Enable or disable mailbox audit logging for a mailbox
Applies to: Exchange Server 2013
With mailbox audit logging, you can track logons to a mailbox as well as what actions are taken while the user is logged on. When you enable mailbox audit logging for a mailbox, some actions performed by administrators and delegates are logged by default. None of the actions performed by the mailbox owner are logged. To learn more about mailbox audit logging, see Mailbox audit logging.
Warning
Auditing of mailbox owner actions can generate a large number of mailbox audit log entries and is therefore disabled by default. We recommend that you only enable auditing of specific owner actions needed to meet business or security requirements.
For additional tasks related to mailbox audit logging, see Mailbox audit logging procedures.
What do you need to know before you begin?
Estimated time to complete: 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Mailbox audit logging" entry in the Messaging policy and compliance permissions topic.
You can't use the Exchange admin center (EAC) to enable or disable mailbox audit logging. You must use the Shell.
An administrator who has been assigned the Full Access permission to a user's mailbox is considered a delegate user.
Mailboxes are considered to be accessed by an administrator only in the following scenarios:
In-Place eDiscovery is used to search a mailbox.
The New-MailboxExportRequest cmdlet is used to export a mailbox.
Microsoft Exchange Server MAPI Editor is used to access the mailbox.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.
Tip
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.
Use the Shell to enable or disable mailbox audit logging
You can use the Shell to enable or disable mailbox audit logging for a mailbox. This enables or disables logging of all operations specified for administrator, delegates, and the mailbox owner.
This example enables mailbox audit logging for Ben Smith's mailbox.
Set-Mailbox -Identity "Ben Smith" -AuditEnabled $true
This example disables mailbox audit logging for Ben Smith's mailbox.
Set-Mailbox -Identity "Ben Smith" -AuditEnabled $false
For detailed syntax and parameter information, see Set-Mailbox.
Use the Shell to configure mailbox audit logging settings for administrator, delegate, and owner access
When mailbox audit logging is enabled for a mailbox, only the administrator, delegate, and owner actions specified in the audit logging configuration for the mailbox are logged.
This example specifies that the SendAs or SendOnBehalf actions performed by delegate users will be logged for Ben Smith's mailbox.
Set-Mailbox -Identity "Ben Smith" -AuditDelegate SendAs,SendOnBehalf -AuditEnabled $true
This example specifies that the MessageBind and FolderBind actions performed by administrators will be logged for Ben Smith's mailbox.
Set-Mailbox -Identity "Ben Smith" -AuditAdmin MessageBind,FolderBind -AuditEnabled $true
This example specifies that the HardDelete action performed by the mailbox owner will be logged for Ben Smith's mailbox.
Set-Mailbox -Identity "Ben Smith" -AuditOwner HardDelete -AuditEnabled $true
For detailed syntax and parameter information, see Set-Mailbox.
How do you know this worked?
To verify that you have successfully enabled mailbox audit logging for a mailbox and specified the correct logging settings for administrator, delegate, or owner access, use the Get-Mailbox cmdlet to retrieve the mailbox audit logging settings for that mailbox.
This example retrieves Ben Smith's mailbox settings and pipes the specified audit settings, including the audit log age limit, to the Format-List cmdlet.
Get-Mailbox "Ben Smith" | Format-List *audit*