Run a Non-Owner Mailbox Access Report
Applies to: Office 365 for professionals and small businesses, Office 365 for enterprises, Live@edu
The Non-Owner Mailbox Access Report in the Exchange Control Panel lists the mailboxes that have been accessed by someone other than the person who owns the mailbox. When a mailbox is accessed by a non-owner, Exchange Online logs information about this action in a mailbox audit log that is stored as an e-mail message in a hidden folder in the mailbox being audited. Entries from this log are displayed as search results and include a list of mailboxes accessed by a non-owner, who accessed the mailbox and when, the actions performed by the non-owner, and whether the action was successful. Entries in the mailbox audit log are retained for 90 days by default.
This topic explains the following:
- Why would you need to know about non-owner mailbox access?
- Before you can run a mailbox auditing report
- What are the types of non-owner access?
- What gets logged in the mailbox audit log?
- Run a non-owner mailbox access report
Why would you need to know about non-owner mailbox access?
- Cloud-based organizations want to ensure that their mailbox data isn't being accessed by Microsoft datacenter personnel.
- You want to enforce compliance and privacy regulations by monitoring actions performed on mailbox data by non-owners.
- You need to be prepared to provide information relevant to legal cases, such as showing the state of mailbox data at a given time, who sent e-mail from a mailbox, and if a particular person viewed mailbox data.
- You need to identify unauthorized access to mailbox data by users inside and outside your organization.
Before you can run a non-owner mailbox access report
You have to enable mailbox audit logging for each mailbox that you want to run a non-owner mailbox access report for. If mailbox audit logging isn't enabled, you won't get any results when you run a report.
To enable mailbox audit logging for a single mailbox, run the following Windows PowerShell command:
```powershell
Set-Mailbox <Identity> -AuditEnabled $true
```
For example, to enable mailbox auditing for a user named Florence Flipo, run the following command:
Set-Mailbox "Florence Flipo" -AuditEnabled $true
To enable mailbox auditing for all user mailboxes in your organization, run the following commands:
```powershell
# -ResultSize Unlimited avoids the default cap on returned objects, so mailboxes
# in large organizations are not silently skipped
$UserMailboxes = Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
$UserMailboxes | ForEach-Object {Set-Mailbox $_.Identity -AuditEnabled $true}
```
What are the types of non-owner access?
When you enable mailbox audit logging for a mailbox, Microsoft Exchange logs specific actions by non-owners. Non-owners are administrators and users who have been assigned permissions to the mailbox (called delegated users). You can also narrow the search to users inside or outside your organization.
What gets logged in the mailbox audit log?
When you run a non-owner mailbox access report, entries from the mailbox audit log are displayed in the search results in the Exchange Control Panel. Each report entry contains this information:
- Who accessed the mailbox and when
- The actions performed by the non-owner
- The affected message and its folder location
- Whether the action was successful
The following table describes the types of action logged, and whether these actions are logged by default for access by administrators and for access by delegated users. If you want to track actions that aren't logged by default, you have to use Windows PowerShell to enable logging of those actions.
Action | Description | Administrators | Delegated users |
---|---|---|---|
Update | A message was changed. | Yes | Yes |
Copy | A message was copied to another folder. | No | No |
Move | A message was moved to another folder. | Yes | No |
Move To Deleted Items | A message was moved to the Deleted Items folder. | Yes | No |
Soft-delete | A message was deleted from the Deleted Items folder. | Yes | Yes |
Hard-delete | A message is purged from the Recoverable Items folder. For more information, see Recover Deleted Items. | Yes | Yes |
FolderBind | A mailbox folder was accessed. | Yes | No |
Send as | A message was sent using SendAs permission. This means another user sent the message as though it came from the mailbox owner. | Yes | Yes |
Send on behalf of | A message is sent using SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message will indicate to the recipient who the message was sent on behalf of and who actually sent the message. | Yes | No |
MessageBind | A message is viewed in the preview pane or opened. | No | No |
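The following is an added example, not part of the original page, showing how to turn on logging for the actions that the table marks as not logged by default, using the `-AuditAdmin` and `-AuditDelegate` parameters of `Set-Mailbox`. It assumes an established remote PowerShell session to Exchange Online and reuses the page's own sample mailbox name, "Florence Flipo". The 180-day retention value is an illustrative choice (the page states a 90-day default).

```powershell
# Added example: extend mailbox audit logging beyond the default action set
# for one mailbox, then read the configuration back to confirm it.
# Assumes a connected Exchange Online remote PowerShell session.
$mailbox = "Florence Flipo"   # sample mailbox name from the page

# Action names correspond to the rows of the table above. Copy and MessageBind
# are logged for nobody by default; Move, MoveToDeletedItems, FolderBind and
# SendOnBehalf are logged for administrators but not for delegated users.
$adminActions = 'Update','Copy','Move','MoveToDeletedItems','SoftDelete',
                'HardDelete','FolderBind','SendAs','SendOnBehalf','MessageBind'

# Copy and MessageBind are administrator-only actions, so they are left out of
# the delegate list.
$delegateActions = 'Update','Move','MoveToDeletedItems','SoftDelete',
                   'HardDelete','FolderBind','SendAs','SendOnBehalf'

Set-Mailbox -Identity $mailbox `
    -AuditEnabled $true `
    -AuditAdmin $adminActions `
    -AuditDelegate $delegateActions `
    -AuditLogAgeLimit "180.00:00:00"   # keep entries 180 days instead of the 90-day default (assumed value)

# Verify: a report only shows what the mailbox is configured to log, so check
# the settings rather than assuming the command took effect.
Get-Mailbox -Identity $mailbox |
    Format-List AuditEnabled, AuditAdmin, AuditDelegate, AuditLogAgeLimit
```

MessageBind and FolderBind fire on every message view and folder open, so enabling them on many mailboxes increases audit volume considerably; enable them where the compliance requirement actually calls for read tracking and verify that the retention period still covers the window you need to report on.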
Run a non-owner mailbox access report
- Select Manage My Organization > Roles & Auditing > Auditing.
- Click Run a non-owner mailbox access report.
Microsoft Exchange runs the report for non-owner access to any mailboxes in the organization in the past two weeks. The mailboxes listed in the search results have been enabled for mailbox audit logging.
- To view non-owner access for a specific mailbox, under Search Results, select the mailbox. View the search results in the details pane.
Want to narrow the search results?
Select the start date, end date, or both, and select specific mailboxes to search. Click Search to re-run the report.
Note: To access and run any of the reports on the Auditing Reports tab in the Exchange Control Panel, a user has to be assigned the necessary permissions. For more information, see the "Give users access to Auditing Reports" section of Use Auditing Reports in Exchange Online.
Search for specific types of non-owner access
You can specify the type of non-owner access, also called the logon type, to search for. Here are your options:
- All non-owners: Search for access by administrators and delegated users inside your organization, and by Microsoft datacenter administrators.
- External users: Search for access by Microsoft datacenter administrators.
- Administrators and delegated users: Search for access by administrators and delegated users inside your organization.
- Administrators: Search for access by administrators in your organization.
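The following is an added example, not part of the original page, that produces the same information as the Exchange Control Panel report from PowerShell with the `Search-MailboxAuditLog` cmdlet. The cmdlet's logon types map onto the report's options above: `Admin` for administrators in your organization, `Delegate` for delegated users, and `External` for Microsoft datacenter administrators. It assumes a connected Exchange Online remote PowerShell session, that audit logging is already enabled on the mailbox, and it reuses the page's sample mailbox name "Florence Flipo".

```powershell
# Added example: run a non-owner mailbox access report from PowerShell.
# Assumes a connected Exchange Online remote PowerShell session and a mailbox
# with audit logging enabled ("Florence Flipo" is the page's sample name).

# Same window the Exchange Control Panel uses by default: the past two weeks.
$start = (Get-Date).AddDays(-14)
$end   = Get-Date

# -ShowDetails returns one entry per logged action (who, when, what, result).
# Selecting all three logon types corresponds to the "All non-owners" option.
$entries = Search-MailboxAuditLog -Identity "Florence Flipo" `
    -LogonTypes Admin,Delegate,External `
    -StartDate $start -EndDate $end `
    -ShowDetails -ResultSize 1000

# Full view: the same fields the report shows, oldest entry first.
$entries |
    Sort-Object LastAccessed |
    Format-Table LastAccessed, LogonUserDisplayName, LogonType, Operation,
                 OperationResult, FolderPathName, ItemSubject, ClientInfoString -AutoSize

# Triage view: actions that failed, plus the two actions with the highest
# impact for a mailbox owner (mail sent in their name, items purged).
$highImpact = 'SendAs','HardDelete'
$entries |
    Where-Object { $_.OperationResult -ne 'Succeeded' -or $highImpact -contains $_.Operation } |
    Format-Table LastAccessed, LogonUserDisplayName, LogonType, Operation,
                 OperationResult, ItemSubject -AutoSize

# Summary: how many actions each non-owner performed, which is the quickest
# way to spot an account that touched a mailbox far more often than expected.
$entries |
    Group-Object LogonUserDisplayName, LogonType |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

To search several mailboxes at once, pass them to the `-Mailboxes` parameter instead of `-Identity`; that form returns a per-mailbox summary rather than the detailed entries, which is how the Control Panel's initial organization-wide view behaves. As with the Control Panel report, a mailbox that has `AuditEnabled` set to `$false` simply returns nothing, so an empty result is worth checking against the mailbox configuration before concluding that no non-owner access occurred.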