Because mailboxes can contain sensitive, high business impact (HBI) information and personally identifiable information (PII), it's important that you track who logs on to the mailboxes in your organization and what actions are taken. It's especially important to track access to mailboxes by users other than the mailbox owner. These users are referred to as delegate users.
By using mailbox audit logging, you can log mailbox access by mailbox owners, delegates (including administrators with full access permissions to mailboxes), and administrators.
When you enable audit logging for a mailbox, you can specify which user actions (for example, accessing, moving, or deleting a message) will be logged for a logon type (administrator, delegate user, or owner). Audit log entries also include important information such as the client IP address, host name, and process or client used to access the mailbox. For items that are moved, the entry includes the name of the destination folder.
Mailbox audit logs
Mailbox audit logs are generated for each mailbox that has mailbox audit logging enabled. Log entries are stored in the Recoverable Items folder in the audited mailbox, in the Audits subfolder. This ensures that all audit log entries are available from a single location, regardless of which client access method was used to access the mailbox or which server or computer an administrator uses to access the mailbox audit log. If you move a mailbox to another Mailbox server, the mailbox audit logs for that mailbox are also moved because they're located in the mailbox.
By default, mailbox audit log entries are retained in the mailbox for 90 days and then deleted. You can modify this retention period by using the AuditLogAgeLimit parameter with the Set-Mailbox cmdlet. If a mailbox is on In-Place Hold or Litigation Hold, audit log entries are only retained until the audit log retention period for the mailbox is reached. To retain audit log entries longer, you have to increase the retention period by changing the value for the AuditLogAgeLimit parameter. You can also export audit log entries before the retention period is reached. For more information, see:
When you enable mailbox audit logging for a mailbox, access to the mailbox and certain administrator and delegate actions are logged by default. To log actions taken by the mailbox owner, you must specify which owner actions should be audited.
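The following Exchange Management Shell commands are an added example (not from the original article) showing how the settings described above fit together: enabling auditing on one mailbox, choosing the owner actions to audit, and raising the retention period above the 90-day default. The mailbox identity is a placeholder.

```powershell
# Added example: enable mailbox audit logging for a sensitive mailbox, audit the
# owner actions that matter most, and keep entries for 180 days instead of 90.
# "hbi-mailbox@contoso.com" is a placeholder identity.
$mailbox = "hbi-mailbox@contoso.com"

Set-Mailbox -Identity $mailbox -AuditEnabled $true `
    -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update `
    -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update `
    -AuditOwner HardDelete,MailboxLogin,MoveToDeletedItems,SoftDelete `
    -AuditLogAgeLimit 180.00:00:00

# Confirm the effective configuration (AuditLogAgeLimit is shown as dd.hh:mm:ss)
Get-Mailbox -Identity $mailbox |
    Format-List AuditEnabled,AuditAdmin,AuditDelegate,AuditOwner,AuditLogAgeLimit
```

Owner actions are not audited unless listed in -AuditOwner, so a mailbox with AuditEnabled set to $true but an empty -AuditOwner value still records nothing about the owner's own deletions.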
Mailbox actions logged by mailbox audit logging
The following table lists the actions logged by mailbox audit logging, including the logon types for which the action can be logged. Note that an administrator who has been assigned the Full Access permission to a user's mailbox is considered a delegate user.
If you no longer require certain types of mailbox actions to be audited, you should modify the mailbox's audit logging configuration to disable those actions. Existing log entries aren't purged until the age limit for audit log entries is reached.
| Action | Description | Admin | Delegate | Owner |
| --- | --- | --- | --- | --- |
| Copy | An item is copied to another folder. | Yes | No | No |
| Create | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that message or folder creation isn't audited. | Yes¹ | Yes¹ | Yes |
| FolderBind | A mailbox folder is accessed. | Yes¹ | Yes² | No |
| HardDelete | An item is deleted permanently from the Recoverable Items folder. | Yes¹ | Yes¹ | Yes |
| MailboxLogin | The user signed in to their mailbox. | No | No | Yes³ |
| MessageBind | An item is accessed in the reading pane or opened. | Yes | No | No |
| Move | An item is moved to another folder. | Yes¹ | Yes | Yes |
| MoveToDeletedItems | An item is moved to the Deleted Items folder. | Yes¹ | Yes | Yes |
| SendAs | A message is sent using Send As permissions. | Yes¹ | Yes¹ | No |
| SendOnBehalf | A message is sent using Send on Behalf permissions. | Yes¹ | Yes | No |
| SoftDelete | An item is deleted from the Deleted Items folder. | Yes¹ | Yes¹ | Yes |
| Update | An item's properties are updated. | Yes¹ | Yes¹ | Yes |

¹ Audited by default if auditing is enabled for a mailbox.
² Entries for folder bind actions performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of 24 hours.
³ Auditing for owner logins to a mailbox works only for POP3, IMAP4, or OAuth logins. It doesn't work for NTLM or Kerberos logins to the mailbox.
Searching the mailbox audit log
You can use the following methods to search mailbox audit log entries:
Synchronously search a single mailbox: You can use the Search-MailboxAuditLog cmdlet to synchronously search mailbox audit log entries for a single mailbox. The cmdlet displays search results in the Exchange Management Shell window. For details, see Search Mailbox Audit Log for a Mailbox.
Asynchronously search one or more mailboxes: You can create a mailbox audit log search to asynchronously search mailbox audit logs for one or more mailboxes, and then have the search results sent to a specified email address. The search results are sent as an XML attachment. To create the search, use the New-MailboxAuditLogSearch cmdlet. For details, see Create a Mailbox Audit Log Search.
Use auditing reports in the Exchange admin center (EAC): You can use the Auditing tab in the EAC to run a non-owner mailbox access report (contains entries for admin and delegate actions) or export non-owner entries from the mailbox audit log. For details, see:
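The two shell-based search methods, as an added example that is not part of the original article. The mailbox identities, the 30-day window, and the recipient address are placeholders.

```powershell
# Added example: search for non-owner (admin and delegate) access to a mailbox
# over the last 30 days, first synchronously and then asynchronously.
$mailbox = "hbi-mailbox@contoso.com"   # placeholder identity
$start   = (Get-Date).AddDays(-30)
$end     = Get-Date

# 1. Synchronous search: results come back to the shell immediately.
#    -ShowDetails returns one object per log entry rather than a summary;
#    -ResultSize raises the default cap of 1000 entries.
$entries = Search-MailboxAuditLog -Identity $mailbox -LogonTypes Admin,Delegate `
    -StartDate $start -EndDate $end -ShowDetails -ResultSize 5000

$entries |
    Select-Object LastAccessed,Operation,OperationResult,LogonType,
        LogonUserDisplayName,ClientIPAddress,ClientInfoString,FolderPathName,ItemSubject |
    Sort-Object LastAccessed |
    Format-Table -AutoSize

# 2. Asynchronous search across several mailboxes: the results are delivered as
#    an XML attachment to the addresses given in -StatusMailRecipients.
New-MailboxAuditLogSearch -Name "Non-owner access, last 30 days" `
    -Mailboxes $mailbox,"legal-hold@contoso.com" `
    -LogonTypes Admin,Delegate -StartDate $start -EndDate $end `
    -StatusMailRecipients "secops@contoso.com" -ShowDetails
```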
The following table describes the fields logged in a mailbox audit log entry.
| Field | Populated with |
| --- | --- |
| Operation | One of the following actions: Copy, Create, FolderBind, HardDelete, MailboxLogin, MessageBind, Move, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update |
| OperationResult | One of the following results: Failed, PartiallySucceeded, Succeeded |
| LogonType | Logon type of the user who performed the operation. Logon types include: Owner, Delegate, Admin |
| DestFolderId | Destination folder GUID for move operations. |
| DestFolderPathName | Destination folder path for move operations. |
| FolderId | Folder GUID. |
| FolderPathName | Folder path. |
| ClientInfoString | Details that identify which client or Exchange component performed the operation. |
| ClientIPAddress | Client computer IP address. |
| ClientMachineName | Client computer name. |
| ClientProcessName | Name of the client application process. |
| ClientVersion | Client application version. |
| InternalLogonType | The type of internal user (a person in your organization) who performed the operation. The possible values for this field are the same ones as the LogonType field. |
| MailboxOwnerUPN | Mailbox owner user principal name (UPN). |
| MailboxOwnerSid | Mailbox owner security identifier (SID). |
| DestMailboxOwnerUPN | Destination mailbox owner UPN, logged for cross-mailbox operations. |
| DestMailboxOwnerSid | Destination mailbox owner SID, logged for cross-mailbox operations. |
| DestMailboxOwnerGuid | Destination mailbox owner GUID. |
| CrossMailboxOperation | Information about whether the operation logged is a cross-mailbox operation (for example, copying or moving messages between mailboxes). |
| LogonUserDisplayName | Display name of the user who is logged on. |
| DelegateUserDisplayName | Delegate user display name. |
| LogonUserSid | SID of the user who is logged on. |
| SourceItems | ItemID of mailbox items on which the logged action is performed (for example, move or delete). For operations performed on a number of items, this field is returned as a collection of items. |
| SourceFolders | Source folder GUID. |
| ItemId | Item ID. |
| ItemSubject | Item subject. |
| MailboxGuid | Mailbox GUID. |
| MailboxResolvedOwnerName | Mailbox user resolved name in the format DOMAIN\SamAccountName. |
| LastAccessed | Time when the operation was performed. |
| Identity | Audit log entry ID. |
More information
Administrator access to mailboxes: Mailboxes are considered to be accessed by an administrator only in the following scenarios:
Bypassing mailbox auditing logging: Mailbox access by authorized automated processes such as accounts used by third-party tools or accounts used for lawful monitoring can create a large number of mailbox audit log entries and may not be of interest to your organization. You can configure such accounts to bypass mailbox audit logging. For details, see Bypass a User Account From Mailbox Audit Logging.
Logging mailbox owner actions: For mailboxes such as the Discovery Search Mailbox, which may contain more sensitive information, consider enabling mailbox audit logging for mailbox owner actions such as message deletion.
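Bypassing as described above, together with the check a defender wants alongside it, as an added example that is not part of the original article. The service account identity is a placeholder.

```powershell
# Added example: exclude an authorized automated account from mailbox audit
# logging, then list every account that currently bypasses it.
# "svc-archive@contoso.com" is a placeholder identity.
Set-MailboxAuditBypassAssociation -Identity "svc-archive@contoso.com" -AuditBypassEnabled $true

# Every bypassed account is a gap in the audit trail, so review this list
# periodically and remove entries that are no longer justified.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name,Identity,AuditBypassEnabled

# Re-enable auditing for an account once the exemption is no longer needed
# Set-MailboxAuditBypassAssociation -Identity "svc-archive@contoso.com" -AuditBypassEnabled $false
```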