Manage mailbox auditing

Starting in January 2019, Microsoft is turning on mailbox audit logging by default for all organizations. This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged, and the corresponding mailbox audit records will be available when you search for them in the mailbox audit log. Before mailbox auditing was turned on by default, you had to manually enable it for every user mailbox in your organization.

Here are some benefits of mailbox auditing on by default:

  • Auditing is automatically enabled when you create a new mailbox. You don't need to manually enable it for new users.

  • You don't need to manage the mailbox actions that are audited. A predefined set of mailbox actions is audited by default for each logon type (Admin, Delegate, and Owner).

  • When Microsoft releases a new mailbox action, the action might be automatically added to the list of mailbox actions that are audited by default (subject to the user having the appropriate license). This means you don't need to monitor and add new actions on mailboxes.

  • You have a consistent mailbox auditing policy across your organization (because you're auditing the same actions for all mailboxes).

Note

  • The important thing to remember about the release of mailbox auditing on by default is: you don't need to do anything to manage mailbox auditing. However, to learn more, customize mailbox auditing from the default settings, or turn it off altogether, this topic can help you.
  • By default, only mailbox audit events for E5 users are available in audit log searches in the Security & Compliance Center or via the Office 365 Management Activity API. For more information, see the More information section in this topic.

Verify mailbox auditing on by default is turned on

To verify that mailbox auditing on by default is turned on for your organization, run the following command in Exchange Online PowerShell:

Get-OrganizationConfig | Format-List AuditDisabled

The value False indicates that mailbox auditing on by default is enabled for the organization. This on by default organizational value overrides the mailbox auditing setting on specific mailboxes. For example, if mailbox auditing is disabled for a mailbox (the AuditEnabled property is False on the mailbox), the default mailbox actions will still be audited for the mailbox, because mailbox auditing on by default is enabled for the organization.

To keep mailbox auditing disabled for specific mailboxes, you configure mailbox auditing bypass for the mailbox owner and other users who have been delegated access to the mailbox. For more information, see the Bypass mailbox audit logging section in this topic.

Note

When mailbox auditing on by default is turned on for the organization, the AuditEnabled property for affected mailboxes won't be changed from False to True. In other words, mailbox auditing on by default ignores the AuditEnabled property on mailboxes.

Supported mailbox types

The following table shows the mailbox types that are currently supported by mailbox auditing on by default:

Mailbox type Supported Not supported
User mailboxes Check mark
Shared mailboxes Check mark
Microsoft 365 Group mailboxes Check mark
Resource mailboxes Check mark
Public folder mailboxes Check mark

Logon types and mailbox actions

Logon types classify the user that did the audited actions on the mailbox. The following list describes the logon types that are used in mailbox audit logging:

  • Owner: The mailbox owner (the account that's associated with the mailbox).

  • Delegate:

    • A user who's been assigned the SendAs, SendOnBehalf, or FullAccess permission to another mailbox.

    • An admin who's been assigned the FullAccess permission to a user's mailbox.

  • Admin:

    • The mailbox is searched with one of the following Microsoft eDiscovery tools:

      • Content Search in the Compliance center.

      • eDiscovery or Advanced eDiscovery in the Compliance center.

      • In-Place eDiscovery in Exchange Online.

    • The mailbox is accessed by using the Microsoft Exchange Server MAPI Editor.

Mailbox actions for user mailboxes and shared mailboxes

The following table describes the mailbox actions that are available in mailbox audit logging for user mailboxes and shared mailboxes.

  • A check mark indicates the mailbox action can be logged for the logon type (not all actions are available for all logon types).

  • An asterisk ( * ) after the check mark indicates the mailbox action is logged by default for the logon type.

  • Remember, an admin with Full Access permission to a mailbox is considered a delegate.

Mailbox action Description Admin Delegate Owner
AddFolderPermissions Note: Although this value is accepted as a mailbox action, it's already included in the UpdateFolderPermissions action and isn't audited separately. In other words, don't use this value.
ApplyRecord An item is labeled as a record. Check mark* Check mark* Check mark*
Copy A message was copied to another folder. Check mark
Create An item was created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox (for example, a new meeting request is created). Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder is not audited. Check mark* Check mark* Check mark
Default Check mark Check mark Check mark
FolderBind A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox.

Note: Audit records for folder bind actions performed by delegates are consolidated. One audit record is generated for individual folder access within a 24-hour period.
Check mark Check mark
HardDelete A message was purged from the Recoverable Items folder. Check mark* Check mark* Check mark*
MailItemsAccessed Mail data is accessed by mail protocols and clients. This value is only available for E5 or E5 Compliance add-on subscription users. For more information, see Set up Advanced Audit for users. Check mark* Check mark* Check mark*
MailboxLogin The user signed into their mailbox. Check mark
MessageBind A message was viewed in the preview pane or opened by an admin. Note: Although this value is accepted as a mailbox action, these actions are no longer logged. Check mark
ModifyFolderPermissions Note: Although this value is accepted as a mailbox action, it's already included in the UpdateFolderPermissions action and isn't audited separately. In other words, don't use this value.
Move A message was moved to another folder. Check mark Check mark Check mark
MoveToDeletedItems A message was deleted and moved to the Deleted Items folder. Check mark* Check mark* Check mark*
RecordDelete An item that's labeled as a record was soft-deleted (moved to the Recoverable Items folder). Items labeled as records can't be permanently deleted (purged from the Recoverable Items folder). Check mark Check mark Check mark
RemoveFolderPermissions Note: Although this value is accepted as a mailbox action, it's already included in the UpdateFolderPermissions action and isn't audited separately. In other words, don't use this value.
Send The user sends an email message, replies to an email message, or forwards an email message. This value is only available for E5 or E5 Compliance add-on subscription users. For more information, see Set up Advanced Audit for users. Check mark* Check mark* Check mark*
SendAs A message was sent using the SendAs permission. This means another user sent the message as though it came from the mailbox owner. Check mark* Check mark*
SendOnBehalf A message was sent using the SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message. Check mark* Check mark*
SoftDelete A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder. Check mark* Check mark* Check mark*
Update A message or its properties was changed. Check mark* Check mark* Check mark*
UpdateCalendarDelegation A calendar delegation was assigned to a mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar. Check mark* Check mark*
UpdateComplianceTag A different retention label is applied to a mail item (an item can only have one retention label assigned to it). Check mark Check mark Check mark
UpdateFolderPermissions A folder permission was changed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders. Check mark* Check mark* Check mark*
UpdateInboxRules An inbox rule was added, removed, or changed. Inbox rules are used to process messages in the user's Inbox based on the specified conditions and take actions when the conditions of a rule are met, such as moving a message to a specified folder or deleting a message. Check mark* Check mark* Check mark*

Important

If you customized the mailbox actions to audit for any logon type before mailbox auditing on by default was enabled in your organization, the customized settings are preserved on the mailbox and aren't overwritten by the default mailbox actions as described in this section. To revert the audit mailbox actions to their default values (which you can do at any time), see the Restore the default mailbox actions section later in this topic.

Mailbox actions for Microsoft 365 Group mailboxes

Mailbox auditing on by default brings mailbox audit logging to Microsoft 365 Group mailboxes, but you can't customize what's being logged (you can't add or remove mailbox actions that are logged for any logon type).

The following table describes the mailbox actions that are logged by default on Microsoft 365 Group mailboxes for each logon type.

Remember, an admin with Full Access permission to a Microsoft 365 Group mailbox is considered a delegate.

Mailbox action Description Admin Delegate Owner
Create Creation of a calendar item. Creating, sending, or receiving a message isn't audited. Check mark* Check mark*
HardDelete A message was purged from the Recoverable Items folder. Check mark* Check mark* Check mark*
MoveToDeletedItems A message was deleted and moved to the Deleted Items folder. Check mark* Check mark* Check mark*
SendAs A message was sent using the SendAs permission. Check mark* Check mark*
SendOnBehalf A message was sent using the SendOnBehalf permission. Check mark* Check mark*
SoftDelete A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder. Check mark* Check mark* Check mark*
Update A message or its properties was changed. Check mark* Check mark* Check mark*

Verify that default mailbox actions are being logged for each logon type

Mailbox auditing on by default adds a new DefaultAuditSet property to all mailboxes. The value of this property indicates whether the default mailbox actions (managed by Microsoft) are being audited on the mailbox.

To display the value on user mailboxes or shared mailboxes, replace <MailboxIdentity> with the name, alias, email address, or user principal name (username) of the mailbox and run the following command in Exchange Online PowerShell:

Get-Mailbox -Identity <MailboxIdentity> | Format-List DefaultAuditSet

To display the value on Microsoft 365 group mailboxes, replace <MailboxIdentity> with the name, alias, or email address of the shared mailbox and run the following command in Exchange Online PowerShell:

Get-Mailbox -Identity <MailboxIdentity> -GroupMailbox | Format-List DefaultAuditSet

The value Admin, Delegate, Owner indicates:

  • The default mailbox actions for all three logon types are being audited. This is the only value you'll see on Microsoft 365 Group mailboxes.

  • An admin has not changed the audited mailbox actions for any logon type on a user mailbox or a shared mailbox. Note: This is the default state after mailbox auditing on by default is initially turned on in your organization.

If an admin has ever changed the mailbox actions that are audited for a logon type (by using the AuditAdmin, AuditDelegate, or AuditOwner parameters on the Set-Mailbox cmdlet), the property value will be different.

For example, the value Owner for the DefaultAuditSet property on a user mailbox or shared mailbox indicates:

  • The default mailbox actions for the mailbox owner are being audited.

  • The audited mailbox actions for the Delegate and Admin logon types have been changed from the default actions.

A blank value for the DefaultAuditSet property indicates the mailbox actions for all three logon types have been changed on the user mailbox or a shared mailbox.

For more information, see the Change or restore mailbox actions logged by default section in this topic.

Display the mailbox actions that are being logged on mailboxes

To see the mailbox actions that are currently being logged on user mailboxes or shared mailboxes, replace <MailboxIdentity> with the name, alias, email address, or user principal name (username) of the mailbox, and run one or more of the following commands in Exchange Online PowerShell.

Note

Although you can add the -GroupMailbox switch to the following Get-Mailbox commands for Microsoft 365 Group mailboxes, don't believe the values that are returned. The default and static mailbox actions that are audited for Microsoft 365 Group mailboxes are described in the Mailbox actions for Microsoft 365 Group mailboxes section earlier in this topic.

Owner actions

Get-Mailbox -Identity <MailboxIdentity> | Select-Object -ExpandProperty AuditOwner

Delegate actions

Get-Mailbox -Identity <MailboxIdentity> | Select-Object -ExpandProperty AuditDelegate

Admin actions

Get-Mailbox -Identity <MailboxIdentity> | Select-Object -ExpandProperty AuditAdmin
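
The DefaultAuditSet check and the per-logon-type commands above can be combined into one report of mailboxes that have drifted from the Microsoft-managed defaults. This is an added example, not code from the original page; the function names, the baseline list (taken from the actions the table marks as default for all three logon types) and the sample objects are assumptions made for illustration.

```powershell
# Added example, not part of the original page.
# Actions the table above marks as logged by default for all three logon types.
# MailItemsAccessed and Send are left out because they depend on E5 licensing.
$BaselineActions = 'ApplyRecord', 'HardDelete', 'MoveToDeletedItems', 'SoftDelete',
                   'Update', 'UpdateFolderPermissions', 'UpdateInboxRules'

# Normalize a multi-valued property to an array of non-empty strings, whether it
# arrives as a collection or as one comma-separated string.
function ConvertTo-StringList {              # hypothetical helper name
    param([object] $Value)
    @($Value | ForEach-Object { "$_" -split '\s*,\s*' } | Where-Object { $_ })
}

function Get-MailboxAuditDrift {             # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Mailbox
    )
    process {
        # DefaultAuditSet lists the logon types still on Microsoft-managed defaults.
        $managed = @(ConvertTo-StringList $Mailbox.DefaultAuditSet)
        foreach ($logonType in 'Admin', 'Delegate', 'Owner') {
            if ($managed -contains $logonType) { continue }

            # This logon type was customized: read its AuditAdmin/AuditDelegate/
            # AuditOwner list and work out which baseline actions are absent.
            $audited = @(ConvertTo-StringList $Mailbox."Audit$logonType")
            $missing = @($BaselineActions | Where-Object { $audited -notcontains $_ })

            [pscustomobject]@{
                Mailbox        = $Mailbox.UserPrincipalName
                LogonType      = $logonType
                AuditedActions = $audited -join ','
                MissingActions = $missing -join ','
            }
        }
    }
}

# Constructed sample objects (not real tenant data) so the logic runs offline.
# The second one mirrors a mailbox whose admin actions were overwritten with
# HardDelete,SoftDelete.
$sample = @(
    [pscustomobject]@{
        UserPrincipalName = 'mark@contoso.onmicrosoft.com'
        DefaultAuditSet   = 'Admin', 'Delegate', 'Owner'
        AuditAdmin        = $BaselineActions
        AuditDelegate     = $BaselineActions
        AuditOwner        = $BaselineActions
    }
    [pscustomobject]@{
        UserPrincipalName = 'gabriela@contoso.onmicrosoft.com'
        DefaultAuditSet   = 'Delegate', 'Owner'
        AuditAdmin        = 'HardDelete', 'SoftDelete'
        AuditDelegate     = $BaselineActions
        AuditOwner        = $BaselineActions
    }
)
$sample | Get-MailboxAuditDrift | Format-List

# Against a live tenant (requires an Exchange Online PowerShell session):
# Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
#     Get-MailboxAuditDrift
```

Only customized logon types produce output, so a mailbox that is fully on the defaults yields no rows.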

Change or restore mailbox actions logged by default

As previously explained, one of the key benefits of having mailbox auditing on by default is: you don't need to manage the mailbox actions that are audited. Microsoft does this for you and we'll automatically add new mailbox actions to be audited by default as they're released.

However, your organization might be required to audit a different set of mailbox actions for user mailboxes and shared mailboxes. The procedures in this section show you how to change the mailbox actions that are audited for each logon type, and how to revert back to the Microsoft-managed default actions.

Important

If you use the following procedures to customize the mailbox actions that are logged on user mailboxes or shared mailboxes, any new default mailbox actions released by Microsoft will not be automatically audited on those mailboxes. You'll need to manually add any new mailbox actions to your customized list of actions.

Change the mailbox actions to audit

You can use the AuditAdmin, AuditDelegate, or AuditOwner parameters on the Set-Mailbox cmdlet to change the mailbox actions that are audited for user mailboxes and shared mailboxes (audited actions for Microsoft 365 group mailboxes can't be customized).

You can use two different methods to specify the mailbox actions:

  • Replace (overwrite) the existing mailbox actions by using this syntax: action1,action2,...actionN.

  • Add or remove mailbox actions without affecting other existing values by using this syntax: @{Add="action1","action2",..."actionN"} or @{Remove="action1","action2",..."actionN"}.

This example changes the admin mailbox actions for the mailbox named "Gabriela Laureano" by overwriting the default actions with SoftDelete and HardDelete.

Set-Mailbox -Identity "Gabriela Laureano" -AuditAdmin HardDelete,SoftDelete

This example adds the MailboxLogin owner action to the mailbox laura@contoso.onmicrosoft.com.

Set-Mailbox -Identity laura@contoso.onmicrosoft.com -AuditOwner @{Add="MailboxLogin"}

This example removes the MoveToDeletedItems delegate action for the Team Discussion mailbox.

Set-Mailbox -Identity "Team Discussion" -AuditDelegate @{Remove="MoveToDeletedItems"}

Regardless of the method you use, customizing the audited mailbox actions on user mailboxes or shared mailboxes has the following results:

  • For the logon type that you customized, the audited mailbox actions are no longer managed by Microsoft.

  • The logon type that you customized is no longer displayed in the DefaultAuditSet property value for the mailbox as previously described.

Restore the default mailbox actions

If you customized the mailbox actions that are audited on a user mailbox or a shared mailbox, you can restore the default mailbox actions for one or all logon types by using this syntax:

Set-Mailbox -Identity <MailboxIdentity> -DefaultAuditSet <Admin | Delegate | Owner>

You can specify multiple DefaultAuditSet values separated by commas.

Note: The following procedures don't apply to Microsoft 365 Group mailboxes (they're limited to the default actions as described here).

This example restores the default audited mailbox actions for all logon types on the mailbox mark@contoso.onmicrosoft.com.

Set-Mailbox -Identity mark@contoso.onmicrosoft.com -DefaultAuditSet Admin,Delegate,Owner

This example restores the default audited mailbox actions for the Admin logon type on the mailbox chris@contoso.onmicrosoft.com, but leaves the customized audited mailbox actions for the Delegate and Owner logon types.

Set-Mailbox -Identity chris@contoso.onmicrosoft.com -DefaultAuditSet Admin

Restoring the default audited mailbox actions for a logon type has the following results:

  • The current list of mailbox actions is replaced with the default mailbox actions for the logon type.

  • Any new mailbox actions that are released by Microsoft are automatically added to the list of audited actions for the logon type.

  • The DefaultAuditSet property value for the mailbox is updated to include the restored logon type.

Turn off mailbox auditing on by default for your organization

You can turn off mailbox auditing on by default for your entire organization by running the following command in Exchange Online PowerShell:

Set-OrganizationConfig -AuditDisabled $true

Turning off mailbox auditing on by default has the following results:

  • Mailbox auditing is disabled for your organization.

  • From the time you disabled mailbox auditing on by default, no mailbox actions are audited, even if auditing is enabled on a mailbox (the AuditEnabled property on the mailbox is True).

  • Mailbox auditing is not enabled for new mailboxes, and setting the AuditEnabled property on a new or existing mailbox to True will be ignored.

  • Any mailbox audit bypass association settings (configured by using the Set-MailboxAuditBypassAssociation cmdlet) are ignored.

  • Existing mailbox audit records are retained until the audit log age limit for the record expires.

Turn on mailbox auditing on by default

To turn mailbox auditing back on for your organization, run the following command in Exchange Online PowerShell:

Set-OrganizationConfig -AuditDisabled $false

Bypass mailbox audit logging

Currently, you can't disable mailbox auditing for specific mailboxes when mailbox auditing on by default is turned on in your organization. For example, setting the AuditEnabled mailbox property to False is ignored.

However, you can still use the Set-MailboxAuditBypassAssociation cmdlet in Exchange Online PowerShell to prevent any and all mailbox actions by the specified users from being logged, regardless of where the actions occur. For example:

  • Mailbox owner actions performed by the bypassed users aren't logged.

  • Delegate actions performed by the bypassed users on other users' mailboxes (including shared mailboxes) aren't logged.

  • Admin actions performed by the bypassed users aren't logged.

To bypass mailbox audit logging for a specific user, replace <MailboxIdentity> with the name, email address, alias, or user principal name (username) of the user and run the following command:

Set-MailboxAuditBypassAssociation -Identity <MailboxIdentity> -AuditByPassEnabled $true

To verify that auditing is bypassed for the specified user, run the following command:

Get-MailboxAuditBypassAssociation -Identity <MailboxIdentity> | Format-List AuditByPassEnabled

The value True indicates that mailbox audit logging is bypassed for the user.
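
Because a bypassed account leaves no owner, delegate, or admin records anywhere, it is worth periodically listing every bypass association and comparing it with the accounts you expect. The following is an added example, not code from the original page; the function name, the approved-list parameter, and the sample objects (including the account names) are assumptions made for illustration.

```powershell
# Added example, not part of the original page.
# Reports where mailbox actions produce no audit records: either the whole
# organization (AuditDisabled is True) or individual bypassed accounts.
function Get-AuditBypassFinding {            # hypothetical helper name
    [CmdletBinding()]
    param(
        # Output of Get-OrganizationConfig.
        [Parameter(Mandatory)]
        [object] $OrganizationConfig,

        # Output of Get-MailboxAuditBypassAssociation.
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [object[]] $Association,

        # Assumption: names of accounts whose bypass was reviewed and approved.
        [string[]] $ApprovedBypass = @()
    )

    if ($OrganizationConfig.AuditDisabled) {
        # With auditing turned off for the organization, no mailbox actions are
        # audited and bypass associations are ignored, so this is the only finding.
        return [pscustomobject]@{
            Scope   = 'Organization'
            Name    = '(all mailboxes)'
            Finding = 'AuditDisabled is True: no mailbox actions are audited'
        }
    }

    foreach ($entry in $Association) {
        if (-not $entry.AuditByPassEnabled) { continue }

        $finding = if ($ApprovedBypass -contains $entry.Name) {
            'Bypass enabled (approved)'
        }
        else {
            'Bypass enabled and NOT on the approved list: review'
        }

        [pscustomobject]@{
            Scope   = 'User'
            Name    = $entry.Name
            Finding = $finding
        }
    }
}

# Constructed sample input (not real tenant data) so the logic runs offline.
$sampleOrg   = [pscustomobject]@{ AuditDisabled = $false }
$sampleAssoc = @(
    [pscustomobject]@{ Name = 'svc-journal'; AuditByPassEnabled = $true  }
    [pscustomobject]@{ Name = 'laura';       AuditByPassEnabled = $false }
    [pscustomobject]@{ Name = 'chris';       AuditByPassEnabled = $true  }
)
Get-AuditBypassFinding -OrganizationConfig $sampleOrg -Association $sampleAssoc `
    -ApprovedBypass 'svc-journal' | Format-Table -AutoSize

# Against a live tenant (requires an Exchange Online PowerShell session):
# Get-AuditBypassFinding -OrganizationConfig (Get-OrganizationConfig) `
#     -Association (Get-MailboxAuditBypassAssociation -ResultSize Unlimited) `
#     -ApprovedBypass 'svc-journal'
```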

More information

  • Although mailbox audit logging on by default is enabled for all organizations, only users with E5 licenses will return mailbox audit log events in audit log searches in the Security & Compliance Center or via the Office 365 Management Activity API by default.

    To retrieve mailbox audit log entries for users without E5 licenses, you can:

    • Manually enable mailbox auditing on individual mailboxes (run the command Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $true). After you do this, you can use audit log searches in the Security & Compliance Center or via the Office 365 Management Activity API.

      Note

      If mailbox auditing already appears to be enabled on the mailbox, but your searches return no results, change the value of the AuditEnabled parameter to $false and then back to $true.

    • Use the following cmdlets in Exchange Online PowerShell:

    • Use the Exchange admin center (EAC) in Exchange Online to do the following actions:

  • By default, mailbox audit log records are retained for 90 days before they're deleted. You can change the age limit for audit log records by using the AuditLogAgeLimit parameter on the Set-Mailbox cmdlet in Exchange Online PowerShell. However, increasing this value doesn't allow you to search for events that are older than 90 days in the audit log.

    If you increase the age limit, you need to use the Search-MailboxAuditLog cmdlet in Exchange Online PowerShell to search the user's mailbox audit log for records that are older than 90 days.

  • If you've changed the AuditLogAgeLimit property for a mailbox prior to mailbox auditing on by default being turned on for your organization, the mailbox's existing audit log age limit isn't changed. In other words, mailbox auditing on by default doesn't affect the current age limit for mailbox audit records.

  • To change the AuditLogAgeLimit value on a Microsoft 365 Group mailbox, you need to include the -GroupMailbox switch in the Set-Mailbox command.

  • Mailbox audit log records are stored in a subfolder (named Audits) in the Recoverable Items folder in each user's mailbox. Keep the following things in mind about mailbox audit records and the Recoverable Items folder:

    • Mailbox audit records count against the storage quota of the Recoverable Items folder, which is 30 GB by default (the warning quota is 20 GB). The storage quota is automatically increased to 100 GB (with a 90 GB warning quota) when:

      • A hold is placed on a mailbox.

      • The mailbox is assigned to a retention policy in the Compliance Center.

    • Mailbox audit records also count against the folder limit for the Recoverable Items folder. A maximum of 3 million items (audit records) can be stored in the Audits subfolder.

      Note

      It's unlikely that mailbox auditing on by default will impact the storage quota or the folder limit for the Recoverable Items folder.

      • You can run the following command in Exchange Online PowerShell to display the size and number of items in the Audits subfolder in the Recoverable Items folder:

        Get-MailboxFolderStatistics -Identity <MailboxIdentity> -FolderScope RecoverableItems | Where-Object {$_.Name -eq 'Audits'} | Format-List FolderPath,FolderSize,ItemsInFolder
        
      • You can't directly access an audit log record in the Recoverable Items folder; instead, you use the Search-MailboxAuditLog cmdlet or search the audit log to find and view mailbox audit records.

  • If a mailbox is placed on hold or assigned to a retention policy in the Compliance Center, audit log records are still retained for the duration that's defined by the mailbox's AuditLogAgeLimit property (90 days by default). To retain audit log records longer for mailboxes on hold, you need to increase the mailbox's AuditLogAgeLimit value.

  • In a multi-geo environment, cross-geo mailbox auditing is not supported. For example, if a user is assigned permissions to access a shared mailbox in a different geo location, mailbox actions performed by that user are not logged in the mailbox audit log of the shared mailbox.