Auditing in Microsoft Exchange 2019
Introduction: Auditing in Microsoft Exchange 2019 provides administrators with the capability to track and monitor various activities within the Exchange organization. This includes changes made by administrators as well as access to and modifications of individual mailboxes. Two primary auditing options are available: Administrator audit logging and Mailbox audit logging.
Administrator Audit Logging: Administrator audit logging enables the tracking of administrative changes within the Exchange organization. This includes who performed the action, what action was taken, and where the action occurred. By default, administrator audit logging is enabled and logs are stored in the Microsoft Exchange System Mailbox.
To disable administrator audit logging:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $False
To enable administrator audit logging:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $True
Customizing Administrator Audit Logging: Administrators can customize the logging settings to include or exclude specific cmdlets and parameters. For example, to limit logging to specific cmdlets:
Set-AdminAuditLogConfig -AdminAuditLogCmdlets "New-Mailbox","Remove-Mailbox"
To exclude certain cmdlets from logging:
Set-AdminAuditLogConfig -AdminAuditLogExcludedCmdlets "Set-Mailbox"
Additionally, logging can be restricted to specific parameters such as Name, Identity, WindowsEmailAddress, and EmailAddresses:
Set-AdminAuditLogConfig -AdminAuditLogParameters "Name","Identity","WindowsEmailAddress","EmailAddresses"
Mailbox Audit Logging: Mailbox audit logging allows tracking of access to and modifications of individual mailboxes. This is particularly useful for monitoring sensitive mailboxes. Audit logging for a specific mailbox can be enabled or disabled using the Exchange Management Shell (EMS).
To enable mailbox audit logging:
Set-Mailbox -Identity "MailboxName" -AuditEnabled $True
To disable mailbox audit logging:
Set-Mailbox -Identity "MailboxName" -AuditEnabled $False
Customizing Mailbox Audit Logging: Similar to administrator audit logging, mailbox audit logging can be customized based on the type of activity and the accessing account (Administrator, Delegate, or Owner). Specific activities can be included or excluded from logging based on cmdlets and parameters.
Conclusion: Auditing in Microsoft Exchange 2019 provides essential capabilities for tracking and monitoring administrative actions and mailbox access. By enabling and customizing audit logging, organizations can ensure security and compliance with regulatory requirements. Administrators should regularly review audit logs to identify and mitigate potential security risks.
Activity Types and Access Permissions in Mailbox Audit Logging
In mailbox audit logging, different types of activities are logged based on the access permissions of administrators, delegates, and owners. The following table outlines various activities and their corresponding permissions:
| Activity Type | Administrator | Delegate | Owner |
|----------------------------------------------------|---------------|----------|---------|
| Copying an Item to another folder | Yes | No | No |
| Creating an Item (excluding folder creation) | Yes | Yes | Yes |
| Accessing a folder | Yes | Yes | No |
| Permanent deletion of an Item (Hard Delete) | Yes | Yes | Yes |
| Accessing an Item | Yes | No | No |
| Moving an Item to another folder | Yes | Yes | Yes |
| Deleting an Item (Moved to Deleted Items folder) | Yes | Yes | Yes |
| Sending an email using Send As Permission | Yes | Yes | - |
| Sending an email using Send On Behalf Permission | Yes | Yes | - |
| Moving an Item from Deleted Items to Recoverable Items | Yes | Yes | Yes |
| Updating Item properties | Yes | Yes | Yes |
Note: "-" indicates that the action is not applicable to the Owner role.
These permissions dictate which actions are logged for each role in mailbox audit logging. By analyzing audit logs, administrators can track and monitor user activities to ensure compliance and security within the Exchange environment.
By default, mailbox auditing in Microsoft Exchange retains audit logs for up to 90 days. If you need to change this period (e.g., to 180 days) for a specific mailbox (e.g., "Info"), you can use the following cmdlet:
Set-Mailbox -Identity "Info" -AuditLogAgeLimit 180.00:00:00
Searching Mailbox Audit Logs: To access information recorded by mailbox audit logging:
Note on Running a Non-Owner Mailbox Access Report: The option "Run a non-owner mailbox access report" creates a report for cases where the logged-in user is not the owner of the mailbox. If you need to create a report for cases where the logged-in user is the owner, you must use the Exchange Management Shell (EMS).
Note on External Users: If you select "External Users" after choosing the "Run a non-owner mailbox access report" option, "External Users" refers to an administrator in Exchange Online or Office 365.
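The following EMS script is an added example, not part of the original article: it applies the per-role actions from the table above to the page's sample mailbox "Info", runs the owner-access search that the non-owner report does not cover, and lists recent changes to the AuditEnabled setting. The 30-day window and the result size are assumptions.

```powershell
# Added example; run in the Exchange Management Shell (EMS).
# "Info" is the sample mailbox from this page; the 30-day window is an assumption.
$Mailbox = "Info"
$Since   = (Get-Date).AddDays(-30)
$Until   = Get-Date

# Actions per logon type, taken from the "Yes" cells of the activity table.
$Owner    = "Create","HardDelete","Move","MoveToDeletedItems","SoftDelete","Update"
$Delegate = $Owner + "FolderBind","SendAs","SendOnBehalf"
$Admin    = $Delegate + "Copy","MessageBind"

# Enable auditing, set the audited actions for each role, and keep entries for 180 days.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditOwner $Owner -AuditDelegate $Delegate -AuditAdmin $Admin `
    -AuditLogAgeLimit 180.00:00:00

# Confirm what is actually in effect before relying on the log.
Get-Mailbox -Identity $Mailbox |
    Format-List Name,AuditEnabled,AuditLogAgeLimit,AuditOwner,AuditDelegate,AuditAdmin

# Owner access: one entry per logged action, oldest first.
Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Owner -ShowDetails `
    -StartDate $Since -EndDate $Until -ResultSize 1000 |
    Sort-Object LastAccessed |
    Select-Object LastAccessed,Operation,OperationResult,LogonUserDisplayName,
                  FolderPathName,ItemSubject

# Administrator audit log: who changed AuditEnabled on any mailbox, and to what value.
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters AuditEnabled `
    -StartDate $Since -EndDate $Until |
    Select-Object RunDate,Caller,ObjectModified,
        @{ Name = "AuditEnabled"
           Expression = { ($_.CmdletParameters |
                           Where-Object Name -eq "AuditEnabled").Value } }
```

The last query returns nothing if Set-Mailbox has been placed in AdminAuditLogExcludedCmdlets, as in the exclusion example earlier on this page, so check Get-AdminAuditLogConfig before treating an empty result as "no changes".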