Exchange Online auditing expanded to cover owner actions!

Compliance is one of the areas Microsoft has invested heavily in over the past few years, across all of the Office 365 workloads. The list of improvements is huge, and more are coming our way. It seems, however, that they forgot to announce a minor but important change we got in Exchange Online – we are now able to audit Owner actions!

Up until now, we were able to audit Exchange Online mailboxes, but the AuditOwner setting was not controllable, and by default no owner actions were audited even when auditing was enabled for the mailbox. With the recent changes, we can now use PowerShell to specify which actions should be audited for owners (no action is audited by default):

PS C:\>Set-Mailbox vasil -AuditOwner MailboxLogin,HardDelete,Create,Move,MoveToDeletedItems,SoftDelete,Update

PS C:\> (Get-Mailbox vasil).AuditOwner
Update
Move
MoveToDeletedItems
SoftDelete
HardDelete
Create
MailboxLogin

Once you configure the AuditOwner settings, it will take some time before events start being audited. But the wait is well worth it – not only will you be able to prove wrong those pesky users who always seem to claim that messages disappear by themselves, but you can also gather information such as the IP address a given user is logging in from, the protocol or client version he is using, etc. Here’s an example:

PS C:\>            ClientInfoString          ClientIPAddress           ClientMachineName         ClientProcessName         ClientVersion            LastAccessed
---------                 ----------------          ---------------           -----------------         -----------------         -------------            ------------
MoveToDeletedItems        Client=MSExchangeRPC      XXX.XXX.XXX.XXX                                        OUTLOOK.EXE               15.0.4771.1003           05/12/2015 10:19:11
Update                    Client=MSExchangeRPC      XXX.XXX.XXX.XXX                                        OUTLOOK.EXE               15.0.4771.1003           05/12/2015 10:19:11
SoftDelete                Client=MSExchangeRPC      XXX.XXX.XXX.XXX                                        OUTLOOK.EXE               15.0.4771.1003           05/12/2015 10:18:00
Create                    Client=MSExchangeRPC      XXX.XXX.XXX.XXX                                        OUTLOOK.EXE               15.0.4771.1003           05/12/2015 10:16:19
MailboxLogin              Client=Microsoft.Excha... XXX.XXX.XXX.XXX                                                                                           05/12/2015 10:04:50
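
An added example (not part of the original post): a small function that summarises owner audit entries per client IP address, so activity from an unexpected address or client stands out. The function name `Get-OwnerAuditSummary` and the sample entries are constructed for illustration; it assumes input objects carrying `Operation` plus the properties shown in the output above.

```powershell
# Added example: summarise owner audit entries per client IP address.
function Get-OwnerAuditSummary {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject[]]$Entry
    )
    begin   { $all = New-Object System.Collections.Generic.List[object] }
    process { foreach ($e in $Entry) { $all.Add($e) } }
    end {
        $all | Group-Object ClientIPAddress | ForEach-Object {
            $group = $_.Group
            $times = $group | ForEach-Object { [datetime]$_.LastAccessed } | Sort-Object
            # Distinct "process version" strings; entries without client details are skipped
            $clients = $group |
                ForEach-Object { "$($_.ClientProcessName) $($_.ClientVersion)".Trim() } |
                Where-Object { $_ } | Sort-Object -Unique
            [pscustomobject]@{
                ClientIPAddress = $_.Name
                Events          = $_.Count
                Operations      = ($group.Operation | Sort-Object -Unique) -join ','
                Clients         = $clients -join '; '
                HardDeletes     = @($group | Where-Object Operation -eq 'HardDelete').Count
                FirstSeen       = $times | Select-Object -First 1
                LastSeen        = $times | Select-Object -Last 1
            }
        } | Sort-Object Events -Descending
    }
}

# Constructed sample entries (documentation IP ranges), not real audit data.
$sample = @'
Operation,ClientIPAddress,ClientProcessName,ClientVersion,LastAccessed
MailboxLogin,192.0.2.10,,,2015-12-05T10:04:50
Create,192.0.2.10,OUTLOOK.EXE,15.0.4771.1003,2015-12-05T10:16:19
SoftDelete,192.0.2.10,OUTLOOK.EXE,15.0.4771.1003,2015-12-05T10:18:00
MailboxLogin,198.51.100.23,,,2015-12-05T23:41:07
HardDelete,198.51.100.23,,,2015-12-05T23:43:30
'@ | ConvertFrom-Csv

$sample | Get-OwnerAuditSummary | Format-Table -AutoSize

# Against a live mailbox (requires an Exchange Online PowerShell session):
# Search-MailboxAuditLog -Identity vasil -LogonTypes Owner -ShowDetails `
#     -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) | Get-OwnerAuditSummary
```

With the sample data, the second address shows a login followed by a HardDelete and no client process details, which is the kind of row worth a closer look.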

Another small but important change – we can now increase the age limit for entries kept in the mailbox audit log indefinitely. The relevant TechNet articles have been updated with this information, and if you need more details on the types of events you can audit in O365, make sure to check this article: https://technet.microsoft.com/en-us/library/Dn708475.aspx

Really good news!
