Run a non-owner mailbox access report

[Cette rubrique est une documentation préliminaire et peut être modifiée dans les versions ultérieures. Des rubriques vides sont incluses comme espaces réservés. N’hésitez pas à nous transmettre vos commentaires. Envoyez-nous un e-mail à l’adresse ExchangeHelpFeedback@microsoft.com.]  

S’applique à :Exchange Online, Exchange Server 2016

Summary: Learn how to enable mailbox audit logging in Exchange so that you run reports on non-owner mailbox access.

The Non-Owner Mailbox Access Report in the Centre d’administration Exchange (EAC) lists the mailboxes that have been accessed by someone other than the person who owns the mailbox. When a non-owner accesses a mailbox, Exchange logs information about this action. Exchange stores this mailbox audit log as an email message in a hidden folder in the audited mailbox. The report displays entries from this log as search results and includes any mailboxes accessed by a non-owner, who accessed each mailbox and when, the actions performed by non-owners, and whether or not the actions were successful.

Exchange logs specific actions by non-owners, which includes administrators and users who have been assigned permissions to a mailbox (who are called delegated users). You can also narrow the search to users inside or outside your organization. By default, Exchange retains entries in the mailbox audit log for 90 days.

You enable mailbox audit logging in the Environnement de ligne de commande Exchange Management Shell.

tipConseil :
Vous rencontrez des difficultés ? Demandez de l’aide en participant aux forums Exchange. Visitez le forum à l’adresse : Exchange Server, Exchange Online ou Exchange Online Protection.

You have to enable mailbox audit logging for each mailbox that you want to include in a non-owner mailbox access report. If you don't enable mailbox audit logging, you won't get any results when you run a report.

To enable mailbox audit logging for a single mailbox, run the following command in the Environnement de ligne de commande Exchange Management Shell.

Set-Mailbox <Identity> -AuditEnabled $true

For example, to enable mailbox auditing for a user named Florence Flipo, run the following command.

Set-Mailbox "Florence Flipo" -AuditEnabled $true

To enable mailbox auditing for all user mailboxes in your organization, run the following commands.

$UserMailboxes = Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

Run the following command to verify that you’ve successfully configured mailbox audit logging.

Get-Mailbox | FL Name,AuditEnabled

A value of True for the AuditEnabled property verifies that audit logging is enabled.

  1. In the EAC, navigate to Compliance Management > Auditing.

  2. Click Run a non-owner mailbox access report.

    By default, Exchange runs the report for non-owner access to any mailboxes in the organization over the past two weeks. Audit logging was enabled for the mailboxes listed in the search results.

  3. To view non-owner access for a specific mailbox, select the mailbox from the list of mailboxes. View the search results in the details pane.

tipConseil :
Want to narrow the search results? Select the start date, end date, or both, and select specific mailboxes to search. Click Search to re-run the report.

You can also specify that you want to search for the non-owner access type, also called the logon type. Here are your options:

  • All non-owners   Search for access by administrators and delegated users inside your organization. Also includes access user outside of your organization.

  • External users   Search for access by users outside of your organization.

  • Administrators and delegated users   Search for access by administrators and delegated users inside your organization.

  • Administrators   Search for access by administrators in your organization.

When you run a non-owner mailbox access report, the EAC search results displays entries from the mailbox audit log. Each report entry contains this information:

  • Who accessed the mailbox and when.

  • The actions performed by the non-owner.

  • The affected message and its folder location.

  • Whether the action was successful.

The following table describes the types of actions logged, and whether these actions are logged by default for access by administrators and for access by delegated users. If you want to track actions that aren't logged by default, you have to use the Environnement de ligne de commande Exchange Management Shell to enable logging of those actions.

 

Action Description Administrators Delegated users

Update

A message was changed.

Yes

Yes

Copy

A message was copied to another folder.

No

No

Move

A message was moved to another folder.

Yes

No

Move To Deleted Items

A message was moved to the Deleted Items folder.

Yes

No

Soft-delete

A message was deleted from the Deleted Items folder.

Yes

Yes

Hard-delete

A message was purged from the Recoverable Items folder.

Yes

Yes

FolderBind

A mailbox folder was accessed.

Yes

No

Send as

A message was sent using SendAs permission. This means another user sent the message as though it came from the mailbox owner.

Yes

Yes

Send on behalf of

A message was sent using SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message will indicate to the recipient who the message was sent on behalf of and who actually sent the message.

Yes

No

MessageBind

A message was viewed in the preview pane or opened.

No

No

To verify that you’ve successfully run a non-owner mailbox access report, check the search results pane. The results pane displays the mailboxes that you ran the report for, whether an individual user or a group of mailboxes. If there are no results for a specific mailbox, it’s possible there was no non-owner access or there was no non-owner access in the specified date range. As we previously recommended, be sure to verify that you enabled audit logging for the mailboxes you want to search for access by non-owners.

 
Afficher: