How to Track Mailbox Access in Exchange for Security and Compliance
You need to turn on auditing and check logs often to see who opens mailboxes in Exchange. Audit Mailbox Access to keep important data safe and follow rules. Watching mailbox activity helps you find people who should not be there and act fast if there is a problem. Use built-in tools to look at access events and keep your group safe. Always check for changes in permissions, because these can bring new dangers.
Key Takeaways
Use PowerShell to turn on mailbox auditing for all mailboxes. This helps you see who opens your Exchange mailboxes. It also helps keep important data safe.
Check audit logs and permission changes often. This helps you find strange activity early. It can stop security problems before they get worse.
Use tools like the Microsoft 365 Compliance Portal and Exchange Admin Center. These tools help you look at audit logs. You can also set up alerts for odd actions.
Keep audit logs for the right amount of time. This depends on your license and what rules you must follow. It helps with investigations and following the law.
Be careful when giving mailbox permissions. Only let people who need it have access. Turn on multi-factor authentication to make things safer.
Why Audit Mailbox Access
Security Risks
If you do not track who opens mailboxes in Exchange, you face many dangers. Attackers want to steal important data or break into your systems. If you do not watch mailbox activity, you could miss warning signs. Here are some risks you should know about:
Someone might get in from a strange or bad IP address, maybe from a country where your users do not work.
Attackers can get around multi-factor authentication if your settings are weak or old.
Hidden inbox rules can be made to delete or send emails without you knowing.
Attackers can use mailbox synchronization to quickly steal all mailbox data.
Strange login patterns or user agents can mean someone stole a password.
Sensitive files, like financial records, can be sent to outside websites.
You should check mailbox owner access logs often. This helps you find odd activity and act before something bad happens. Watching login events and mailbox changes can stop bad people from getting deeper into your network. Many attacks start with just one mailbox being hacked. Phishing and business email compromise attacks have more than doubled in the last year. Social engineering is now used in almost every cyberattack.
Tip: Delete mailboxes that are not used anymore. This makes it harder for attackers and helps you follow privacy laws like GDPR.
Compliance Needs
You also need to audit mailbox access to follow laws and rules. Many rules say you must track who looks at sensitive data. If you cannot show this, you could get fined or have legal problems. For example, GDPR and HIPAA both need strong controls for personal and health data. Regular audits help you prove you follow the rules and protect your group’s good name.
You need to keep records of who accessed mailboxes, changed permissions, or moved data. Auditing these actions helps you answer questions if there is an investigation or audit. When you know who did what and when, you can act fast if something goes wrong and avoid big fines.
Enable Auditing
Turning on auditing is the first thing you should do to see who opens mailboxes in Exchange. You must set up auditing for mailboxes that are new and ones you already have. This helps you follow rules and spot problems early. You can use the Exchange Admin Center or PowerShell to turn on auditing. Which one you use depends on your setup.
Exchange Admin Center
The Exchange Admin Center (EAC) lets you look at and search mailbox audit logs. But you cannot turn on auditing from the EAC in Exchange Server. In Exchange Online, you can start tracking what users and admins do in the Microsoft 365 Security & Compliance Center. Here is how you use the EAC and Compliance Center for mailbox auditing:
Log in to the Microsoft 365 Security & Compliance Center.
Click Audit under the Solutions section.
If you see a message, pick Start recording user and admin activity.
After you turn on auditing with PowerShell, use the search tools to look at mailbox audit logs.
Note: You must use PowerShell to turn on mailbox auditing in both Exchange Server and Exchange Online. The EAC only lets you search and look at logs, not turn on auditing.
PowerShell Methods
PowerShell gives you full control to turn on auditing for one mailbox or all mailboxes. You can also make it automatic for new mailboxes. Here are the steps to turn on auditing in Exchange Online and Exchange Server:
Exchange Online
Open Windows PowerShell and connect to Exchange Online.
To turn on auditing for one mailbox:
Set-Mailbox -Identity "user@domain.com" -AuditEnabled $true
To turn on auditing for all mailboxes:
Get-Mailbox -ResultSize unlimited | Set-Mailbox -AuditEnabled $true
To turn on auditing by default for your whole organization:
Set-OrganizationConfig -AuditDisabled $false
Exchange Server (On-Premises)
Open Exchange Management Shell.
To turn on auditing for one mailbox:
Set-Mailbox -Identity "username" -AuditEnabled $true
To turn on auditing for all user mailboxes:
Get-Mailbox -ResultSize unlimited | Set-Mailbox -AuditEnabled $true
You cannot turn on auditing from the EAC in Exchange Server. Always use PowerShell.
Tip: You can make auditing automatic for new mailboxes by using the Exchange Scripting Agent. Add a script to your ScriptingAgentConfig.xml file that runs Set-Mailbox with -AuditEnabled $true after each new mailbox is made. If you use scripts to create mailboxes, add the Set-Mailbox command there to make sure every new mailbox has auditing turned on.
Verify Audit Status
After you turn on auditing, you should check that it works. You can use PowerShell and the EAC to check audit status.
In PowerShell, run:
Get-Mailbox "user@domain.com" | fl *audit*
Look for AuditEnabled : True in the results. This means auditing is working for that mailbox.
To see all mailboxes with auditing turned on in Exchange Server:
(Get-Mailbox -ResultSize unlimited -Filter {AuditEnabled -eq "True"}).alias
In Exchange Online, use:
$mbx=(Get-Mailbox -ResultSize unlimited | ? {$_.AuditEnabled -eq "True"}).alias
In the EAC, go to Compliance Management and pick Auditing. You can search mailbox audit logs here, but you cannot turn on auditing from this screen.
Note: Always check the AuditLogAgeLimit setting to see how long audit logs stay. Change this setting to fit your rules.
Turning on auditing for all mailboxes, even new ones, makes sure you can Audit Mailbox Access everywhere in your group. This step is important for both safety and following rules.
Review Audit Logs
Tracking mailbox activity helps if you know how to read audit logs. You should check these logs often to find strange actions and follow rules. Exchange gives you different ways to see and understand mailbox audit logs. Each way has good points and some limits.
Compliance Portal
The Microsoft 365 Compliance Portal lets you search and look at mailbox audit logs. This portal is one place to check mailbox activity for your whole group. Here is how you can use the Compliance Portal to check audit logs:
Log in to the Microsoft 365 Security & Compliance Center with your admin account.
Go to Search & Investigation and pick Audit log search.
Pick the mailbox activities you want to see, like sign-ins or deleted emails.
Run the search to see audit events after you turned on auditing.
If you want alerts for some mailbox actions, set up alert policies in the portal.
You must turn on mailbox auditing before you see any results. Use PowerShell to turn on auditing for each mailbox or all mailboxes at once. The Compliance Portal also lets you export search results to look at them more closely.
Tip: For deeper checks, use the built-in PowerShell script Run-MailboxAuditLogSearcher.ps1 to filter and export audit log data.
Exchange Admin Center Logs
The Exchange Admin Center (EAC) helps you see and report on mailbox audit logs, mostly for non-owner access. You can run reports to see what delegates or admins did, like deleting emails or opening folders. The EAC does not show every mailbox action, but it shows important events.
Here are some mailbox access events you can find in the EAC:
Mailbox audit logs in the EAC focus on what delegates and admins do. You can run non-owner mailbox access reports to see these actions. The logs are kept in the Recoverable Items folder, and you can also use PowerShell to search them.
Note: Some actions, like reading emails by delegates, may not show up in the EAC. For more details, use PowerShell or the Compliance Portal.
PowerShell Log Search
PowerShell gives you strong tools to search and filter mailbox audit logs. The main cmdlet you use is Search-MailboxAuditLog. This cmdlet lets you search by mailbox, date, logon type, and actions.
Here is how to search audit logs with PowerShell:
Connect to Exchange Online PowerShell with your admin account.
Make sure mailbox audit logging is on for the mailboxes you want to search.
Use the Search-MailboxAuditLog cmdlet with things like Identity, LogonTypes, StartDate, and EndDate to find the events you need.
Filter results more with PowerShell commands like Where-Object to focus on actions like "HardDelete".
For big searches or results by email, use the New-MailboxAuditLogSearch cmdlet.
You can also use things like ShowDetails for more info, or HasAttachments to find entries with attachments. Make sure you have the right permissions to run these commands.
Tip: In multi-geo setups, connect to the right place to avoid errors when searching logs.
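The search-then-filter steps above, carried one step further as an added example (not part of the original article): the function groups non-owner delete actions by mailbox and actor so repeated deletions stand out. The function name Get-NonOwnerDeleteSummary, the threshold of 2 and the sample rows are assumptions; the property names are those returned by Search-MailboxAuditLog with -ShowDetails.

```powershell
# Added example. In a connected session the entries would come from, for instance:
#   Search-MailboxAuditLog -Identity "user@domain.com" -LogonTypes Admin,Delegate `
#       -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ShowDetails
function Get-NonOwnerDeleteSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Entry,
        [string[]] $Operation = @('HardDelete', 'SoftDelete', 'MoveToDeletedItems'),
        [int] $Threshold = 2    # assumption: tune to what is normal for your delegates
    )
    $Entry |
        Where-Object { $_.LogonType -ne 'Owner' -and $_.Operation -in $Operation } |
        Group-Object MailboxOwnerUPN, LogonUserDisplayName |
        ForEach-Object {
            $g = $_
            # Normalize timestamps so first/last work for strings and DateTime values
            $times = @($g.Group | ForEach-Object { [datetime]$_.LastAccessed } | Sort-Object)
            [pscustomobject]@{
                Mailbox    = $g.Group[0].MailboxOwnerUPN
                Actor      = $g.Group[0].LogonUserDisplayName
                LogonTypes = ($g.Group.LogonType | Sort-Object -Unique) -join ','
                Deletes    = $g.Count
                First      = $times[0]
                Last       = $times[-1]
                Review     = $g.Count -ge $Threshold
            }
        }
}

# Constructed sample entries (not real log data) so the function runs offline
$sample = @'
MailboxOwnerUPN,LogonType,LogonUserDisplayName,Operation,LastAccessed
cfo@contoso.example,Delegate,Sam Assistant,HardDelete,2024-05-01T09:12:00
cfo@contoso.example,Delegate,Sam Assistant,HardDelete,2024-05-01T09:12:40
cfo@contoso.example,Delegate,Sam Assistant,FolderBind,2024-05-01T09:11:00
cfo@contoso.example,Owner,Casey Finance,HardDelete,2024-05-01T10:00:00
hr@contoso.example,Admin,Exchange Admin,SoftDelete,2024-05-02T14:30:00
'@ | ConvertFrom-Csv

# Expect two rows: Sam Assistant with 2 deletes (Review = True) and
# Exchange Admin with 1 delete (Review = False); owner activity is excluded.
Get-NonOwnerDeleteSummary -Entry $sample | Format-Table -AutoSize
```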
Log Entry Details
When you look at mailbox audit logs, you see records of mailbox actions. Each log entry shows what happened, who did it, and what kind of user did it. Here is what you can find in a normal audit log entry:
These details help you know who got into a mailbox, what they did, and when. You can use this to Audit Mailbox Access and act if you see something odd.
Note: Some special events, like MailItemsAccessed, need extra licenses such as Office 365 E5 or Microsoft 365 E5 Compliance add-ons.
Limitations of Exchange Audit Logs
Audit logs give you good info, but they have some limits:
Exchange audit logs only record successful mailbox access events. Failed attempts are not logged.
Logon attempts are not audited. Only real data access is recorded.
Trusted service accounts can be left out of auditing, which may leave gaps in your records.
Audit events are kept in a special Exchange Auditing log, not in the security log.
These limits mean you may not see every action or attempt. Always check your audit settings and think about these gaps when planning your security and compliance plan.
Monitor Permission Changes
Permission Change Alerts
It is important to watch for mailbox permission changes. Attackers may try to give themselves more access. You need to find these changes fast. Setting up alerts helps you act quickly.
Use the Microsoft 365 Purview Portal to check audit logs for permission changes. Filter for actions like Add-MailboxPermission or Remove-MailboxPermission.
Connect to Exchange Online with PowerShell. Run commands to look for permission change events in the unified audit logs.
Make PowerShell scripts that send email alerts when mailbox permissions change. These scripts can collect details and tell mailbox owners or admins.
Set up alert policies in the Microsoft 365 Security & Compliance Center. These policies send notifications right away when mailbox permissions change.
Try third-party tools like AdminDroid or Exchange Reporter Plus. These tools give real-time alerts and reports about mailbox permission changes.
Tip: Check permission changes often. Watching all the time helps you stop bad changes before they cause problems.
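One way to turn unified audit log records into a reviewable list of permission changes, added here as an example and not taken from the original article. The function name ConvertFrom-PermissionAuditRecord, the Review rule and the sample records are assumptions; the AuditData layout (UserId, Operation, Parameters as Name/Value pairs) is assumed to follow the Exchange admin audit schema.

```powershell
# Added example. In a connected session the records would come from, for instance:
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
#       -Operations Add-MailboxPermission,Remove-MailboxPermission -ResultSize 5000
function ConvertFrom-PermissionAuditRecord {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        # AuditData is a JSON string; Parameters holds the cmdlet arguments
        $data = $Record.AuditData | ConvertFrom-Json
        $p = @{}
        foreach ($param in $data.Parameters) { $p[$param.Name] = $param.Value }
        $selfGrant = $data.UserId -eq $p['User']
        [pscustomobject]@{
            When      = $data.CreationTime
            Actor     = $data.UserId
            Operation = $data.Operation
            Mailbox   = $p['Identity']
            Grantee   = $p['User']
            Rights    = $p['AccessRights']
            SelfGrant = $selfGrant
            # Assumed rule: review every self-grant and every new FullAccess grant
            Review    = $data.Operation -eq 'Add-MailboxPermission' -and
                        ($selfGrant -or $p['AccessRights'] -match 'FullAccess')
        }
    }
}

# Constructed sample records (not real log data), shaped like Search-UnifiedAuditLog output
$sample = @(
    @{ CreationTime = '2024-05-02T03:14:00'; UserId = 'helpdesk1@contoso.example'
       Operation = 'Add-MailboxPermission'
       Parameters = @(@{ Name = 'Identity'; Value = 'cfo@contoso.example' },
                      @{ Name = 'User'; Value = 'helpdesk1@contoso.example' },
                      @{ Name = 'AccessRights'; Value = 'FullAccess' }) }
    @{ CreationTime = '2024-05-02T09:30:00'; UserId = 'admin@contoso.example'
       Operation = 'Remove-MailboxPermission'
       Parameters = @(@{ Name = 'Identity'; Value = 'shared-sales@contoso.example' },
                      @{ Name = 'User'; Value = 'former.employee@contoso.example' },
                      @{ Name = 'AccessRights'; Value = 'FullAccess' }) }
) | ForEach-Object { [pscustomobject]@{ AuditData = ($_ | ConvertTo-Json -Depth 4 -Compress) } }

# Expect the first record flagged (SelfGrant = True, Review = True), the second not.
$sample | ConvertFrom-PermissionAuditRecord | Format-Table -AutoSize -Wrap
```

The Review column can feed the e-mail alert scripts mentioned above.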
Reporting Tools
You need good reporting tools to track mailbox permission changes. Built-in tools like PowerShell and the Compliance Center work, but they can be slow and hard for big groups. Third-party tools make this easier.
AdminDroid gives you over 170 reports about mailbox permissions. You can export reports as CSV, HTML, or PDF. The tool lets you schedule reports and see data in charts and maps.
Exchange Reporter Plus tracks all permission changes, like Full Access and Send-As. It shows who made each change and what was changed. You can get alerts, export reports, and keep audit data for later.
Both tools help you watch mailbox permissions all the time and follow IT rules. They make it easier to Audit Mailbox Access and keep your group safe.
Note: Automated reports and alerts help you act fast if there is a threat. Use these tools to stay safe and protect your mailboxes.
Audit Mailbox Access
Set Up Alerts
You can make alerts that tell you right away if something strange happens in a mailbox. Use the Microsoft 365 Compliance Center or Defender portal to set up alert rules. These rules let you choose what actions will send an alert, like changes to mailbox permissions or logins that look odd. When someone does something that matches your alert, Microsoft 365 sends a message to the people you picked. You can look at and handle these alerts in the portal. This helps you act fast if there is a problem and keeps mailboxes safe. Some security tools, like Elastic Security, have rules already made that check for risky permission changes every few minutes. If you find something that looks wrong, check the details, take away bad permissions, change passwords, and tell users right away.
Tip: Always watch mailbox forwarding rules. Attackers use these to send emails outside your group.
Export Reports
Exporting audit reports lets you keep records and look at mailbox access over time. First, turn on mailbox auditing with PowerShell using the Set-Mailbox command. After auditing is on, you can use the Exchange Online Admin Center to search audit logs. You can filter by action, date, or user, then export the results as a CSV file to look at later. PowerShell scripts also help you get more details about mailbox access, like who has Full Access or Send As permissions. Save these reports for checks or if you need to look into something. Third-party tools can help you export and save reports, especially if you need to keep logs longer than normal.
Note: Audit logs only show events after you turn on auditing. Turn on auditing early so you do not miss anything.
Third-Party Solutions
You might need better tools to Audit Mailbox Access, especially if your group is big or has strict rules. Third-party tools like AdminDroid and Syskit Point have easy dashboards, real-time alerts, and keep logs longer. These tools help you track mailbox access, permission changes, and strange actions with less work. Many also work with SIEM or XDR platforms for deeper checks and better threat finding. With these tools, you can keep audit data longer, make your own reports, and follow rules more easily.
Callout: Keep audit logs for at least 90 days, or up to one year if you have E5 licenses. Keeping logs longer helps with checks and audits.
Best Practices
Log Retention
You must keep mailbox audit logs for the right time. This helps you follow compliance rules. The default time depends on your license.
If you have an Office 365 or Microsoft 365 E5 license, logs stay for one year.
If you do not have E5 or use guest accounts, logs stay for 180 days.
You can set your own retention rules from 7 days to 10 years if you have special add-ons.
Custom rules always replace the default ones.
To keep logs longer than 180 days, you need E5 licenses or a 10-year add-on.
Tip: Check your retention settings often. Make sure they fit your company’s compliance needs.
Permissions Management
You can lower the chance of someone getting into mailboxes without permission by managing permissions well.
Only give mailbox permissions to people who need them. Check these permissions often.
Use role-based access control (RBAC) so access matches job roles.
Turn on multi-factor authentication (MFA) for everyone who uses mailboxes.
Block direct sign-in for shared mailboxes with Azure AD Conditional Access.
Watch and check mailbox access and permission changes using activity logs.
Protect mailbox data with encryption and Data Loss Prevention (DLP) policies.
Compare permissions often to find changes you did not allow.
Keep track of all permission changes for audits and change management.
Note: Look into any permission changes that seem odd. Acting fast can stop data breaches.
Auditing Checklist
A good checklist helps you keep Exchange safe.
Find mailboxes with audit bypass turned on and turn it off if needed.
Make sure all mailbox activities are recorded by checking the DefaultAuditSet property.
Check that new mailbox activities are tracked, especially if you set up auditing before 2019.
Turn on auditing for resource and public folder mailboxes, since these are not tracked by default.
Make sure mailbox audit logs are in the unified audit log, even for users without E5 licenses.
Callout: Use PowerShell scripts to check and fix audit settings. Regular checks help you find problems before they get worse.
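One way to script the checklist above, given as an added example that is not from the original article or from Microsoft's scripts. The function name Test-MailboxAuditPosture, the 90-day minimum and the sample mailboxes are assumptions; the property names are the ones Get-Mailbox and Get-MailboxAuditBypassAssociation return.

```powershell
# Added example: flags mailboxes whose audit settings miss the checklist above.
# Each input object needs the Get-Mailbox properties AuditEnabled, DefaultAuditSet,
# AuditLogAgeLimit and RecipientTypeDetails, plus AuditBypassEnabled as returned by
# Get-MailboxAuditBypassAssociation.
function Test-MailboxAuditPosture {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [int] $MinRetentionDays = 90    # assumption: replace with your policy value
    )
    process {
        $findings = @()
        if (-not $Mailbox.AuditEnabled)  { $findings += 'AuditEnabled is False' }
        if ($Mailbox.AuditBypassEnabled) { $findings += 'audit bypass is on' }
        # DefaultAuditSet names the logon types that still use the default action list
        foreach ($type in 'Admin', 'Delegate', 'Owner') {
            if ($Mailbox.DefaultAuditSet -notcontains $type) {
                $findings += "$type actions are customized"
            }
        }
        $days = ([timespan]$Mailbox.AuditLogAgeLimit).Days
        if ($days -lt $MinRetentionDays) { $findings += "AuditLogAgeLimit is $days days" }
        [pscustomobject]@{
            Mailbox  = $Mailbox.UserPrincipalName
            Type     = $Mailbox.RecipientTypeDetails
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample mailboxes (not real data) so the function runs offline
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'
        RecipientTypeDetails = 'UserMailbox'; AuditEnabled = $true; AuditBypassEnabled = $false
        DefaultAuditSet = 'Admin', 'Delegate', 'Owner'; AuditLogAgeLimit = '90.00:00:00' }
    [pscustomobject]@{ UserPrincipalName = 'svc-backup@contoso.example'
        RecipientTypeDetails = 'UserMailbox'; AuditEnabled = $true; AuditBypassEnabled = $true
        DefaultAuditSet = 'Admin', 'Delegate', 'Owner'; AuditLogAgeLimit = '90.00:00:00' }
    [pscustomobject]@{ UserPrincipalName = 'room-4a@contoso.example'
        RecipientTypeDetails = 'RoomMailbox'; AuditEnabled = $false; AuditBypassEnabled = $false
        DefaultAuditSet = 'Admin', 'Delegate'; AuditLogAgeLimit = '30.00:00:00' }
)

# Expect two rows: svc-backup (bypass on) and room-4a (three findings); alice is clean.
$sample | Test-MailboxAuditPosture | Where-Object Findings | Format-Table -AutoSize -Wrap
```

Against a live organization, add the AuditBypassEnabled value from Get-MailboxAuditBypassAssociation to each Get-Mailbox result before piping it to the function.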
You help keep Exchange safe by turning on mailbox audit logging for everyone. Check the logs often and watch for permission changes. Use PowerShell and the Exchange Control Panel to handle audit logs. Try using built-in tools and third-party apps together. This gives you alerts right away, makes reports easier, and helps you follow the rules.
Tip: Look at your audit settings often. Change them if new rules come out.
FAQ
How do you know if mailbox auditing is enabled?
You can use PowerShell to check. Run this command:
Get-Mailbox "user@domain.com" | fl *audit*
If you see AuditEnabled : True, auditing is turned on for that mailbox.
Can you track who read a specific email?
You cannot tell who read one email. Exchange logs show when someone opens folders or messages. But they do not show every single email that was read. You can look for actions like "MessageBind" or "FolderBind" to see when someone accessed a folder or message.
How long does Exchange keep audit logs?
Exchange keeps audit logs for 90 days by default. If you have an E5 license, logs stay for one year. You can set a longer time if your company needs it.
What should you do if you find unauthorized mailbox access?
Act quickly if you find this. Remove any strange permissions. Change passwords for the accounts that were affected. Tell your security team right away. Check the audit logs for more information. You might need to tell compliance officers about the incident.
Do shared mailboxes need auditing?
Yes, you should turn on auditing for shared mailboxes. Attackers like to target these because many people can use them. Use PowerShell to turn on auditing for all shared mailboxes.