In many organizations across the world, Office 365 (Exchange Online) has replaced on-premise and hosted Exchange Servers as the backbone of communication. Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Office 365, enabling mailbox auditing is very important. Even though the process is complex, this guide should help enable Office 365 auditing natively via Windows PowerShell. If the process proves to be too challenging or trying, we’ve also introduced Lepide Exchange Online Auditor – an easy way to audit Exchange Online so that you can see the difference.
Steps to Enable Mailbox Auditing for Exchange Online (Office 365)
It is a three-step process to enable auditing:
Step 1- Connect to Exchange Online using Windows PowerShell
Launch Windows PowerShell on your computer as an administrator, and run the following command to connect to Exchange Online (Office 365)
$UserCredential = Get-Credential
The dialog box requesting for credentials of Office 365 appears on the screen. Enter username and password of a Global Admin Account of Office 365, and click OK.
Execute the following command
$Session = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential –Authentication Basic –AllowRedirection
Next, execute the following command
Import-PSSession $Session
Execute the following command to confirm that you have connected to Exchange Online organization, and to get a list of all the mailboxes in your organization.
Get-Mailbox
Step 2 – Enable Office 365 User Mailbox Auditing
After you have connected to your Exchange Online, the next step is to enable mailbox audit logging for a particular mailbox, or for all the mailboxes in your organization.
This example enables mailbox audit logging for user Lahuara1’s mailbox.
Set-Mailbox -Identity "Lahuara1" -AuditEnabled $true
Use the following command to enable mailbox audit logging for all the user mailboxes in your organization.
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
Step 3- Confirm Whether the Audit Has been Enabled or Not
To confirm whether you have successfully enabled the audit or not, you have to run the “Get-Mailbox” command. AuditEnabled property’s “True” value confirms that you have successfully enabled mailbox audit logging.
Get-mailbox | select UserPrincipalName, auditenabled, AuditDelegate, AuditAdmin
Issue with Native Auditing
Sometimes users can find it difficult to enable auditing for Exchange Online mailboxes via PowerShell, especially when encountered with an error that needs to be overcome. Pre-defined reports are also not available in the native auditing method, which can make it difficult to focus on a particular object or operation. You do not have dedicated reports that can be generated in real-time to track permissions, role, mail contact, groups, public folders, remote domain and unified messaging.
So, what are your options?
Using Lepide Exchange Online (Office 365) Auditor to Audit Mailbox Access and Changes
Lepide Exchange Online Auditor (part of Lepide Data Security Platform) provides you a complete visibility of what is happening in your Exchange Online environment. With more than 35 pre-defined reports, you can track all changes made to particular objects and create a long audit trail. These reports can be customized using advanced filtration, search, sorting, grouping by and other functions and can be saved as CSV, PDF, or MHT files on the disk.
You can apply real-time or threshold-based alerts that can be sent as emails to recipients, updates to LiveFeed reports at the console’s Radar Tab and as push-notifications to Lepide Mobile App. You can schedule the delivery of audit reports to be sent through email or by saving as files on the shared locations.
Following is a screenshot of “All Modifications in Exchange Online” report.
Lepide’s Exchange Online auditing solution makes auditing easier and faster.