Manage mailbox auditing

Starting in January 2019, Microsoft is turning on mailbox audit logging by default for all organizations. This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged, and the corresponding mailbox audit records will be available when you search for them in the mailbox audit log. Before mailbox auditing was turned on by default, you had to manually enable it for every user mailbox in your organization.

Here are some benefits of mailbox auditing on by default:

  • Auditing is automatically enabled when you create a new mailbox. You don't need to manually enable it for new users.

  • You don't need to manage the mailbox actions that are audited. A predefined set of mailbox actions is audited by default for each logon type (Admin, Delegate, and Owner).

  • When Microsoft releases a new mailbox action, the action might be automatically added to the list of mailbox actions that are audited by default (subject to the user having the appropriate license). This means you don't need to monitor for or add new actions on mailboxes.

  • You have a consistent mailbox auditing policy across your organization (because you're auditing the same actions for all mailboxes).

Note

  • The important thing to remember about the release of mailbox auditing on by default is: you don't need to do anything to manage mailbox auditing. However, to learn more, customize mailbox auditing from the default settings, or turn it off altogether, this topic can help you.
  • By default, only mailbox audit events for E5 users are available in audit log searches in the Security & Compliance Center or via the Office 365 Management Activity API. For more information, see the More information section in this topic.

Verify mailbox auditing on by default is turned on

To verify that mailbox auditing on by default is turned on for your organization, run the following command in Exchange Online PowerShell:

Get-OrganizationConfig | Format-List AuditDisabled

The value False indicates that mailbox auditing on by default is enabled for the organization. This on by default organizational value overrides the mailbox auditing setting on specific mailboxes. For example, if mailbox auditing is disabled for a mailbox (the AuditEnabled property is False on the mailbox), the default mailbox actions will still be audited for the mailbox, because mailbox auditing on by default is enabled for the organization.

To keep mailbox auditing disabled for specific mailboxes, you configure mailbox auditing bypass for the mailbox owner and other users who have been delegated access to the mailbox. For more information, see the Bypass mailbox audit logging section in this topic.

Note

When mailbox auditing on by default is turned on for the organization, the AuditEnabled property for affected mailboxes won't be changed from False to True. In other words, mailbox auditing on by default ignores the AuditEnabled property on mailboxes.

Supported mailbox types

The following table shows the mailbox types that are currently supported by mailbox auditing on by default:

Mailbox type Supported Not supported
User mailboxes Check mark
Shared mailboxes Check mark
Microsoft 365 Group mailboxes Check mark
Resource mailboxes Check mark
Public folder mailboxes Check mark

Logon types and mailbox actions

Logon types classify the user that did the audited actions on the mailbox. The following list describes the logon types that are used in mailbox audit logging:

  • Owner: The mailbox owner (the account that's associated with the mailbox).

  • Delegate:

    • A user who's been assigned the SendAs, SendOnBehalf, or FullAccess permission to another mailbox.

    • An admin who's been assigned the FullAccess permission to a user's mailbox.

  • Admin:

    • The mailbox is searched with one of the following Microsoft eDiscovery tools:

      • Content Search in the Compliance center.

      • eDiscovery or Advanced eDiscovery in the Compliance center.

      • In-Place eDiscovery in Exchange Online.

    • The mailbox is accessed by using the Microsoft Exchange Server MAPI Editor.

Mailbox actions for user mailboxes and shared mailboxes

The following table describes the mailbox actions that are available in mailbox audit logging for user mailboxes and shared mailboxes.

  • A check mark (Check mark) indicates the mailbox action can be logged for the logon type (not all actions are available for all logon types).

  • An asterisk ( * ) after the check mark indicates the mailbox action is logged by default for the logon type.

  • Remember, an admin with Full Access permission to a mailbox is considered a delegate.

Mailbox action Description Admin Delegate Owner
AddFolderPermissions Note: Although this value is accepted as a mailbox action, it's already included in the UpdateFolderPermissions action and isn't audited separately. In other words, don't use this value.
ApplyRecord An item is labeled as a record. Check mark Check mark Check mark
Copy A message was copied to another folder. Check mark
Create An item was created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox (for example, a new meeting request is created). Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder is not audited. Check mark* Check mark* Check mark
Default Check mark Check mark Check mark
FolderBind A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox. Note: Audit records for folder bind actions performed by delegates are consolidated. One audit record is generated for individual folder access within a 24-hour period. Check mark Check mark
HardDelete A message was purged from the Recoverable Items folder. Check mark* Check mark* Check mark*
MailItemsAccessed Mail data is accessed by mail protocols and clients. This value is only available for E5 or E5 Compliance add-on subscription users. For details, see Access to crucial events for investigations. Check mark* Check mark* Check mark*
MailboxLogin The user signed into their mailbox. Check mark
MessageBind A message was viewed in the preview pane or opened by an admin. Note: Although this value is accepted as a mailbox action, these actions are no longer logged. Check mark
ModifyFolderPermissions Note: Although this value is accepted as a mailbox action, it's already included in the UpdateFolderPermissions action and isn't audited separately. In other words, don't use this value.
Move A message was moved to another folder. Check mark Check mark Check mark
MoveToDeletedItems A message was deleted and moved to the Deleted Items folder. Check mark* Check mark* Check mark*
RecordDelete An item that's labeled as a record was soft-deleted (moved to the Recoverable Items folder). Items labeled as records can't be permanently deleted (purged from the Recoverable Items folder). Check mark Check mark Check mark
RemoveFolderPermissions Note: Although this value is accepted as a mailbox action, it's already included in the UpdateFolderPermissions action and isn't audited separately. In other words, don't use this value.
Send The user sends an email message, replies to an email message, or forwards an email message. This value is only available for E5 or E5 Compliance add-on subscription users. For details, see Access to crucial events for investigations. Check mark* Check mark* Check mark*
SendAs A message was sent using the SendAs permission. This means another user sent the message as though it came from the mailbox owner. Check mark* Check mark*
SendOnBehalf A message was sent using the SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message. Check mark* Check mark*
SoftDelete A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder. Check mark* Check mark* Check mark*
Update A message or its properties was changed. Check mark* Check mark* Check mark*
UpdateCalendarDelegation A calendar delegation was assigned to a mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar. Check mark* Check mark*
UpdateComplianceTag A different retention label is applied to a mail item (an item can only have one retention label assigned to it). Check mark Check mark Check mark
UpdateFolderPermissions A folder permission was changed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders. Check mark* Check mark* Check mark*
UpdateInboxRules An inbox rule was added, removed, or changed. Inbox rules are used to process messages in the user's Inbox based on the specified conditions and take actions when the conditions of a rule are met, such as moving a message to a specified folder or deleting a message. Check mark* Check mark* Check mark*

Important

If you customized the mailbox actions to audit for any logon type before mailbox auditing on by default was enabled in your organization, the customized settings are preserved on the mailbox and aren't overwritten by the default mailbox actions as described in this section. To revert the audit mailbox actions to their default values (which you can do at any time), see the Restore the default mailbox actions section later in this topic.

Mailbox actions for Microsoft 365 Group mailboxes

Mailbox auditing on by default brings mailbox audit logging to Microsoft 365 Group mailboxes, but you can't customize what's being logged (you can't add or remove mailbox actions that are logged for any logon type).

The following table describes the mailbox actions that are logged by default on Microsoft 365 Group mailboxes for each logon type.

Remember, an admin with Full Access permission to a Microsoft 365 Group mailbox is considered a delegate.

Mailbox action Description Admin Delegate Owner
Create Creation of a calendar item. Creating, sending, or receiving a message isn't audited. Check mark* Check mark*
HardDelete A message was purged from the Recoverable Items folder. Check mark* Check mark* Check mark*
MoveToDeletedItems A message was deleted and moved to the Deleted Items folder. Check mark* Check mark* Check mark*
SendAs A message was sent using the SendAs permission. Check mark* Check mark*
SendOnBehalf A message was sent using the SendOnBehalf permission. Check mark* Check mark*
SoftDelete A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder. Check mark* Check mark* Check mark*
Update A message or its properties was changed. Check mark* Check mark* Check mark*

Verify that default mailbox actions are being logged for each logon type

Mailbox auditing on by default adds a new DefaultAuditSet property to all mailboxes. The value of this property indicates whether the default mailbox actions (managed by Microsoft) are being audited on the mailbox.

To display the value on user mailboxes or shared mailboxes, replace <MailboxIdentity> with the name, alias, email address, or user principal name (username) of the mailbox and run the following command in Exchange Online PowerShell:

Get-Mailbox -Identity <MailboxIdentity> | Format-List DefaultAuditSet

To display the value on Microsoft 365 group mailboxes, replace <MailboxIdentity> with the name, alias, or email address of the shared mailbox and run the following command in Exchange Online PowerShell:

Get-Mailbox -Identity <MailboxIdentity> -GroupMailbox | Format-List DefaultAuditSet

The value Admin, Delegate, Owner indicates:

  • The default mailbox actions for all three logon types are being audited. This is the only value you'll see on Microsoft 365 Group mailboxes.

  • An admin has not changed the audited mailbox actions for any logon type on a user mailbox or a shared mailbox. Note this is the default state after mailbox auditing on by default is initially turned on in your organization.

If an admin has ever changed the mailbox actions that are audited for a logon type (by using the AuditAdmin, AuditDelegate, or AuditOwner parameters on the Set-Mailbox cmdlet), the property value will be different.

For example, the value Owner for the DefaultAuditSet property on a user mailbox or shared mailbox indicates:

  • The default mailbox actions for the mailbox owner are being audited.

  • The audited mailbox actions for the Delegate and Admin logon types have been changed from the default actions.

A blank value for the DefaultAuditSet property indicates the mailbox actions for all three logon types have been changed on the user mailbox or a shared mailbox.

For more information, see the Change or restore mailbox actions logged by default section in this topic.

Display the mailbox actions that are being logged on mailboxes

To see the mailbox actions that are currently being logged on user mailboxes or shared mailboxes, replace <MailboxIdentity> with the name, alias, email address, or user principal name (username) of the mailbox, and run one or more of the following commands in Exchange Online PowerShell.

Note

Although you can add the -GroupMailbox switch to the following Get-Mailbox commands for Microsoft 365 Group mailboxes, don't believe the values that are returned. The default and static mailbox actions that are audited for Microsoft 365 Group mailboxes are described in the Mailbox actions for Microsoft 365 Group mailboxes section earlier in this topic.

Owner actions

Get-Mailbox -Identity <MailboxIdentity> | Select-Object -ExpandProperty AuditOwner

Delegate actions

Get-Mailbox -Identity <MailboxIdentity> | Select-Object -ExpandProperty AuditDelegate

Admin actions

Get-Mailbox -Identity <MailboxIdentity> | Select-Object -ExpandProperty AuditAdmin

Change or restore mailbox actions logged by default

As previously explained, one of the key benefits of having mailbox auditing on by default is: you don't need to manage the mailbox actions that are audited. Microsoft does this for you and we'll automatically add new mailbox actions to be audited by default as they're released.

However, your organization might be required to audit a different set of mailbox actions for user mailboxes and shared mailboxes. The procedures in this section show you how to change the mailbox actions that are audited for each logon type, and how to revert back to the Microsoft-managed default actions.

Important

If you use the following procedures to customize the mailbox actions that are logged on user mailboxes or shared mailboxes, any new default mailbox actions released by Microsoft will not be automatically audited on those mailboxes. You'll need to manually add any new mailbox actions to your customized list of actions.

Change the mailbox actions to audit

You can use the AuditAdmin, AuditDelegate, or AuditOwner parameters on the Set-Mailbox cmdlet to change the mailbox actions that are audited for user mailboxes and shared mailboxes (audited actions for Microsoft 365 group mailboxes can't be customized).

You can use two different methods to specify the mailbox actions:

  • Replace (overwrite) the existing mailbox actions by using this syntax: action1,action2,...actionN.

  • Add or remove mailbox actions without affecting other existing values by using this syntax: @{Add="action1","action2",..."actionN"} or @{Remove="action1","action2",..."actionN"}.

This example changes the admin mailbox actions for the mailbox named "Gabriela Laureano" by overwriting the default actions with SoftDelete and HardDelete.

Set-Mailbox -Identity "Gabriela Laureano" -AuditAdmin HardDelete,SoftDelete

This example adds the MailboxLogin owner action to the mailbox laura@contoso.onmicrosoft.com.

Set-Mailbox -Identity laura@contoso.onmicrosoft.com -AuditOwner @{Add="MailboxLogin"}

This example removes the MoveToDeletedItems delegate action for the Team Discussion mailbox.

Set-Mailbox -Identity "Team Discussion" -AuditDelegate @{Remove="MoveToDeletedItems"}

Regardless of the method you use, customizing the audited mailbox actions on user mailboxes or shared mailboxes has the following results:

  • For the logon type that you customized, the audited mailbox actions are no longer managed by Microsoft.

  • The logon type that you customized is no longer displayed in the DefaultAuditSet property value for the mailbox as previously described.

Restore the default mailbox actions

If you customized the mailbox actions that are audited on a user mailbox or a shared mailbox, you can restore the default mailbox actions for one or all logon types by using this syntax:

Set-Mailbox -Identity <MailboxIdentity> -DefaultAuditSet <Admin | Delegate | Owner>

You can specify multiple DefaultAuditSet values separated by commas.

Note: The following procedures don't apply to Microsoft 365 Group mailboxes (they're limited to the default actions as described here).

This example restores the default audited mailbox actions for all logon types on the mailbox mark@contoso.onmicrosoft.com.

Set-Mailbox -Identity mark@contoso.onmicrosoft.com -DefaultAuditSet Admin,Delegate,Owner

This example restores the default audited mailbox actions for the Admin logon type on the mailbox chris@contoso.onmicrosoft.com, but leaves the customized audited mailbox actions for the Delegate and Owner logon types.

Set-Mailbox -Identity chris@contoso.onmicrosoft.com -DefaultAuditSet Admin

Restoring the default audited mailbox actions for a logon type has the following results:

  • The current list of mailbox actions is replaced with the default mailbox actions for the logon type.

  • Any new mailbox actions that are released by Microsoft are automatically added to the list of audited actions for the logon type.

  • The DefaultAuditSet property value for the mailbox is updated to include the restored logon type.

Turn off mailbox auditing on by default for your organization

You can turn off mailbox auditing on by default for your entire organization by running the following command in Exchange Online PowerShell:

Set-OrganizationConfig -AuditDisabled $true

Turning off mailbox auditing on by default has the following results:

  • Mailbox auditing is disabled for your organization.

  • From the time you disable mailbox auditing on by default, no mailbox actions are audited, even if auditing is enabled on a mailbox (the AuditEnabled property on the mailbox is True).

  • Mailbox auditing is not enabled for new mailboxes and setting the AuditEnabled property on a new or existing mailbox to True will be ignored.

  • Any mailbox audit bypass association settings (configured by using the Set-MailboxAuditBypassAssociation cmdlet) are ignored.

  • Existing mailbox audit records are retained until the audit log age limit for the record expires.

Turn on mailbox auditing on by default

To turn mailbox auditing back on for your organization, run the following command in Exchange Online PowerShell:

Set-OrganizationConfig -AuditDisabled $false

Bypass mailbox audit logging

Currently, you can't disable mailbox auditing for specific mailboxes when mailbox auditing on by default is turned on in your organization. For example, setting the AuditEnabled mailbox property to False is ignored.

However, you can still use the Set-MailboxAuditBypassAssociation cmdlet in Exchange Online PowerShell to prevent any and all mailbox actions by the specified users from being logged, regardless of where the actions occur. For example:

  • Mailbox owner actions performed by the bypassed users aren't logged.

  • Delegate actions performed by the bypassed users on other users' mailboxes (including shared mailboxes) aren't logged.

  • Admin actions performed by the bypassed users aren't logged.

To bypass mailbox audit logging for a specific user, replace <MailboxIdentity> with the name, email address, alias, or user principal name (username) of the user and run the following command:

Set-MailboxAuditBypassAssociation -Identity <MailboxIdentity> -AuditByPassEnabled $true

To verify that auditing is bypassed for the specified user, run the following command:

Get-MailboxAuditBypassAssociation -Identity <MailboxIdentity> | Format-List AuditByPassEnabled

The value True indicates that mailbox audit logging is bypassed for the user.
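
The settings covered so far (the organization AuditDisabled switch, per-mailbox DefaultAuditSet, and audit bypass associations) are the three places where audit coverage can be reduced. The following read-only review combines them into one report; it is an added example, not Microsoft's code. It assumes an active Exchange Online PowerShell session, and Get-MailboxAuditGap is a hypothetical function name chosen for this example.

```powershell
# Added example: read-only review of mailbox audit coverage.
# Assumes an active Exchange Online PowerShell session (Connect-ExchangeOnline).
# Get-MailboxAuditGap is a hypothetical helper name used only in this example.

function Get-MailboxAuditGap {
    [CmdletBinding()]
    param(
        # Logon types expected to remain on the Microsoft-managed default set.
        [string[]]$ExpectedDefaultSet = @('Admin', 'Delegate', 'Owner')
    )

    # 1. Organization switch. True means no mailbox actions are audited,
    #    regardless of the AuditEnabled property on individual mailboxes.
    $org = Get-OrganizationConfig
    if ($org.AuditDisabled) {
        [pscustomobject]@{
            Check    = 'OrgAuditDisabled'
            Identity = $org.Name
            Detail   = 'AuditDisabled is True; mailbox auditing is off for the organization'
        }
    }

    # 2. User and shared mailboxes where a logon type is missing from
    #    DefaultAuditSet: its audited actions were customized and no longer
    #    pick up new default actions automatically.
    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox
    foreach ($mbx in $mailboxes) {
        # Normalize the value whether it arrives as a collection or as the
        # single string "Admin, Delegate, Owner"; a blank value yields an empty list.
        $current = @(($mbx.DefaultAuditSet -join ',') -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ })

        foreach ($logonType in $ExpectedDefaultSet) {
            if ($current -notcontains $logonType) {
                # AuditAdmin / AuditDelegate / AuditOwner hold the customized list.
                $actions = @($mbx."Audit$logonType") -join ','
                [pscustomobject]@{
                    Check    = "Customized$logonType"
                    Identity = $mbx.UserPrincipalName
                    Detail   = "Audited actions: $actions"
                }
            }
        }
    }

    # 3. Accounts with audit bypass enabled: none of their owner, delegate,
    #    or admin actions are logged, wherever the actions occur.
    Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
        Where-Object { $_.AuditBypassEnabled } |
        ForEach-Object {
            [pscustomobject]@{
                Check    = 'AuditBypassEnabled'
                Identity = $_.Identity
                Detail   = 'Mailbox actions by this account are not logged'
            }
        }
}

Get-MailboxAuditGap | Sort-Object Check, Identity | Format-Table -AutoSize -Wrap
```

Where a reported customization is not intended, the Set-Mailbox -DefaultAuditSet syntax shown earlier in this topic returns that logon type to the Microsoft-managed actions.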

More information

  • Although mailbox audit logging on by default is enabled for all organizations, only users with E5 licenses will return mailbox audit log events in audit log searches in the Security & Compliance Center or via the Office 365 Management Activity API by default.

    To retrieve mailbox audit log entries for users without E5 licenses, you can:

    • Manually enable mailbox auditing on individual mailboxes (run the command, Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $true). After you do this, you can use audit log searches in the Security & Compliance Center or via the Office 365 Management Activity API.

      Note

      If mailbox auditing already appears to be enabled on the mailbox, but your searches return no results, change the value of the AuditEnabled parameter to $false and then back to $true.

    • Use the following cmdlets in Exchange Online PowerShell:

    • Use the Exchange admin center (EAC) in Exchange Online to do the following actions:

  • By default, mailbox audit log records are retained for 90 days before they're deleted. You can change the age limit for audit log records by using the AuditLogAgeLimit parameter on the Set-Mailbox cmdlet in Exchange Online PowerShell. However, increasing this value doesn't allow you to search for events that are older than 90 days in the audit log.

    If you increase the age limit, you need to use the Search-MailboxAuditLog cmdlet in Exchange Online PowerShell to search the user's mailbox audit log for records that are older than 90 days.

  • If you've changed the AuditLogAgeLimit property for a mailbox prior to mailbox auditing on by default being turned on for the organization, the mailbox's existing audit log age limit isn't changed. In other words, mailbox auditing on by default doesn't affect the current age limit for mailbox audit records.

  • To change the AuditLogAgeLimit value on a Microsoft 365 Group mailbox, you need to include the -GroupMailbox switch in the Set-Mailbox command.

  • Mailbox audit log records are stored in a subfolder (named Audits) in the Recoverable Items folder in each user's mailbox. Keep the following things in mind about mailbox audit records and the Recoverable Items folder:

    • Mailbox audit records count against the storage quota of the Recoverable Items folder, which is 30 GB by default (the warning quota is 20 GB). The storage quota is automatically increased to 100 GB (with a 90 GB warning quota) when:

      • A hold is placed on a mailbox.

      • The mailbox is assigned to a retention policy in the Compliance Center.

    • Mailbox audit records also count against the folder limit for the Recoverable Items folder. A maximum of 3 million items (audit records) can be stored in the Audits subfolder.

      Note

      It's unlikely that mailbox auditing on by default will impact the storage quota or the folder limit for the Recoverable Items folder.

      • You can run the following command in Exchange Online PowerShell to display the size and number of items in the Audits subfolder in the Recoverable Items folder:

        Get-MailboxFolderStatistics -Identity <MailboxIdentity> -FolderScope RecoverableItems | Where-Object {$_.Name -eq 'Audits'} | Format-List FolderPath,FolderSize,ItemsInFolder
        
      • You can't directly access an audit log record in the Recoverable Items folder; instead, you use the Search-MailboxAuditLog cmdlet or search the audit log to find and view mailbox audit records.

  • If a mailbox is placed on hold or assigned to a retention policy in the Compliance Center, audit log records are still retained for the duration that's defined by the mailbox's AuditLogAgeLimit property (90 days by default). To retain audit log records longer for mailboxes on hold, you need to increase the mailbox's AuditLogAgeLimit value.

  • In a multi-geo environment, cross-geo mailbox auditing is not supported. For example, if a user is assigned permissions to access a shared mailbox in a different geo location, mailbox actions performed by that user are not logged in the mailbox audit log of the shared mailbox.