Exchange Mailbox Auditing has now been enabled by default and rolled out worldwide, with the rollout to Unified Audit Log in Security and Compliance Center still in progress. If you are an Office 365 Customer, you should be able to search and retrieve your audit data with Search-MailboxAuditLog.  


As part of this change, we are also introducing the DefaultAuditSet parameter which would help you get back to the default set of verbs. DefaultAuditSet can be used to set the different action sets (Owner, Admin, Delegate) back to the service default audit events on a per-mailbox basis. 


As an example, If you want to bring Owner action sets back to default for a mailbox which was on custom events for all action sets, you perform the following operations:  


Set-Mailbox [username] -DefaultAuditSet Owner 


Now if you verify this through Get-Mailbox, you will be able to see that AuditOwner is set to the default set of actions:  


Get-Mailbox [username] | fl AuditOwner, AuditAdmin, AuditDelegate 


AuditOwner      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, UpdateFolderPermissions, UpdateInboxRules, UpdateCalendarDelegation} 

AuditAdmin      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, 


AuditDelegate   : {Move} 


To remove a mailbox from the default audit set event, you can go ahead, and add custom actions to the mailbox. This would remove it from the default set of actions. However, this would also mean, that any future audit events added to the default set would not be available automatically by default, and would need to be added manually.  


Find more information:


Which future events might that be? :)


Mail item reads is probably the most asked for event. Coming soon! Many others planned, however. Searches, attachment opens, link clicks, etc. Anything relevant to a breach. Thanks! BK

Awesome, was about time you folks pimped up the audit experience in Exchange. Will corner you next week on the summit for more info :)


Glad to see this by default instead of having to enable it per mailbox. However, when I check the DefaultAuditSet for a mailbox I only get {Admin}. My understanding is that I should see Admin, Owner, and Delegate. How do I get all three audit sets back at the organization level?

Senior Member

Set-Mailbox [username] -DefaultAuditSet Admin,Delegate,Owner


This will set all to default.