Mailbox auditing

Roger Roger 7,511 Reputation points
2026-03-23T06:26:45.8166667+00:00

Hi All,

I’ve received a requirement from our security team to enable mailbox audit logging with specific actions for different sign-in types (Admin, Delegate, and Owner). Before making any changes, I’d like to review the current audit configuration in Exchange Online.

I have a few questions:

  1. How can I check the current mailbox audit settings across all mailboxes?
  2. How do I differentiate audit actions based on sign-in types:
     • Admin (non-owner access with elevated privileges)
     • Delegate (permissions like Full Access, SendAs, SendOnBehalf)
     • Owner (mailbox owner activity)
  3. Are there recommended PowerShell commands or reports to validate the existing audit actions configured for each sign-in type?

Could you please guide me on:

  • How to verify the current configuration
  • How to enable or update these audit actions if they are not already configured

Additionally, I need to ensure the following audit actions are enabled. Will enabling these generate a significant volume of logs or have any performance impact on mailboxes?

Admin Mailbox Audit: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules

Delegate Mailbox Audit: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules

Owner Mailbox Audit: ApplyRecord, HardDelete, MailItemsAccessed, MoveToDeletedItems, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules

Exchange Online
A cloud-based service included in Microsoft 365, delivering scalable messaging and collaboration features with simplified management and automatic updates.


2 answers

  1. Hin-V 13,215 Reputation points Microsoft External Staff Moderator
    2026-03-23T08:53:19.3433333+00:00

    Hi @Roger Roger

    I understand your concern regarding how mailbox audit logging is managed and ensured within your tenant. 

    For your concerns: 

    To check the current mailbox audit settings across all mailboxes and validate the existing audit actions configured for each sign‑in type

    You could refer to AI's suggestion. Additionally, to obtain a tenant‑wide view of the current audit configuration for all user mailboxes, you can run the following PowerShell commands and export the results to a CSV file for review. 

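    Connect-ExchangeOnline

    # Join the multi-valued audit properties so Export-Csv writes the action names, not a collection type name
    Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Select-Object DisplayName, PrimarySmtpAddress, AuditEnabled,
        @{Name = 'AuditAdmin';    Expression = { $_.AuditAdmin -join ',' }},
        @{Name = 'AuditDelegate'; Expression = { $_.AuditDelegate -join ',' }},
        @{Name = 'AuditOwner';    Expression = { $_.AuditOwner -join ',' }} |
    Export-Csv .\MailboxAuditConfig.csv -NoTypeInformation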
    

    You should check the following: 

    AuditEnabled must be set to True for mailbox auditing to function. 

    The AuditAdmin, AuditDelegate, and AuditOwner parameters define which actions are logged for each sign‑in type. 

    For sign‑in types and how they are differentiated 

    Exchange Online automatically differentiates these sign‑in types in the backend: 

    You can refer to: Manage mailbox auditing | Microsoft Learn

    To enable and update these audit actions 

    To apply the exact long list of actions required by your security team, you must update the mailboxes manually. You can use the following script to fulfill their requirement across all user mailboxes:

    $adminActions    = "ApplyRecord,Create,HardDelete,MailItemsAccessed,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update,UpdateCalendarDelegation,UpdateFolderPermissions,UpdateInboxRules"
    $delegateActions = "ApplyRecord,Create,HardDelete,MailItemsAccessed,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update,UpdateFolderPermissions,UpdateInboxRules"
    $ownerActions    = "ApplyRecord,HardDelete,MailItemsAccessed,MoveToDeletedItems,SoftDelete,Update,UpdateCalendarDelegation,UpdateFolderPermissions,UpdateInboxRules"
     
    Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | 
    ForEach-Object {
        Set-Mailbox -Identity $_.PrimarySmtpAddress -AuditAdmin $adminActions -AuditDelegate $delegateActions -AuditOwner $ownerActions -AuditEnabled $true
    }
    

    Regarding the impact on user mailboxes  

    There is no measurable impact on mailbox performance or user experience. Audit logging is processed by Exchange Online backend services. 

    Some actions, especially MailItemsAccessed, can generate higher log volumes on high‑activity mailboxes. However: 

    Logs are stored outside of the mailbox. 

    They do not consume mailbox quota. 

    This level of logging is standard and recommended for security and compliance monitoring. 

    I hope this helps. 

    Please feel free to correct me if I misunderstood your request. If you have any additional concerns, feel free to comment below. I would be more than happy to assist. 


    1 person found this answer helpful.

  2. Q&A Assist
    2026-03-23T06:27:11.3766667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To verify and configure mailbox auditing per sign-in type (Admin, Delegate, Owner) in Exchange Online, use the mailbox audit properties and the Set-Mailbox cmdlet.

    1. Check current mailbox audit settings

    a. Check whether auditing is enabled

    # PowerShell continues a pipeline when the line ends with "|"; "\" is not a continuation character
    Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
      Select-Object DisplayName,PrimarySmtpAddress,AuditEnabled
    

    b. Check actions configured per sign-in type on a specific mailbox

    # Owner actions
    Get-Mailbox -Identity <MailboxIdentity> | Select-Object -ExpandProperty AuditOwner
    
    # Delegate actions
    Get-Mailbox -Identity <MailboxIdentity> | Select-Object -ExpandProperty AuditDelegate
    
    # Admin actions
    Get-Mailbox -Identity <MailboxIdentity> | Select-Object -ExpandProperty AuditAdmin
    

    Replace <MailboxIdentity> with name, alias, email address, or UPN.

    c. Report audit actions for all mailboxes

    Example to export current configuration for review:

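    # -join flattens each multi-valued audit property so the CSV lists the action names
    Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
      Select-Object DisplayName,PrimarySmtpAddress,AuditEnabled,
        @{n='AuditAdmin';e={$_.AuditAdmin -join ','}}, @{n='AuditDelegate';e={$_.AuditDelegate -join ','}},
        @{n='AuditOwner';e={$_.AuditOwner -join ','}} |
      Export-Csv .\MailboxAuditConfig.csv -NoTypeInformation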
    

    This gives a tenant-wide view of which actions are configured for each sign-in type.

    2. Sign-in types and how they are differentiated

    Mailbox auditing distinguishes sign-in types as follows:

    • Owner: the mailbox owner account.
    • Delegate:
      • Users with SendAs, SendOnBehalf, or FullAccess permissions to the mailbox.
      • Admins with FullAccess to the mailbox are also treated as delegates.
    • Admin:
      • Mailbox searched via eDiscovery in Microsoft Purview or In-Place eDiscovery in Exchange Online.
      • Mailbox accessed via Microsoft Exchange Server MAPI Editor.
      • Mailbox accessed via an account using ApplicationImpersonation.

    These sign-in types map directly to the AuditAdmin, AuditDelegate, and AuditOwner properties on the mailbox.

    3. Recommended PowerShell to validate existing actions

    For a quick validation sample across all user mailboxes:

    # End the line with "|" to continue the pipeline
    Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
      Select-Object DisplayName,AuditAdmin,AuditDelegate,AuditOwner
    

    For a specific mailbox, use the Select-Object -ExpandProperty examples above to see the exact action list per sign-in type.

    4. Enable or update audit actions

    a. Enable mailbox audit logging on a single mailbox

    Set-Mailbox -Identity "Ben Smith" -AuditEnabled $true
    

    b. Enable mailbox audit logging on all user mailboxes

    # Enable auditing on every user mailbox, addressing each one by its primary SMTP address
    Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
      Select-Object PrimarySmtpAddress |
      ForEach-Object { Set-Mailbox -Identity $_.PrimarySmtpAddress -AuditEnabled $true }
    

    c. Configure actions per sign-in type on a mailbox

    Use the AuditAdmin, AuditDelegate, and AuditOwner parameters. Examples from the documentation:

    # Configure admin actions
    Set-Mailbox -Identity "Ben Smith" -AuditAdmin MessageBind,FolderBind -AuditEnabled $true
    
    # Configure delegate actions
    Set-Mailbox -Identity "Ben Smith" -AuditDelegate SendAs,SendOnBehalf -AuditEnabled $true
    
    # Configure owner actions
    Set-Mailbox -Identity "Ben Smith" -AuditOwner HardDelete -AuditEnabled $true
    

    To apply your required sets (substitute your full action lists):

    $adminActions    = "ApplyRecord,Create,HardDelete,MailItemsAccessed,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update,UpdateCalendarDelegation,UpdateFolderPermissions,UpdateInboxRules"
    $delegateActions = "ApplyRecord,Create,HardDelete,MailItemsAccessed,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update,UpdateFolderPermissions,UpdateInboxRules"
    $ownerActions    = "ApplyRecord,HardDelete,MailItemsAccessed,MoveToDeletedItems,SoftDelete,Update,UpdateCalendarDelegation,UpdateFolderPermissions,UpdateInboxRules"
    
    Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    ForEach-Object {
        # A trailing backtick continues the command onto the next line
        Set-Mailbox -Identity $_.PrimarySmtpAddress `
          -AuditAdmin $adminActions `
          -AuditDelegate $delegateActions `
          -AuditOwner $ownerActions `
          -AuditEnabled $true
    }
    

    (Adjust scope and action lists as required; the pattern is what matters.)

    5. Log volume and performance considerations

    From the Exchange Server mailbox auditing guidance:

    • When mailbox audit logging is enabled, actions for Admin, Delegate, and Owner are logged according to the configured lists.
    • Auditing of mailbox owner actions is disabled by default because it can generate a large number of audit log entries.
    • The recommendation is to enable only the specific owner actions required for business or compliance needs.

    Given that owner activity is typically much higher than admin or delegate activity, enabling many owner actions (especially high-frequency ones like Update, MoveToDeletedItems, MailItemsAccessed) will significantly increase log volume. This is why the documentation cautions that owner auditing can generate a large number of entries and should be scoped to required actions only.

    Entries are retained for 90 days by default in Exchange Server; retention and storage behavior in Exchange Online is managed by the service. The documentation does not describe a direct performance degradation on mailboxes, but the explicit warning about owner auditing volume should be treated as a signal to:

    • Limit owner actions to those strictly required.
    • Pilot the configuration on a subset of mailboxes first.
    • Monitor log volume and any operational impact.

    6. Quick verification checklist

    After configuration:

    1. Confirm auditing is enabled:
         Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
           Select-Object DisplayName,AuditEnabled

    2. Confirm action sets:
         Get-Mailbox -Identity <MailboxIdentity> |
           Select-Object AuditAdmin,AuditDelegate,AuditOwner

    3. Optionally export to CSV for security team review as shown earlier.

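Added example, not part of either answer above: a drift check that reports, per mailbox and sign-in type, which of the required actions from the question are missing from the current AuditAdmin, AuditDelegate and AuditOwner values. `Get-AuditActionGap` is a hypothetical helper name and the two sample mailboxes are constructed so the block runs without a tenant connection.

```powershell
# Required action sets, copied from the question.
$required = @{
    AuditAdmin    = 'ApplyRecord,Create,HardDelete,MailItemsAccessed,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update,UpdateCalendarDelegation,UpdateFolderPermissions,UpdateInboxRules' -split ','
    AuditDelegate = 'ApplyRecord,Create,HardDelete,MailItemsAccessed,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update,UpdateFolderPermissions,UpdateInboxRules' -split ','
    AuditOwner    = 'ApplyRecord,HardDelete,MailItemsAccessed,MoveToDeletedItems,SoftDelete,Update,UpdateCalendarDelegation,UpdateFolderPermissions,UpdateInboxRules' -split ','
}

# Hypothetical helper (not an Exchange cmdlet): emits one row per mailbox and
# sign-in type that has auditing disabled or lacks a required action.
function Get-AuditActionGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [Parameter(Mandatory)] [hashtable] $Required
    )
    process {
        foreach ($prop in 'AuditAdmin', 'AuditDelegate', 'AuditOwner') {
            # Normalise: the value may be a collection or a single comma-separated string.
            $current = @($Mailbox.$prop) -split ',' |
                ForEach-Object { "$_".Trim() } | Where-Object { $_ }
            $missing = @($Required[$prop] | Where-Object { $_ -notin $current })
            if (-not $Mailbox.AuditEnabled -or $missing.Count -gt 0) {
                [pscustomobject]@{
                    Mailbox      = $Mailbox.PrimarySmtpAddress
                    SignInType   = $prop -replace '^Audit'
                    AuditEnabled = [bool]$Mailbox.AuditEnabled
                    Missing      = $missing -join ','
                }
            }
        }
    }
}

# Constructed sample objects standing in for Get-Mailbox output.
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@example.test'; AuditEnabled = $true
        AuditAdmin = $required.AuditAdmin; AuditDelegate = $required.AuditDelegate; AuditOwner = $required.AuditOwner }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@example.test'; AuditEnabled = $true
        AuditAdmin = $required.AuditAdmin; AuditDelegate = 'SendAs', 'SendOnBehalf'; AuditOwner = 'HardDelete' }
)

# Compliant mailboxes produce no rows; bob is reported for Delegate and Owner.
$sample | Get-AuditActionGap -Required $required | Format-Table -AutoSize -Wrap

# Against a tenant, pipe the real objects in instead of $sample:
# Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Get-AuditActionGap -Required $required
```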
