How to configure Mailbox Auditing

Mailbox auditing lets you monitor activity on your Office 365 tenant, including which accounts are being accessed by a Service Account. The documentation below describes how to turn on mailbox auditing, enable auditing on mailboxes, review the output of audit logs, and set alerts against audit policies.

Turning on Mailbox Auditing in Office 365 #

  1. Sign into the Security & Compliance Center with your Office 365 Admin account.
  2. Select Search & Investigation, and then select Audit log search.
  3. Click on “Start recording user and admin activity”. If this doesn’t come up, auditing has already been turned on for your organization.
  4. You’ll see a message advising that auditing has been enabled for your organization. It can take up to two hours for auditing to be enabled based on the size of your organization. Results of searches are limited for the first 24 hours whilst data is indexed.

The next step is to enable Mailbox Auditing on the users you’d like to have the ability to audit.

Enable mailbox auditing #

To enable auditing for a single mailbox, use this PowerShell command. In our example, the user is called “Cronofy Test”:

Set-Mailbox -Identity "Cronofy Test" -AuditEnabled $true

To enable auditing for all Office 365 mailboxes in your organization, use this PowerShell command:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

For more information about mailbox auditing, or to make specific choices about what mailbox actions get audited, see this documentation from Microsoft on enabling mailbox auditing in Office 365.

Reviewing Mailbox Audit Logs #

  1. Sign in to the Security & Compliance Center with your Office 365 Admin user account.
  2. Select Search & Investigation, and then select Audit log search.
  3. Select the activities you want to audit. For example, mailbox activities such as one or more users signing into their mailbox or purging email.

You can only view events that have occurred after you turned on auditing in Office 365. Mailbox auditing is included in the Audit log search, but you must turn on mailbox auditing separately. For more information, see the previous section: Enable mailbox auditing.
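
The same review can be scripted. The following is an added example, not code from this documentation or from Microsoft: it summarises which mailboxes a service account touched, given unified audit log records. The account name, mailbox names, sample records and the `ExpectedMailboxes` allowlist parameter are constructed assumptions.

```powershell
# Added example. The account, mailboxes and sample records are constructed placeholders.
function Get-ServiceAccountMailboxAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Records,         # objects carrying an AuditData JSON string
        [Parameter(Mandatory)] [string]   $ServiceAccount,  # UPN of the service account
        [string[]] $ExpectedMailboxes = @()                 # hypothetical allowlist of approved mailboxes
    )
    # Keep mailbox events where the service account acted on someone else's mailbox,
    # then count them per mailbox and operation.
    $Records |
        ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Where-Object { $_.MailboxOwnerUPN -and $_.UserId -eq $ServiceAccount -and
                       $_.MailboxOwnerUPN -ne $ServiceAccount } |
        Group-Object -Property MailboxOwnerUPN, Operation |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Mailbox    = $first.MailboxOwnerUPN
                Operation  = $first.Operation
                Count      = $_.Count
                LastSeen   = ($_.Group.CreationTime | Sort-Object | Select-Object -Last 1)
                # Flag only when an allowlist was supplied and the mailbox is not on it.
                Unexpected = ($ExpectedMailboxes.Count -gt 0) -and
                             ($ExpectedMailboxes -notcontains $first.MailboxOwnerUPN)
            }
        } |
        Sort-Object -Property @{ Expression = 'Unexpected'; Descending = $true }, Mailbox
}

# Constructed records shaped like Search-UnifiedAuditLog output (AuditData is a JSON string).
$sample = @(
    '{"CreationTime":"2024-01-10T09:15:00","Operation":"MailItemsAccessed","UserId":"svc-calendar@example.com","MailboxOwnerUPN":"alice@example.com"}'
    '{"CreationTime":"2024-01-10T09:20:00","Operation":"MailItemsAccessed","UserId":"svc-calendar@example.com","MailboxOwnerUPN":"alice@example.com"}'
    '{"CreationTime":"2024-01-10T11:02:00","Operation":"MailItemsAccessed","UserId":"svc-calendar@example.com","MailboxOwnerUPN":"finance@example.com"}'
    '{"CreationTime":"2024-01-10T11:30:00","Operation":"MailItemsAccessed","UserId":"bob@example.com","MailboxOwnerUPN":"bob@example.com"}'
) | ForEach-Object { [pscustomobject]@{ AuditData = $_ } }

Get-ServiceAccountMailboxAccess -Records $sample -ServiceAccount 'svc-calendar@example.com' `
    -ExpectedMailboxes 'alice@example.com', 'bob@example.com' | Format-Table -AutoSize

# Live use, after Connect-ExchangeOnline with an account that can search the audit log:
# $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -UserIds 'svc-calendar@example.com' -ResultSize 5000
# Get-ServiceAccountMailboxAccess -Records $records -ServiceAccount 'svc-calendar@example.com'
```

With the sample data, the row for finance@example.com sorts first and is marked Unexpected because it is not on the supplied allowlist.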

Setting an alert on your Service Account #

For added security, you can set an alert for when an account performs specific operations. In the example below, we will create an alert for when a service account accesses any mailbox item.

  1. To configure this, head to Manage Alerts in your Office 365 tenant, and click on “New Alert Policy”.
  2. Name your alert and enter a description if you wish.
  3. Under activities, choose which activity you’d like to alert against. We’ll select “Accessed mailbox item”.
  4. Select the user whom you want to alert against. For example, “alert me when x user accesses mailbox items”.
  5. Finally, select who you want the alert to be sent to, and click on Save.

You’ll now receive an alert any time the rule you created is triggered.

Further reading #

More information on action and alerting types can be found in Microsoft’s documentation, Enabling mailbox auditing in Office 365.