Friday, November 9, 2018

See how to use Mailbox audit logs in #Office365

Introduction:

Auditing in Exchange Admin Center means troubleshooting the configuration issues by tracking specific changes made by administrators and to help you meet regulatory, compliance, and litigation requirements.
Exchange provides two types of audit logging:
  • Administrator audit logging.
  • Mailbox audit logging.
Note: You must enable mailbox audit logging for each mailbox so that audited events are saved to the audit log for that mailbox.
Enabling Mailbox Audit Logging - You need to use Remote PowerShell connected to your exchange, you can’t use EAC.
NOTE:- Audit Logs are also available in Office 365 Security & Compliance center. In this article, we will see how to audit mailbox from Exchange Online.

Connect to Exchange Online using PowerShell:

  1. Open Windows PowerShell and run command.
    $UserCredential = Get-Credential
  2. In Windows PowerShell credential request, enter your Office 365 global admin account username and password.PowerShell login
  3. Run the following command.
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
  4. Run the following command.
    Import-PSSession $Session
  5. To verify that you’re connected to your Exchange Online organization, run the following command to get a list of all the mailboxes in your organization.
    Get-Mailbox
    Get Mailbox
  6. This command enables mailbox audit logging for all user mailboxes in your organization.
    Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
    Enabled mailbox
  7. You can see in above image AuditEnable is showing True, means mailbox audit logging has been enabled for the mailboxes.

Run a non-owner mailbox access report:



  • In the EAC, go to Compliance ManagementAuditing.
  • Click Run a non-owner mailbox access report.
    Auditing
  • Click Run a non-owner mailbox access report, you can specify dates and select mailbox for whom you want to view edit log.

  • Mailbox access report
    Run the admin audit log report – Administrator auditing logging is enabled by default.
    1. In the EAC, go to Compliance Management > Auditing and choose Run the admin audit log report.
      Admin audit log
    2. Choose a Start date and End date. And then choose Search. All configuration changes made during the specified time are displayed.
      Audit log report
    Similarly, you can run an audit report for In-Place eDiscovery & hold, Litigation hold report, administrator role group report & external admin audit log report.
    Also, you can export the log report for Mailbox and the admin.
    Exporting the admin audit log report
    1. In the EAC, go to Compliance Management > Auditing > Export the admin audit log.
      Export the admin audit log
    2. Mention Start date and End date and select the User  whom you want to send the audit log. Click OK and Export.
      Send audit log
    3. Audit log entries are saved to an XML file that is attached to a message and sent to the specified recipients within 24 hours.

    Conclusion:

    You can enable mailbox audit logging, generating reports and audit logs in Exchange Online using Exchange Admin Center.

    No comments:

    Post a Comment

    Can't verify domain in Office 365? Lets try this step.

    Domain verification in Office 365 is a very simple task, you just need to add a custom domain, add the TXT or MX record by provided by your...