Mailbox Audit Logging in Exchange and Microsoft 365 | Windows OS Hub (2025)

You can use audit logging in on-premises Exchange Server and cloud-based Exchange Online (Microsoft 365) to track all user actions on any items in a mailbox. By using mailbox activity auditing, an Exchange administrator can easily answer the popular question “How to find out a user who deleted an email from a shared mailbox?

In this article, we’ll show you how to enable and configure audit logging in Exchange Server and Microsoft 365 mailboxes and how to review audit logs.

Contents:

  • Enable Audit Logging in Office 365 (Microsoft 365) Mailboxes
  • How to Enable Mailbox Audit Logging in Exchange Server
  • Find Out Who Deleted an Email from a Shared Exchange Mailbox

Enable Audit Logging in Office 365 (Microsoft 365) Mailboxes

First of all, let’s look at the audit features in Microsoft 365 tenant mailboxes. They are available only for E3- and E5-level subscribers.

Open PowerShell and connect to your Exchange Online tenant using the EXOv3 module:

Connect-ExchangeOnline -UserPrincipalName [emailprotected] -ShowProgress $true

The audit logging is enabled by default in Exchange Online (Office 365) for all tenants since late 2018.

Get-OrganizationConfig | Format-List AuditDisabled

You can enable/disable the audit in the settings of each mailbox. Let’s display the current audit settings for all mailboxes:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Select UserPrincipalName,AuditEnabled

Mailbox Audit Logging in Exchange and Microsoft 365 | Windows OS Hub (1)

As you can see, the audit is enabled. You can disable auditing for a specific mailbox:

Set-Mailbox maxbak -AuditEnabled $false

The Exchange allows using the following levels of mailbox activity auditing

  • AuditOwner –audit owner actions;
  • AuditAdmin –audit administrator actions;
  • AuditDelegate –audit actions of other users who have been granted access to the mailbox.

The following events may be registered in the audit log:

  • Copy
  • Create
  • FolderBind
  • HardDelete
  • MailboxLogin
  • MessageBind
  • Move
  • MoveToDeletedItems
  • SendAs
  • SendOnBehalf
  • SoftDelete
  • Update
  • UpdateCalendarDelegation
  • UpdateFolderPermissions

For each audit level, you can configure the events that should be logged. You can get current audit settings using these commands:

Get-Mailbox maxbak| Select-Object -ExpandProperty AuditOwner
Get-Mailbox maxbak| Select-Object -ExpandProperty AuditDelegate
Get-Mailbox maxbak| Select-Object -ExpandProperty AuditAdmin

Mailbox Audit Logging in Exchange and Microsoft 365 | Windows OS Hub (2)

You can configure only certain types of events to be registered in the log. For example, to audit item removal events:

Set-Mailbox maxbak -AuditOwner HardDelete,SoftDelete

If you only want to add other audit events to the existing ones:

Set-Mailbox maxbak -AuditOwner @{Add=”MailboxLogin”,”HardDelete”}

Audit logs are stored directly in the Audits folder of each mailbox. The folder is unavailable from Outlook or OWA.

You can get the current audit log size in a mailbox using the command below:

Get-MailboxFolderStatistics -Identity [emailprotected] | where {$_.FolderType -eq 'Audits'} | ft Identity, ItemsInFolder, FolderSize –auto

Mailbox Audit Logging in Exchange and Microsoft 365 | Windows OS Hub (3)

How to Enable Mailbox Audit Logging in Exchange Server

In the on-premises Exchange Server, mailbox audit is available in 2010 SP1+. By default, the mailbox audit is disabled.

Connect to your on-prem Exchange Server using PowerShell:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://mun-mbx01.woshub.com/PowerShell/ -Authentication Kerberos -Credential $UserCredential
Import-PSSession $Session

You can enable audit logging for a single mailbox:

Set-Mailbox maxbak -AuditEnabled $true

Or for all mailboxes in your Exchange organization:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

In Exchange Server mailboxes, administrator and delegate actions are audited (the default settings differ from those in Exchange Online). Owner activity auditing is disabled. If you enable an audit of all events of a mailbox owner, the log size will grow much faster. It is better to enable selective auditing of some actions (for example, deleting or moving):

Set-Mailbox maxbak -AuditOwner SoftDelete,HardDelete,MoveToDeletedItems,Move

Audit events are stored for 90 days and deleted afterward. You can manage audit log depth (and size). For example, you can reduce the retention period for events in a mailbox from 90 to 30 days:

Get-Mailbox maxbak |select AuditLogAgeLimit
Set-Mailbox maxbak -AuditLogAgeLimit 30 -Force

Mailbox Audit Logging in Exchange and Microsoft 365 | Windows OS Hub (4)

Find Out Who Deleted an Email from a Shared Exchange Mailbox

Suppose, there is a shared mailbox in your Exchange tenant/organization accessible by other users. One of the users deleted an important email and you need to find out who did it.

To search mailbox audit logs, the Search-MailboxAuditLog cmdlet is used. The cmdlet is available both in on-prem Exchange Server and in cloud Exchange Online (some options may differ).

The following command displays all item activity (audit log) on a specific shared mailbox since February 1:

Search-MailboxAuditLog -Identity [emailprotected] -StartDate 2/1/2022 -ShowDetails| ft MailboxOwnerUPN, LogonType, LogonUserDisplayName, Operation,OperationResult, SourceItemSubjectsList,FolderPathName, DestFolderPathName,LastAccessed|ft

Mailbox Audit Logging in Exchange and Microsoft 365 | Windows OS Hub (5)

The search may take quite a long time depending on the number of audit events. The image shows who has deleted an email with the specified subject (the MoveToDeleteItems user action).

Use the Search-Mailbox cmdlet to search for email across all Exchange mailboxes.

You can apply detailed filters to your audit logs. For example, you want to select delete events only (HardDelete, SoftDelete, MoveToDeletedItems) related to non-owner users:

Search-MailboxAuditLog -Identity support [emailprotected] -StartDate 2/2/2022 -EndDate 2/8/2022 –LogonTypes Delegate,Admin -ShowDetails| Where-Object {$_.Operation -like "*Delete*"}|ft MailboxOwnerUPN, LogonType,LogonUserDisplayName,Operation, OperationResult,SourceItemSubjectsList,FolderPathName, DestFolderPathName,LastAccessed|ft

Mailbox Audit Logging in Exchange and Microsoft 365 | Windows OS Hub (6)

To perform an asynchronous search for audit events, the New-MailboxAuditLogSearch cmdlet is used. It causes less load on the mailbox server, runs in the background, allows you to find the information you want among thousands of events effectively, and sends results to the specified mailbox.

You can also search audit logs in Compliance Management->Auditing of the Exchange Admin Center (EAC). You can use the “Run a non-owner mailbox access report” or “Export mailbox audit logs” options.

Mailbox Audit Logging in Exchange and Microsoft 365 | Windows OS Hub (7)

In Exchange Online, you can use either the EAC (a legacy way) or Microsoft 365 Compliance Center (https://compliance.microsoft.com/homepage) to search the audit logs. To search for an event, go to Solutions -> Audit -> Search. Select a period, choose “Moved messages to Deleted Items folder”, “Deleted messages from Deleted Items folder”.

Mailbox Audit Logging in Exchange and Microsoft 365 | Windows OS Hub (8)

You can search the audit logs in the Compliance Center using the Search-UnifiedAuditLog cmdlet.

Also, you can use Exchange audit events to check if an email has been read by the recipient.

Mailbox Audit Logging in Exchange and Microsoft 365 | Windows OS Hub (2025)

FAQs

How do I audit my mailbox access in Office 365? ›

Sign in to the Security & Compliance Center with your Office 365 Admin user account. Select Search & Investigation, and then select Audit log search. Select the activities you want to audit. For example, mailbox activities such as one or more users signing into their mailbox or purging email.

What gets logged in the mailbox audit log? ›

Mailbox actions logged by mailbox audit logging
ActionDescriptionOwner
MessageBindAn item is accessed in the reading pane or opened.No
MoveAn item is moved to another folder.Yes
MoveToDeletedItemsAn item is moved to the Deleted Items folder.Yes
SendAsA message is sent using Send As permissions.No
8 more rows
Feb 21, 2023

How do I export mailbox audit logs from Office 365? ›

Run an audit log search and revise the search criteria if necessary until you have the desired results. On the search results page, select Export. This option exports all the audit records from the audit log search you ran in step 1, and adds the raw data from the audit log to a CSV file.

How can I tell who accessed my Exchange mailbox? ›

How to Detect Who Was Accessing Shared Mailbox in Office 365
  1. Open Exchange Administration Center → Navigate to "Compliance Management" Auditing.
  2. Click "Run a non-owner mailbox access report". ...
  3. To view non-owner access to a specific mailbox Click on a mailbox to view all non-owner access events with the details.

What is the audit log of the mailbox? ›

Mailbox audit logging is turned on by default in all organizations. This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged. The corresponding mailbox audit records are available for admins to search in the mailbox audit log.

How do I know if audit log is enabled in Office 365? ›

Go to the Microsoft 365 Security & Compliance Center. Go to Search and then Audit log search. Click Turn on auditing by clicking the Start recording user and admin activity banner.

How to see exchange audit logs? ›

The underlying cmdlet used to search the audit log is an Exchange Online cmdlet, which is Search-UnifiedAuditLog. That means you can use this cmdlet to search the audit log instead of using the search tool on the Audit page in the compliance portal. You have to run this cmdlet in Exchange Online PowerShell.

How to check mail logs in Office 365? ›

Steps to check email activity using M365 Manager Plus
  1. Go to Audit under Auditing & Monitoring.
  2. Navigate to Exchange Online → Exchange Activity.
  3. Choose a suitable report from the list of reports available.
  4. Select the Domains and Period for report generation.

What does the audit log reveal? ›

Audit logs record the occurrence of an event, the time at which it occurred, the responsible user or service, and the impacted entity. All of the devices in your network, your cloud services, and your applications emit logs that may be used for auditing purposes.

How long are audit logs kept in Office 365? ›

However, logging capabilities are not turned on by default and the retention period for O365 audit logs varies by license type. An audit log retention policy lets you specify how long to retain audit logs in your organization. Logs are kept for 90 or 365 days, or up to 10 years, depending on the license.

Where are Exchange mailbox logs stored? ›

Default location of log files:
  • Mailbox servers: %ExchangeInstallPath%TransportRoles\Logs\MessageTracking : MSGTRK files for the Transport service. MSGTRMD files for the Mailbox Transport Delivery service. ...
  • Transport service on Edge Transport servers: %ExchangeInstallPath%TransportRoles\Logs\MessageTracking.
Feb 21, 2023

How do I monitor my mailbox in Office 365? ›

How to monitor employee emails in Microsoft 365
  1. Navigate to the Reports tab.
  2. Go to the Exchange Online list in the left pane.
  3. Select Mail Traffic Reports > Email Activity by User or any other report as per your requirement.
  4. Enter the Tenant,Domain,and Period of search.
  5. Click Generate Now.

How do I turn on mailbox auditing in Office 365? ›

Enable auditing
  1. Open the Security & Compliance Center.
  2. Click Search & Investigation -> Click Audit log search -> Click Start recording user and admin activity.

How can I see who has access to my mailbox? ›

To check who has delegation access in the new outlook for windows, you can right click on the email account in the left navigation pane >Sharing and permissions. ->In the permissions box, this will show the users who have delegate access to your mailbox. In case you have any further queries, please let me know.

How do I check my Exchange email logs? ›

You can use the Get-MessageTrackingLog cmdlet in the Exchange Management Shell to search for entries in the message tracking log by using specific search criteria. For example: Find out what happened to a message that was sent by a user to a specific recipient.

How do I check my mailbox permissions in Outlook? ›

To check who has delegation access in the new outlook for windows, you can right click on the email account in the left navigation pane >Sharing and permissions.

How do I check my mailbox usage in Office 365 admin? ›

How to get to the mailbox usage report
  1. Go to the Office 365 admin center > Reports.
  2. Select Mailbox usage from the drop down.

Where is manage mailbox permissions Office 365? ›

Modifying Access to a Shared Mailbox Folder

Right-click on Inbox and select Properties…. Select the Permissions tab. Select the individual you wish to modify. Use the Permissions Level: drop down to select the level of access they should have.

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Prof. An Powlowski

Last Updated:

Views: 5895

Rating: 4.3 / 5 (64 voted)

Reviews: 95% of readers found this page helpful

Author information

Name: Prof. An Powlowski

Birthday: 1992-09-29

Address: Apt. 994 8891 Orval Hill, Brittnyburgh, AZ 41023-0398

Phone: +26417467956738

Job: District Marketing Strategist

Hobby: Embroidery, Bodybuilding, Motor sports, Amateur radio, Wood carving, Whittling, Air sports

Introduction: My name is Prof. An Powlowski, I am a charming, helpful, attractive, good, graceful, thoughtful, vast person who loves writing and wants to share my knowledge and understanding with you.