Skip to content

Prerequisites

Make sure your system fits the description below before starting the installation.

Permissions

The Office365 Exchange Online service uses a similar permission model as the equivalent Exchange On-Premises.

Exchange Online requires an Azure application to be created.

Activity Monitoring

By default, auditing is enabled for all new mailboxes with many mailbox event types already enabled. To see a list of all Owner, Delegate, and Admin event types, refer to the Configuring Activity Monitoring section.

Specific Mailbox Auditing Configuration

If needing to capture additional event types, complete the actions described in the sections below.

Warning

Each event type will need to be added per mailbox.

Exchange Online PowerShell Module

This section contains some powershell scripts that can be used to modify your mailbox auditing configuration. To run these commands, you must use the Exchange powershell module. To install on local computer, run:

Install-Module -Name 'ExchangeOnlineManagement' -RequiredVersion 3.4.0

To use the module without installing it, run the following commands:

mkdir Modules

Save-Module -Name ExchangeOnlineManagement -RequiredVersion 3.4.0 -Path .\Modules\ Import-Module -Name .\Modules\ExchangeOnlineManagement\

Resetting Mailbox Auditing Configuration Defaults

If you feel that your mailbox auditing configuration may have been altered and you want to reset all mailboxes to their default configuration and ensure they are all enabled, run the following powershell script:

Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox | Select-Object UserPrincipalName | Foreach-Object { Set-Mailbox -Identity "$($_.UserPrincipalName)" -AuditEnabled $true -DefaultAuditSet Owner,Delegate,Admin }

Modifying Mailbox Event Types to Audit

To add additional event types to audit, such as those that are not enabled by default, use the add syntax with Set-Mailbox. For example, the following script adds several event types for every mailbox that are not enabled by default:

Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

Select-Object UserPrincipalName | Foreach-Object {

Set-Mailbox -Identity "$($_.UserPrincipalName)" -AuditOwner @{add="AddFolderPermissions","MailboxLogin","RemoveFolderPermissions"} -AuditDelegate @{add="AddFolderPermissions","Move","RecordDelete","RemoveFolderPermissions"} -AuditAdmin @{add="AddFolderPermissions","RecordDelete","RemoveFolderPermissions"}

}

To remove event types from being audited, use the same command, but with the remove instead of add. For example, the following script removes the event “UpdateInboxRules” from being audited:

Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

Select-Object UserPrincipalName | Foreach-Object { Set-Mailbox -Identity "$($_.UserPrincipalName)" -AuditOwner @{remove="UpdateInboxRules"} -AuditDelegate @{remove="UpdateInboxRules"} -AuditAdmin @{remove="UpdateInboxRules"}

}

Configuration for New Mailboxes

Newly created mailboxes will have the default Microsoft auditing configuration. If you are modifying the mailbox event types, then you need to onboard new mailboxes in the same way.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.