April 4, 2019

Exchange Mailbox Auditing has now been enabled by default and rolled out worldwide, with the rollout to Unified Audit Log in Security and Compliance Center still in progress. If you are an Office 365 Customer, you should be able to search and retrieve your audit data with Search-MailboxAuditLog.  

 

As part of this change, we are also introducing the DefaultAuditSet parameter which would help you get back to the default set of verbs. DefaultAuditSet can be used to set the different action sets (Owner, Admin, Delegate) back to the service default audit events on a per-mailbox basis. 

 

As an example, If you want to bring Owner action sets back to default for a mailbox which was on custom events for all action sets, you perform the following operations:  

 

Set-Mailbox [username] -DefaultAuditSet Owner 

 

Now if you verify this through Get-Mailbox, you will be able to see that AuditOwner is set to the default set of actions:  

 

Get-Mailbox [username] | fl AuditOwner, AuditAdmin, AuditDelegate 

Output: 

AuditOwner      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, UpdateFolderPermissions, UpdateInboxRules, UpdateCalendarDelegation} 

AuditAdmin      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, 

                                UpdateCalendarDelegation} 

AuditDelegate   : {Move} 

 

To remove a mailbox from the default audit set event, you can go ahead, and add custom actions to the mailbox. This would remove it from the default set of actions. However, this would also mean, that any future audit events added to the default set would not be available automatically by default, and would need to be added manually.  

 

Find more information:

You May Also Like…