Microsoft Office 365 - Blog

Mailbox Auditing for Office 365 – Part 2

In Part 1 of this series we started to explore the auditing functionality natively available within Exchange Online as part of your Office 365 tenant. If you’re not caught up, go back and read that blog post first. If you’re all caught up, then let’s get to it.

What is the “non-owner mailbox access report”?

This one is well named, as it gives you a report of anyone who has accessed a specific mailbox besides the owner. This auditing information is kept within a hidden folder inside each user’s mailbox so that it is carried forward with that mailbox wherever it goes. This information is kept for 90 days in Exchange Online, and 90 days by default for on-premises Exchange servers too.

Below is a screenshot of this report. You’ll note I’ve cut out any personal information.

[Screenshot: Non-owner Mailbox Access Report]

You can see that I ran a general report asking for all non-owner access to mailboxes by administrators during a set of dates. Each non-owner access event is shown. As I ran this report against a very large organization, you can see there are a lot of them.

So what’s different about “Export mailbox audit logs…”?

The difference with this report is that it will cause Exchange to prepare and then email you an XML-formatted report that is suitable for sharing with others. For instance, say your boss comes to you and says “Sally in accounting thinks that someone has been accessing her mailbox and reading her mail. She says that messages she is sure she has not read are showing read in her Outlook client.”

In that situation you can quickly run the non-owner access report to see if anyone has been accessing Sally’s mailbox. If that report shows you that someone has actually been accessing Sally’s mailbox, you can then export the mailbox audit logs and put together an XML report that you can then forward to your boss for him to use.
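The same investigation can be run from Exchange Online PowerShell. The script below is an added example, not part of the original post: it assumes an already connected Exchange Online PowerShell session, and the mailbox address, recipient address, 30-day window and CSV file name are placeholders chosen for illustration.

```powershell
# Added example: assumes an existing Exchange Online PowerShell session.
# Mailbox and recipient addresses are placeholders, not values from the post.
$Mailbox   = 'sally@contoso.example'
$Recipient = 'manager@contoso.example'
$End       = Get-Date
$Start     = $End.AddDays(-30)   # must fall inside the 90-day retention window

# 1. Confirm auditing is on; with it off, an empty result proves nothing.
$mbx = Get-Mailbox -Identity $Mailbox
if (-not $mbx.AuditEnabled) {
    Write-Warning "Auditing is disabled on $Mailbox; no events were recorded."
    return
}
"Audit log age limit: $($mbx.AuditLogAgeLimit)"

# 2. Non-owner access only: delegates and administrators.
$events = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Delegate,Admin `
    -StartDate $Start -EndDate $End -ShowDetails -ResultSize 10000

if (-not $events) {
    "No non-owner access recorded between $Start and $End."
    return
}

# 3. Who did what, and how often.
$events |
    Group-Object LogonUserDisplayName, LogonType, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 4. Keep a copy outside the mailbox so it outlives the retention limit.
$events |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation,
                  OperationResult, FolderPathName, ItemSubject,
                  ClientIPAddress, ClientInfoString |
    Export-Csv -Path ".\NonOwnerAccess-$($End.ToString('yyyyMMdd')).csv" -NoTypeInformation

# 5. Queue the XML export; Exchange emails it to the recipient when ready.
New-MailboxAuditLogSearch -Name "Non-owner access: $Mailbox" -Mailboxes $Mailbox `
    -LogonTypes Delegate,Admin -StartDate $Start -EndDate $End `
    -ShowDetails -StatusMailRecipients $Recipient
```

Step 2 corresponds to the non-owner mailbox access report and step 5 to “Export mailbox audit logs…”; the XML report arrives by email once Exchange has finished preparing it.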

Great. Summarize the auditing in Exchange Online for me one more time, please.

Auditing is a great, easy-to-use feature within Exchange Online. The auditing portal can be accessed from within the Exchange admin center, and it gives administrators access to eight different reports showing the auditing information for your tenant. These reports can show you:

  • Who has accessed a specific mailbox
  • What changes have been made to administrator role groups
  • What changes have been made to In-Place eDiscovery searches
  • What mailboxes have been added or removed from litigation hold
  • Reports from mailbox audit logs
  • Reports from admin audit logs
  • The entire admin audit log

These reports are great; however, there are limitations. The largest limitation, at least in my opinion, is the 90-day time limit for this data. This limit in Office 365 and Exchange Online means that if your organization has policies that require the use of this data, you must plan for that expiration period within the policies.

If your organization is on Office 365, I strongly suggest you familiarize yourself with these reports.

Nathan O’Bryan
MCSM: Messaging | MVP: Office Servers and Services
http://www.mcsmlab.com | @MCSMLab