cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Exchange Online Mailbox Auditing Enabled By Default
By
Brandon Koeller
Published Mar 06 2019 11:13 AM 27.3K Views
Brandon Koeller
Microsoft
‎Mar 06 2019 11:13 AM

Exchange Online Mailbox Auditing Enabled By Default

‎Mar 06 2019 11:13 AM

Exchange Mailbox Auditing has now been enabled by default and rolled out worldwide, with the rollout to Unified Audit Log in Security and Compliance Center still in progress. If you are an Office 365 Customer, you should be able to search and retrieve your audit data with Search-MailboxAuditLog.  

 

As part of this change, we are also introducing the DefaultAuditSet parameter which would help you get back to the default set of verbs. DefaultAuditSet can be used to set the different action sets (Owner, Admin, Delegate) back to the service default audit events on a per-mailbox basis. 

 

As an example, If you want to bring Owner action sets back to default for a mailbox which was on custom events for all action sets, you perform the following operations:  

 

Set-Mailbox [username] -DefaultAuditSet Owner 

 

Now if you verify this through Get-Mailbox, you will be able to see that AuditOwner is set to the default set of actions:  

 

Get-Mailbox [username] | fl AuditOwner, AuditAdmin, AuditDelegate 

Output: 

AuditOwner      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, UpdateFolderPermissions, UpdateInboxRules, UpdateCalendarDelegation} 

AuditAdmin      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, 

                                UpdateCalendarDelegation} 

AuditDelegate   : {Move} 

 

To remove a mailbox from the default audit set event, you can go ahead, and add custom actions to the mailbox. This would remove it from the default set of actions. However, this would also mean, that any future audit events added to the default set would not be available automatically by default, and would need to be added manually.  

 

Find more information:

6 Comments
Vasil Michev
MVP
‎Mar 07 2019 11:31 AM
‎Mar 07 2019 11:31 AM

Which future events might that be? :)

0 Likes
Like
Brandon Koeller
Microsoft
‎Mar 07 2019 11:37 AM
‎Mar 07 2019 11:37 AM

Mail item reads is probably the most asked for event. Coming soon! Many others planned, however. Searches, attachment opens, link clicks, etc. Anything relevant to a breach. Thanks! BK

Vasil Michev
MVP
‎Mar 07 2019 10:52 PM
‎Mar 07 2019 10:52 PM

Awesome, was about time you folks pimped up the audit experience in Exchange. Will corner you next week on the summit for more info :)

0 Likes
Like
Jason E. Heiser
Iron Contributor
‎Mar 21 2019 10:27 AM
‎Mar 21 2019 10:27 AM

Glad to see this by default instead of having to enable it per mailbox. However, when I check the DefaultAuditSet for a mailbox I only get {Admin}. My understanding is that I should see Admin, Owner, and Delegate. How do I get all three audit sets back at the organization level?

0 Likes
Like
sslivoski
Copper Contributor
‎Mar 21 2019 06:39 PM
‎Mar 21 2019 06:39 PM

Set-Mailbox [username] -DefaultAuditSet Admin,Delegate,Owner

 

This will set all to default.

0 Likes
Like
RisteaM
Copper Contributor
‎Feb 03 2023 09:27 AM
‎Feb 03 2023 09:27 AM

How do I edit the default AuditOwner, AuditDelegate and AuditAdmin auditing actions. I would like to change the default audit actions for all mailboxes, not one at a time with Set-Mailbox -Identity "mailbox" -AuditOwner @{Add="ApplyRecord","UpdateComplianceTag"}, adding "ApplyRecord" and "UpdateComplianceTag". Same for AuditDelegate and AuditAdmin. Currently I only have Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, Create and I would like to have more information in the default.

Any help would be greatly appreciated!

Version history
Last update:
‎May 11 2021 02:03 PM
Updated by: