fbpx

Enable mailbox auditing on all users for all Office 365 customer tenants

Enable mailbox auditing on all users for all Office 365 customer tenants

To increase your Office 365 security score, it’s recommended that you enable mailbox auditing for all users. This isn’t switched on by default, however it’s very easy to apply using PowerShell.
Mailbox auditing allows you to track actions that users take within their own and other’s mailboxes. Using this feature, you can search the Office 365 Unified Audit logs by mailbox actions and the users that performed them. You can also set up alerts and receive notifications when a user permanently deletes mail, or sends as another user.

As well as mailbox auditing, we also recommend you enable the Unified Audit Log for your organisation(s). Here’s our guide on how to configure this.

How to enable Office 365 Mailbox Auditing for a single Office 365 tenant

If you’re just managing a single Office 365 tenant, you can connect to Exchange Online via Powershell and run this simple script.

  1. Connect to Exchange Online via PowerShell. See this quick guide for info on how to set this up.
  2. Run the following cmdlet: 
    Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true -AuditOwner MailboxLogin,HardDelete,SoftDelete,Update,Move -AuditDelegate SendOnBehalf,MoveToDeletedItems,Move -AuditAdmin Copy,MessageBind

How to enable Office 365 Mailbox Auditing for all Office 365 customer tenants

If you’re an IT partner managing a number of Office 365 organisations with delegated administration, you can enable mailbox auditing for all your customers’ users in one go.

Run this script using Visual Studio Code or PowerShell ISE. When prompted, sign in with the credentials of a user which has delegated administration access to your customers’ Office 365 tenants.

$ScriptBlock = {Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true -AuditOwner MailboxLogin, HardDelete, SoftDelete, Update, Move -AuditDelegate SendOnBehalf, MoveToDeletedItems, Move -AuditAdmin Copy, MessageBind}

# Establish a PowerShell session with Office 365. You'll be prompted for your Delegated Admin credentials

$Cred = Get-Credential
Connect-MsolService -Credential $Cred 
$customers = Get-MsolPartnerContract -All
Write-Host "Found $($customers.Count) customers for this Partner."

foreach ($customer in $customers) { 

    $InitialDomain = Get-MsolDomain -TenantId $customer.TenantId | Where-Object {$_.IsInitial -eq $true}
    Write-Host "Enabling Mailbox Auditing for $($Customer.Name)"
    $DelegatedOrgURL = "https://ps.outlook.com/powershell-liveid?DelegatedOrg=" + $InitialDomain.Name
    Invoke-Command -ConnectionUri $DelegatedOrgURL -Credential $Cred -Authentication Basic -ConfigurationName Microsoft.Exchange -AllowRedirection -ScriptBlock $ScriptBlock -HideComputerName
}

Enable Mailbox Auditing in Office 365 via PowerShell

How to enable Office 365 Mailbox Auditing for all Office 365 customer tenants with Azure Functions

You can also ensure that all future mailboxes have Mailbox auditing switched on every day using an Azure Function running in the cloud.

Use this guide to set up an Azure Function that connects to Office 365 using the MSOnline Powershell Module.

  • Set it to run once a day using the following timer trigger: 
    0 0 12 * * *
  • Make sure that you’ve set up the encrypted credentials for your delegated admin user, and the MSOnline PowerShell module as per the above guide.
  • Name your function EnableMailboxAuditing, or update the code below to refer to the new name.

Replace the function code with the following:

Write-Output "PowerShell Timer trigger function executed at:$(get-date)";

$FunctionName = 'EnableMailboxAuditing'
$ModuleName = 'MSOnline'
$ModuleVersion = '1.1.166.0'
$username = $Env:user
$pw = $Env:password
#import PS module
$PSModulePath = "D:\home\site\wwwroot\$FunctionName\bin\$ModuleName\$ModuleVersion\$ModuleName.psd1"
$res = "D:\home\site\wwwroot\$FunctionName\bin"

Import-module $PSModulePath
 
# Build Credentials
$keypath = "D:\home\site\wwwroot\$FunctionName\bin\keys\PassEncryptKey.key"
$secpassword = $pw | ConvertTo-SecureString -Key (Get-Content $keypath)
$credential = New-Object System.Management.Automation.PSCredential ($username, $secpassword)
 
# Connect to MSOnline
 
Connect-MsolService -Credential $credential

$ScriptBlock = {Get-Mailbox | Set-Mailbox -AuditEnabled $true -AuditOwner MailboxLogin, HardDelete, SoftDelete, Update, Move -AuditDelegate SendOnBehalf, MoveToDeletedItems, Move -AuditAdmin Copy, MessageBind}

$customers = Get-MsolPartnerContract -All
Write-Output "Found $($customers.Count) customers for this Partner."

foreach ($customer in $customers) { 

    $InitialDomain = Get-MsolDomain -TenantId $customer.TenantId | Where-Object {$_.IsInitial -eq $true}
    Write-Output "Enabling Mailbox Auditing for $($Customer.Name)"
    $DelegatedOrgURL = "https://ps.outlook.com/powershell-liveid?DelegatedOrg=" + $InitialDomain.Name
    Invoke-Command -ConnectionUri $DelegatedOrgURL -Credential $credential -Authentication Basic -ConfigurationName Microsoft.Exchange -AllowRedirection -ScriptBlock $ScriptBlock -HideComputerName
}
Was this article helpful?
Yes No

About The Author

Elliot Munro
Need additional help? Want to be across Microsoft 365 updates and GCITS articles when they're released? Connect with Elliot Munro on LinkedIn here. If you have an Office 365 or Azure issue that you'd like us to take a look at (or have a request for a useful script) send Elliot an email at [email protected]

Related Articles

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

Need Support?

Can't find the answer you're looking for?
Contact Support
Stop SendGrid emails from going to junk for your Office 365 users Set up a quick connection to the Office 365 Security & Compliance Center...