell application on your system and run the following command:
$UserCredential = Get-Credential
2. This opens a credential dialog box where you have to type the username and password of the Office 365 global administrator account. After filling in the credentials, click the OK button.
3. Execute the following command on the PowerShell screen to proceed with enabling mailbox auditing in Office 365 using PowerShell:
4. Now it's time to run Import-PSSession $Session on the same PowerShell screen.
5. Check whether you are connected to Exchange Online by running the Get-Mailbox command.
Step 2: Activate The Mailbox Audit Logging Feature
Once the connection is established, enable Exchange Online mailbox auditing. You can also activate mailbox auditing for all mailboxes within your enterprise. The following command enables mailbox audit logging for a single mailbox named Kelly Cohen:
If you want to enable audit logging for several mailboxes in your organization, use the following cmdlet:
Step 3: Describe The Owner Actions For Auditing
By default, only one action carried out by the main owner (administrator) of the mailbox, UpdateFolderPermissions, is audited when mailbox auditing in Exchange Online is enabled. It is the admin's duty to define the other owner actions for audit logging. The table in the Mailbox actions section lists the owner actions that can be audited. The following command appends the MailboxLogin and HardDelete owner actions to mailbox auditing for Kelly Cohen's mailbox. We are assuming that mailbox auditing has already been enabled for this mailbox.
Suppose you want to enable audit logging only in Andrew's mailbox and add only the MailboxLogin action; then use the following command:
The following example appends the HardDelete, MailboxLogin, and SoftDelete owner actions to all mailboxes of an enterprise simultaneously. We assume that you have already enabled audit logging in all mailboxes.
Conclusion
Once all 3 major steps to enable mailbox auditing in Office 365 via PowerShell are completed, you can use the Get-Mailbox command. This tells administrators whether auditing settings for one or all mailboxes are enabled or not. For example, run the following command to retrieve the audit logging settings of Kelly Cohen's mailbox.
You can also check the audit settings of all mailboxes in a firm by using the command below.
If the value of the AuditEnabled property is True, you have successfully enabled Exchange Online mailbox auditing.
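The commands described in Steps 2 and 3 and the verification from the Conclusion, combined into one script. This is an added example, not code from the original page: the function names, the UserMailbox filter and the report format are assumptions, and it expects the Exchange Online session from Step 1 to be imported already.

```powershell
# Added example. Assumes the Exchange Online session from Step 1 is imported.
# Owner actions named on the page; the function names below are hypothetical.
$OwnerActions = 'MailboxLogin', 'HardDelete', 'SoftDelete'

function Enable-OwnerAudit {
    param(
        [Parameter(Mandatory)] [string[]] $Identity,
        [Parameter(Mandatory)] [string[]] $Actions
    )
    foreach ($id in $Identity) {
        # Step 2 and Step 3 in one call: switch auditing on and append
        # (Add, not replace) the owner actions to the existing AuditOwner list.
        Set-Mailbox -Identity $id -AuditEnabled $true -AuditOwner @{ Add = $Actions }
    }
}

function Get-OwnerAuditGap {
    param(
        [Parameter(Mandatory)] [object[]] $Mailbox,
        [Parameter(Mandatory)] [string[]] $Actions
    )
    foreach ($mbx in $Mailbox) {
        # Expected owner actions that are absent from this mailbox's AuditOwner list.
        $missing = @($Actions | Where-Object { $mbx.AuditOwner -notcontains $_ })
        if (-not $mbx.AuditEnabled -or $missing.Count -gt 0) {
            [pscustomobject]@{
                Mailbox      = $mbx.DisplayName
                AuditEnabled = $mbx.AuditEnabled
                MissingOwner = $missing -join ','
            }
        }
    }
}

# Single mailboxes, as in the page's examples.
Enable-OwnerAudit -Identity 'Kelly Cohen' -Actions 'MailboxLogin', 'HardDelete'
Enable-OwnerAudit -Identity 'Andrew' -Actions 'MailboxLogin'

# Every user mailbox in the tenant (the filter is an assumption of this example).
$filter = "RecipientTypeDetails -eq 'UserMailbox'"
$all = Get-Mailbox -ResultSize Unlimited -Filter $filter
Enable-OwnerAudit -Identity $all.UserPrincipalName -Actions $OwnerActions

# Verification: re-read the settings and list any mailbox that is still not covered.
$current = Get-Mailbox -ResultSize Unlimited -Filter $filter
Get-OwnerAuditGap -Mailbox $current -Actions $OwnerActions | Format-Table -AutoSize
Get-Mailbox -Identity 'Kelly Cohen' | Format-List Audit*
```

An empty table from Get-OwnerAuditGap means every user mailbox has AuditEnabled set to True and all three owner actions present.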