In this blog we see how to enable
auditing in office 365. In order to track the users actions
like; reading, moving, and deleting the messages.
By using audit logs we can see who read, deleted,
moved or copied a message in Office 365.
We need to enable auditing in office 365, by default auditing is not enabled in office 365. As per requirement, you can either enable auditing in specific of all mailboxes by using PowerShell. So first you have to connect to office 365 using PowerShell, then you can enable or disable auditing.
To Enable Auditing for Single
User in Office 365:
Set-Mailbox abc@cloudmonkeys.xyz -AuditEnabled $true
To Disable Auditing for Single
User in Office 365:
Set-Mailbox abc@cloudmonkeys.xyz -AuditEnabled $false
Enable Auditing for all users in
Office 365– Run below cmdlet to enable
auditing for all office 365 users:
Get-mailbox -Filter
{(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity
-AuditEnabled $true}
In order to check which user have
auditing enabled or disabled:
get-mailbox | select
UserPrincipalName,auditenabled,AuditDelegate,AuditAdmin
You will get output in table
form. If you would like to see only those have auditing enabled run below
cmdlet:
get-mailbox -filter
{AuditEnabled -eq $true} | select UserPrincipalName,auditenabled,AuditDelegate
If you would like to see only
those who do not have auditing enabled run below cmdlet:
get-mailbox -filter
{AuditEnabled -eq $false} | select UserPrincipalName,auditenabled,AuditDelegate
You can audit all mailbox action
for all users:
Get-mailbox -Filter
{(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity
-AuditEnabled $true -AuditAdmin
Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update
-AuditDelegate
Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update
-AuditOwner
Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update }
Comments
Post a Comment