Using PowerShell for Auditing reports in Exchange Online

Note

The classic Exchange admin center is in the process of being deprecated in worldwide deployment, and UI support for auditing will be discontinued in the new Exchange admin center. Instead, administrators can use the PowerShell cmdlets described in this article to fulfill their auditing requirements.

Legacy Exchange Online data loss prevention in the Exchange admin center is in the process of being deprecated.

Use audit logging to troubleshoot configuration issues by tracking specific changes made by admins and to help you meet regulatory, compliance, and litigation requirements. Exchange Online or standalone Exchange Online Protection (EOP) without Exchange Online mailboxes provides two types of audit logging:

  • Management audit logging: Records any action, based on an Exchange Online PowerShell or standalone Exchange Online Protection PowerShell cmdlet, performed by an admin. These records can help you troubleshoot configuration issues or identify the cause of security-related or compliance-related problems. Actions performed by Microsoft datacenter administrators and delegated admins are also recorded in Exchange Online.

  • Mailbox audit logging (Exchange Online only): Records when a mailbox is accessed by an admin, a delegated user, or the person who owns the mailbox. This can help you determine who has accessed a mailbox and what they've done.

Export audit logs

Comprehensive auditing capabilities will be discontinued in the new Exchange admin center, but you can still export the management log and the mailbox audit log using the PowerShell cmdlets.

Note

Mailbox audit logging is not available in standalone EOP. Management log export from the EAC is not available in standalone EOP, but is available in PowerShell by using the New-AdminAuditLogSearch cmdlet. For instructions, see Use PowerShell to search for audit log entries and send results to a recipient.

  • Export management audit log: Any action performed by an admin that's based on an Exchange Online PowerShell or standalone Exchange Online Protection PowerShell cmdlet that doesn't begin with the verbs Get, Search, or Test is logged in the management log. Audit log entries include the cmdlet that was run, the parameters and values used with the cmdlet, and whether the operation was successful. You can export records of configuration changes in your organization from management logs. The log entries are saved in an XML file and the file is sent as an attachment to specified users within 24 hours via email. For more information, see:

    To export the management log, run the following cmdlets:

    Get-MailboxRegionalConfiguration
    # Get the list of configuration changes:
    Search-AdminAuditLog -StartDate <DateTime> -EndDate <DateTime> -ExternalAccess:$false -ResultSize 500
    # Get details about each change:
    Search-AdminAuditLog -StartDate <DateTime> -Cmdlets <Cmdlet Name> -ObjectIds <ObjectId>
    
  • Export mailbox audit logs: When mailbox audit logging is enabled for a mailbox, Exchange Online stores a record of actions performed on mailbox data by nonowners in the mailbox audit log, which is stored in a hidden folder in the mailbox being audited. Entries in this log indicate who accessed the mailbox and when the action's been performed, and whether the action was successful. You can export nonowner access entries from mailbox logs. Log entries are saved in an XML file and are attached to an email message, and sent to specified users within 24 hours. For more information, see Export mailbox audit logs.

    To export the mailbox audit log, use the following cmdlets (ShowDetails is a switch parameter, so it is specified on its own rather than with a 'True' value):

    Get-MailboxRegionalConfiguration
    New-MailboxAuditLogSearch -StartDate '<DateTime>' -EndDate '<DateTime>' -Mailboxes @(<MailIds of audited mailboxes>) -LogonTypes @(<List of Strings>) -StatusMailRecipients @(<MailIds of Recipients>) -ShowDetails
    
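The two export requests above with concrete values, as an added example that is not part of the original article. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline); the recipient and mailbox addresses are placeholders.

```powershell
# Added example: request both audit log exports for the last 7 days.
# Addresses below are placeholders, not real mailboxes.
$end        = Get-Date
$start      = $end.AddDays(-7)
$recipients = @('auditor@contoso.example')
$stamp      = $start.ToString('yyyyMMdd')

# 1) Management (admin) audit log export. Only cmdlets that do not start with
#    Get/Search/Test are logged; -ExternalAccess $false restricts the export to
#    your own admins' actions (use $true for Microsoft/delegated-admin changes).
#    The XML attachment is mailed to the recipients within 24 hours.
New-AdminAuditLogSearch -Name "AdminAudit-$stamp" `
    -StartDate $start -EndDate $end `
    -ExternalAccess $false `
    -StatusMailRecipients $recipients

# 2) Mailbox audit log export for named mailboxes, non-owner logons only.
#    Mailbox auditing must already be enabled on these mailboxes.
#    -ShowDetails is a switch: include it (or -ShowDetails:$true), never 'True'.
New-MailboxAuditLogSearch -Name "MailboxAudit-$stamp" `
    -StartDate $start -EndDate $end `
    -Mailboxes @('shared-finance@contoso.example', 'ceo@contoso.example') `
    -LogonTypes @('Admin', 'Delegate') `
    -StatusMailRecipients $recipients `
    -ShowDetails

# 3) Confirm both requests were queued (searches created in the last hour)
Get-AuditLogSearch -CreatedAfter (Get-Date).AddHours(-1) |
    Format-Table Name, Type, StartDateUtc, EndDateUtc -AutoSize
```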

Configure Outlook on the web to allow XML attachments

When you export the mailbox audit log or management log, the log is attached as an XML file in an email message. However, Outlook on the web (formerly known as Outlook Web App) blocks XML attachments by default. If you want to use Outlook on the web to access exported audit logs, you need to configure Outlook on the web to allow XML attachments.

In Exchange Online PowerShell or standalone Exchange Online Protection PowerShell, run the following command to allow XML attachments in Outlook on the web:

Set-OwaMailboxPolicy -Identity Default -AllowedFileTypes @{Add=".xml"}

For detailed syntax and parameter information, see Set-OwaMailboxPolicy.

Run auditing reports

Administrators can monitor system activity and verify that compliance and security requirements are being met by running the following auditing reports with the cmdlets shown. These cmdlets give admins the visibility they need to track user and admin actions in the organization.

  • Run a non-owner mailbox access report: Use this report to search the administrative logs for mailboxes that have been opened by someone other than the mailbox owner. For more information, see Run a nonowner mailbox access report.

    Important

    You must enable auditing for each mailbox for which you want to report non-owner access. When you run the report, you won't see results for mailboxes that don't have auditing enabled.

    Use the following cmdlet to run a nonowner mailbox access report:

    Search-MailboxAuditLog -StartDate '<DateTime>' -EndDate '<DateTime>' -LogonTypes @(<List of Types>) -Identity 'sharedmailbox' -ShowDetails:$true -ResultSize 501
    
  • Run an administrator role group report: Use this report to find changes made to role groups in the administration log (role groups are used to assign administrative permissions to users). For more information, see Search the role group changes.

    Use the following cmdlet to run an administrator role group report:

    Search-AdminAuditLog -IsSuccess:$true -Cmdlets @('Add-RoleGroupMember','Remove-RoleGroupMember','Update-RoleGroupMember','New-RoleGroup','Remove-RoleGroup') -StartDate '<DateTime>' -EndDate '<DateTime>' -ObjectIds @(<ObjectIds of Role Groups>) -ResultSize 501
    
  • Run a local eDiscovery and retention report: Use this report to search the management log for local discovery searches and changes to in-place hold. For more information, see:

    Use the following cmdlet to run a local eDiscovery and retention report:

    Search-AdminAuditLog -Cmdlets @('New-MailboxSearch', 'Start-MailboxSearch', 'Get-MailboxSearch', 'Stop-MailboxSearch', 'Remove-MailboxSearch', 'Set-MailboxSearch') -StartDate '<DateTime>' -EndDate '<DateTime>' -UserIds <UserIds> -IsSuccess $true
    
  • Run a mailbox broken procedural hold report: Use this report to determine from the management log whether procedural hold (the LitigationHoldEnabled setting) has been enabled or disabled for a user's mailbox. For more information, see Run a mailbox broken procedural hold report.

    Use the following cmdlet to run a mailbox broken procedural hold report:

    Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters LitigationHoldEnabled -StartDate <DateTime> -EndDate <DateTime> -UserIds <UserIds> -IsSuccess $true 
    
  • Run the management log report: Use this report to view entries in the management log that shows what changes your organization's admins have made to the configuration. For more information, see View the management log.

    Use the following cmdlets to run the management log report:

    Get-MailboxRegionalConfiguration
    # Get the list of configuration changes:
    Search-AdminAuditLog -StartDate <DateTime> -EndDate <DateTime> -ExternalAccess:$false -ResultSize 500
    # Get details about each change:
    Search-AdminAuditLog -StartDate <DateTime> -Cmdlets <Cmdlet Name> -ObjectIds <ObjectId>
    
  • Run the external management log report: Use this report to view entries in the administration log that show changes that Microsoft or a delegated administrator has made to the configuration of Exchange Online services. For more information, see View and export the external management log.

    Use the following cmdlet to run the external management log report:

    Search-AdminAuditLog -IsSuccess:$true -StartDate <DateTime> -EndDate <DateTime> -ExternalAccess:$true -ObjectIds <ObjectId> -Cmdlets <Cmdlet Name> -ResultSize 501
    

* This report is available in standalone EOP organizations.
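The non-owner mailbox access report and the two-step management log report (list the changes, then get the details) worked through on concrete values, as an added example that is not part of the original article. It assumes an Exchange Online PowerShell session, a mailbox with auditing already enabled, and placeholder addresses.

```powershell
# Added example: run two of the reports above and summarise the results.
$end   = Get-Date
$start = $end.AddDays(-30)

# --- Non-owner mailbox access: who other than the owner touched the mailbox,
#     and what did they do? -ShowDetails requires -Identity (a single mailbox).
$mailbox = 'shared-finance@contoso.example'    # placeholder; auditing must be on
$access = Search-MailboxAuditLog -Identity $mailbox -LogonTypes Admin,Delegate `
    -StartDate $start -EndDate $end -ShowDetails -ResultSize 1000

# Overview: count of each operation per non-owner account
$access |
    Group-Object LogonUserDisplayName, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Keep a CSV of the operations worth reviewing: deletions and mail sent as the owner
$access |
    Where-Object { $_.Operation -in 'HardDelete', 'SoftDelete', 'SendAs', 'SendOnBehalf' } |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, ClientIPAddress |
    Export-Csv -Path ".\nonowner-$($mailbox.Split('@')[0]).csv" -NoTypeInformation

# --- Management log, step 1: list configuration changes by your own admins
$changes = Search-AdminAuditLog -StartDate $start -EndDate $end `
    -ExternalAccess $false -ResultSize 500
$changes |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded |
    Format-Table -AutoSize

# --- Step 2: details for one class of change, here role group membership edits
$roleChanges = Search-AdminAuditLog -StartDate $start -EndDate $end -IsSuccess $true `
    -Cmdlets Add-RoleGroupMember, Remove-RoleGroupMember, New-RoleGroup, Remove-RoleGroup
foreach ($entry in $roleChanges) {
    # CmdletParameters is a collection of Name/Value pairs; flatten it for reading
    $params = ($entry.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    '{0:u} {1} ran {2} on {3}: {4}' -f $entry.RunDate, $entry.Caller,
        $entry.CmdletName, $entry.ObjectModified, $params
}
```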

Configure mailbox audit logging

Note

Mailbox audit logging is not available in standalone EOP.

As of January 2019, mailbox audit logging on by default is enabled for all Exchange Online organizations. For more information, see Manage mailbox auditing.

Give users access to Auditing reports

By default, admins can access and run any of the auditing reports using the cmdlets mentioned above. However, other users, such as a records manager or legal staff, have to be assigned the necessary permissions.

  • The Auditing Logs role allows users to view the Auditing page to run any of the available reports, export the mailbox audit log, and export and view the management log. By default, this role is assigned to the Organization Management, Compliance Management, and Records Management role groups.
  • The View-Only Audit Logs role allows users to run auditing reports, but not to export audit logs. By default, this role is assigned to the Organization Management and Compliance Management role groups.

The easiest way to give users access to the reports is to add them to the Records Management role group, which has the Auditing Logs role assigned.

Use the EAC to add users to the Records Management role group

  1. On the new EAC homepage, select Roles to expand and then click Admin Roles.

  2. In the list of role groups, click Records Management. This will open Records Management details pane.

  3. Click Assigned and then click Add to add new members.

  4. In the Select Members dialog box, select the user. You can search for a user by typing all or part of a display name, and then clicking Search. You can also sort the list by clicking the Name or Display Name column headings.

  5. Click Add and then click OK to return to the role group page.

  6. Click Save to save the change to the role group.

Use PowerShell to add users to the Records Management role group

In Exchange Online PowerShell or standalone Exchange Online Protection PowerShell, replace <Identity> with the name, alias, email address, or account name of the user or group, and then run the following command to add them to the Records Management role group, which assigns the Auditing Logs role to the user:

Add-RoleGroupMember -Identity "Records Management" -Member <Identity>

For detailed syntax and parameter information, see Add-RoleGroupMember.