
Exchange Mailbox Auditing is now enabled by default and has been rolled out worldwide; the rollout to the Unified Audit Log in the Security and Compliance Center is still in progress. If you are an Office 365 customer, you should be able to search and retrieve your audit data with Search-MailboxAuditLog.

 

If you want to ensure record availability in both Exchange Mailbox and the Unified Audit Log, manually set the AuditEnabled flag to true. This ensures that audit data from default enablement is pushed to the Unified Audit Log.

 

As part of this change, we are also introducing the DefaultAuditSet parameter, which helps you get back to the default set of verbs. DefaultAuditSet resets the individual action sets (Owner, Admin, Delegate) to the service default audit events on a per-mailbox basis.

 

As an example, if you want to bring the Owner action set back to default for a mailbox that was on custom events for all action sets, run the following:

 

Set-Mailbox [username] -DefaultAuditSet Owner 

 

Now if you verify this through Get-Mailbox, you will be able to see that AuditOwner is set to the default set of actions:  

 

Get-Mailbox [username] | fl AuditOwner, AuditAdmin, AuditDelegate 

Output: 

AuditOwner      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, UpdateFolderPermissions, UpdateInboxRules, UpdateCalendarDelegation}
AuditAdmin      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, UpdateCalendarDelegation}
AuditDelegate   : {Move}

 

To take a mailbox off the default audit set, add custom actions to the mailbox. This removes it from the default set of actions. However, it also means that any audit events added to the default set in the future will not be picked up automatically and will need to be added manually.
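An added example (not from the original post) that reports which mailboxes have action sets on custom events, and so will miss future default audit events, or have AuditEnabled set to false. The function name Get-MailboxAuditDrift and the sample objects are hypothetical and constructed for illustration; the property names are those returned by Get-Mailbox.

```powershell
function Get-MailboxAuditDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Mailbox
    )
    begin { $allSets = 'Admin', 'Delegate', 'Owner' }
    process {
        # Normalise DefaultAuditSet to strings (it may arrive as enum values or be empty)
        $onDefault = @($Mailbox.DefaultAuditSet | ForEach-Object { "$_" })
        # Action sets that were customised and no longer follow the service default
        $custom = @($allSets | Where-Object { $_ -notin $onDefault })

        if ($custom.Count -gt 0 -or -not $Mailbox.AuditEnabled) {
            $upn = $Mailbox.UserPrincipalName
            [pscustomobject]@{
                Mailbox      = $upn
                AuditEnabled = [bool]$Mailbox.AuditEnabled
                CustomSets   = $custom -join ','
                # Command form shown in the article to return those sets to the default
                Remediation  = if ($custom) { "Set-Mailbox $upn -DefaultAuditSet $($custom -join ',')" }
            }
        }
    }
}

# Constructed sample objects that mimic the Get-Mailbox properties used above
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'
                       AuditEnabled = $true;  DefaultAuditSet = @('Admin', 'Delegate', 'Owner') }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'
                       AuditEnabled = $true;  DefaultAuditSet = @('Admin') }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'
                       AuditEnabled = $false; DefaultAuditSet = @() }
)

# alice is fully on defaults and is not reported; bob and carol are
$sample | Get-MailboxAuditDrift | Format-List

# Against a live tenant (requires an Exchange Online PowerShell session):
# Get-Mailbox -ResultSize Unlimited | Get-MailboxAuditDrift
```

Review the Remediation column before running anything from it: resetting an action set to default replaces the custom actions configured for that set on the mailbox.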

 


5 Comments

Which future events might that be? :)

Microsoft

Mail item reads is probably the most asked for event. Coming soon! Many others planned, however. Searches, attachment opens, link clicks, etc. Anything relevant to a breach. Thanks! BK

Awesome, was about time you folks pimped up the audit experience in Exchange. Will corner you next week on the summit for more info :)

Occasional Contributor

Glad to see this by default instead of having to enable it per mailbox. However, when I check the DefaultAuditSet for a mailbox I only get {Admin}. My understanding is that I should see Admin, Owner, and Delegate. How do I get all three audit sets back at the organization level?

Regular Visitor

Set-Mailbox [username] -DefaultAuditSet Admin,Delegate,Owner

 

This will set all to default.