Mailbox auditing is on by default for the entire Office 365 tenant, but can be turned off. Turning off mailbox auditing will result mailbox actions no longer being audited (even if auditing is enabled on at a mailbox level). Existing mailbox audit records will however be retained until the audit log age limit for the record expires.

The following logon types are used to classify the audited actions on a mailbox:

  • Owner: The account that’s associated with the mailbox.

  • Delegate: A user who’s been assigned the SendAs, SendOnBehalf, or FullAccess permission to another mailbox.

  • Admin: The mailbox is searched with a Microsoft eDiscovery tool or is accessed with the Microsoft Exchange Server MAPI Editor.

While mailbox auditing cannot be disabled for a specific mailbox if mailbox auditing is enabled tenant-wide, mailbox audit logging can still be bypassed by defined users.

In such circumstances, mailbox Owner, Delegate, or Admin access and actions, to any mailbox, made by the bypassing user or computer account aren’t logged.

Connect-ExchangeOnline

# Retrieves the mailbox auditing status at the Office365 tenant level.
Get-OrganizationConfig | Select-Object Identity,Name,AuditDisabled

# Retrieves the mailbox auditing bypass status for the specified mailbox.
Get-MailboxAuditBypassAssociation -Identity <EMAIL> | Select-Object Id,DistinguishedName,AuditBypassEnabled

# Retrieves mailbox auditing settings, including the operations logged for the specified mailbox.
Get-Mailbox -Identity <EMAIL> | Select-Object Identity,Name,AuditEnabled,DefaultAuditSet,AuditLogAgeLimit,AuditOwner,AuditDelegate,AuditAdmin | ConvertTo-Json
Tags: azure_security_review

View on GitHub