Compliance is one of the areas Microsoft has invested a lot in the past few years across all of the Office 365 workloads. The list of improvements is huge, and more are coming our way. It seems however that they forgot to announce a minor, but important change we got in Exchange Online – we are now able to audit Owner actions!
Up until now, we were able to audit Exchange Online mailboxes, but the AuditOwner setting were not controllable and by default no actions were audited even when auditing was enabled for the mailbox. With the recent changes, we can now use PowerShell to specify which actions should be audited for owners (no action is audited by default):
PS C:\>Set-Mailbox vasil -AuditOwner MailboxLogin,HardDelete,Create,Move,MoveToDeletedItems,SoftDelete,Update PS C:\> (Get-Mailbox vasil).AuditOwner Update Move MoveToDeletedItems SoftDelete HardDelete Create MailboxLogin
Once you configure the AuditOwner settings, it will take some time for events to be auditable. But the wait is well worth it – not only you will be able to prove wrong those pesky users that always seem to claim how messages disappear by themself, but you can gather information on things such as the IP a given user is logging from, the protocol or client version he is using, etc. Here’s an example:
PS C:\> ClientInfoString ClientIPAddress ClientMachineName ClientProcessName ClientVersion LastAccessed --------- ---------------- --------------- ----------------- ----------------- ------------- ------------ MoveToDeletedItems Client=MSExchangeRPC XXX.XXX.XXX.XXX OUTLOOK.EXE 15.0.4771.1003 05/12/2015 10:19:11 Update Client=MSExchangeRPC XXX.XXX.XXX.XXX OUTLOOK.EXE 15.0.4771.1003 05/12/2015 10:19:11 SoftDelete Client=MSExchangeRPC XXX.XXX.XXX.XXX OUTLOOK.EXE 15.0.4771.1003 05/12/2015 10:18:00 Create Client=MSExchangeRPC XXX.XXX.XXX.XXX OUTLOOK.EXE 15.0.4771.1003 05/12/2015 10:16:19 MailboxLogin Client=Microsoft.Excha... XXX.XXX.XXX.XXX 05/12/2015 10:04:50
Another small but important change – we can now increase the age limit for entries kept in the mailbox audit log indefinitely. The relevant TechNet articles have been updated with this information, and if you need more details on the types of events you can audit in O365, make sure to check this article: https://technet.microsoft.com/en-us/library/Dn708475.aspx
Really good news!