Share via

Export Mailbox Audit Logs

  • Article

Applies to: Office 365 for professionals and small businesses, Office 365 for enterprises, Live@edu

When mailbox auditing is enabled for a mailbox, Microsoft Exchange logs information in the mailbox audit log whenever a user other than the owner accesses the mailbox. Each log entry includes information about who accessed the mailbox and when, the actions performed by the non-owner, and whether the action was successful. Entries in the mailbox audit log are retained for 90 days by default. You can use the mailbox audit log to determine if a user other than the owner has accessed a mailbox.

When you export entries from mailbox audit logs, Microsoft Exchange saves the entries in an XML file and attaches it to an e-mail message sent to the specified recipients.

This topic explains the following:

  • Configure mailbox audit logging
  • Export the mailbox audit log
  • View the mailbox audit log

Configure mailbox audit logging

You have to enable mailbox audit logging on each mailbox that you want to audit before you can export and view mailbox audit logs. You also have to configure Outlook Web App to allow XML attachments.

Enable mailbox audit logging

You have to enable mailbox audit logging for each mailbox that you want to run a non-owner mailbox access report for. If mailbox audit logging isn't enabled for a mailbox, you won't get any results for it when export the mailbox audit log.

To enable mailbox audit logging for a single mailbox, run the following PowerShell command:

Set-Mailbox <Identity> -AuditEnabled $true

To enable mailbox auditing for all user mailboxes in your organization, run the following commands:

$UserMailboxes = Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

Configure Outlook Web App to allow XML attachments

When you export the mailbox audit log, Microsoft Exchange attaches the audit log, which is an XML file, to an e-mail message. However, Outlook Web App blocks XML attachments by default. You have to configure Outlook Web App to allow XML attachments so that you can access the exported audit log.

Run the following command to allow XML attachments in Outlook Web App:

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes '.rpmsg','.xlsx','.xlsm','.xlsb','.tiff','.pptx','.pptm','.ppsx','.ppsm','.docx','.docm','.zip','.xls','.wmv','.wma','.wav','.vsd','.txt','.tif','.rtf','.pub','.ppt','.png','.pdf','.one','.mp3','.jpg','.gif','.doc','.bmp','.avi','.xml'

Export the mailbox audit log

  1. Select Manage My Organization > Roles & Auditing > Auditing.
  2. Click Export the mailbox audit log.
  3. Configure the following search criteria for exporting the entries from the mailbox audit log:
    • Start and end dates   Select the date range for the entries to include in the exported file.
    • Mailboxes to search audit log for   Select the mailboxes to retrieve audit log entries for.
    • Type of non-owner access   Select one of the following options to define the type of non-owner access to retrieve entries for:
      • All non-owners   Search for access by administrators and delegated users inside your organization, and by Microsoft datacenter administrators.
      • External users   Search for access by Microsoft datacenter administrators.
      • Administrators and delegated users   Search for access by administrators and delegated users inside your organization.
      • Administrators   Search for access by administrators in your organization.
    • Recipients   Select the users to send the mailbox audit log to.
  4. Click Export.
    Microsoft Exchange retrieves entries in the mailbox audit log that meet your search criteria, saves them to a file named SearchResult.xml, and then attaches the XML file to an e-mail message sent to the recipients that you specified.
  5. Click Export.
    Microsoft Exchange retrieves entries in the administrator audit log that meet your search criteria, saves them to a file named SearchResult.xml, and then attaches the XML file to an e-mail message sent to the recipients that you specified.

Note To access and run any of the reports on the Auditing Reports tab in the Exchange Control Panel, a user has to be assigned the necessary permissions. For more information, see the "Give users access to Auditing Reports" section of Use Auditing Reports in Exchange Online.

View the mailbox audit log

To open or save the SearchResult.xml file:

  1. Sign in to the mailbox where the mailbox audit log was sent.
  2. In the Inbox, open the message with the XML file attachment sent by Microsoft Exchange. Notice that the body of the e-mail message contains the search criteria.
  3. Click the attachment and select to open or save the XML file.

Entries in the mailbox audit log

The following example shows an entry from the mailbox audit log contained in the SearchResult.xml file. Each entry is preceded by the <Event> XML tag and ends with the </Event> XML tag. This entry shows that the administrator purged the message with the subject, "Notification of litigation hold" from the Recoverable Items folder in tamaraj's mailbox on April 30, 2010.

<Event MailboxGuid="6d4fbdae-e3ae-4530-8d0b-f62a14687939" 
  Owner="PPLNSL-dom\tamaraj50001-1363917750" 
  LastAccessed="2010-04-30T11:01:55.140625-07:00" 
  Operation="HardDelete" 
  OperationResult="Succeeded" 
  LogonType="Admin"
 FolderId="0000000073098C3277988F4CB882F5B82EBF64610100A7C317F68C24304BBD18ABE1F185E79B00000026BD4F0000"
  FolderPathName="\Recoverable Items\Deletions"
  ClientInfoString="Client=OWA;Action=ViaProxy" 
  ClientIPAddress="10.196.241.168" 
  InternalLogonType="Owner"
  MailboxOwnerUPN=tamaraj@contoso.com
  MailboxOwnerSid="S-1-5-21-290112810-296651436-1966561949-1151" 
  CrossMailboxOperation="false" 
  LogonUserDN="Administrator"
  LogonUserSid="S-1-5-21-290112810-296651436-1966561949-1149">
  <SourceItems>
   <ItemId="0000000073098C3277988F4CB882F5B82EBF64610700A7C317F68C24304BBD18ABE1F185E79B00000026BD4F0000A7C317F68C24304BBD18ABE1F185E79B00000026BD540"
    Subject="Notification of litigation hold"
    FolderPathName="\Recoverable Items\Deletions" /> 
  </SourceItems>
</Event>

Useful fields in the mailbox audit log

Watch for these fields. They can help you identify specific information about each instance of non-owner access of a mailbox.

Field Description

Owner

The owner of the mailbox that was accessed by a non-owner.

LastAccessed

The date and time when the mailbox was accessed.

Operation

The action that was performed by the non-owner. For more information, see the " What gets logged in the mailbox audit log?" section in Run a Non-Owner Mailbox Access Report

OperationResult

Whether the action performed by the non-owner succeeded or failed.

LogonType

The type of non-owner access. These include administrator, delegate, and external.

FolderPathName

The name of the folder that contained the message that was affected by the non-owner.

ClientInfoString

Information about the mail client used by the non-owner to access the mailbox.

ClientIPAddress

The IP address of the computer used by the non-owner to access the mailbox.

InternalLogonType

The logon type of the account used by the non-owner to access this mailbox.

MailboxOwnerUPN

The e-mail address of the mailbox owner.

LogonUserDN

The display name of the non-owner.

Subject

The subject line of the e-mail message that was affected by the non-owner.