How To Use Mailbox Audit Logging in Exchange 2013, 2016, 2019?
Keeping track of mailbox activity is an essential responsibility of any IT admin that manages Exchange Server for an organization. So to help you out we have this informative article where we will discuss about how to use mailbox audit logging in Exchange Server 2013, 2016, 2019 and the latest SE version as well.
Moreover, organizations must stay serious about the data security and thus establish total control over the information stored in every user mailbox.
Since Exchange Server 2010 Microsoft provides this feature known as Mailbox Audit Logging. This feature in Exchange Server allows users to track actions that are users perform on their mailbox and also provides the shared mailbox data.
It does so by keeping track of a user’s computer IP address and name. The Exchange Server allows owners, delegates and administrators to witness this activity in form of logs. With this brief introduction we are ready to go more in depth into the inner workings of the feature. So, without further ado let’s start.
Working Of Mailbox Audit Logging in Exchange Server
When the user enables the mailbox audit logging entries are generate inside recoverable items folder in the mailbox. This audit log entries are not visible to the mailbox user who are using Outlook or any other email client. Exchange Server 2013 has the following default configuration for the mailbox audit logging:
- Admin disables Mailbox Audit Logging.
- The Audit Login entries expire after 90 days.
- Entries don’t record any actions done by Owner.
- Only delegate and administrators actions are visible.
Check Out: Steps to Set up Exchange Email on Android Phone the Right Way
In Exchange Server 2013 the default mailbox audit logging will look like this:
[PS] C:\>Get-Mailbox alan.reid | fl *audit*
AuditEnabled : False
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate : {Update, SoftDelete, HardDelete, SendAs, Create}
AuditOwner : {}
Note: The AuditAdmin settings are referred to as the access using methods such as eDiscovery searches, mailbox import/export operations, or tools such as MFCMAPI. If the administrator gets both the permission and the access to a mailbox then those actions will be be present according to the AuditDelegate settings.
How To Enable or Disable Mailbox Audit Logging in Exchange Server 2013?
There are some mailboxes in the organization that the user wants to enable the Mailbox Audit Logging. Moreover, it can be done using Set-Mailbox cmdlet command.
Run the following cmdlet:
[PS] C:\>Set-Mailbox alan.reid -AuditEnabled $true
And if the user wants to disable the Audit Logging then change the true value into false.
Also Read: How to View Exchange Server Logs
However, there are some users who want to enable Audit Logging for all the mailboxes. It can be done by enabling Get-Mailbox query into Set-Mailbox in order to enable Audit Logging for all mailboxes.
It’s executed like this:
[PS] C:\>Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled:$true
How To Search Mailbox Audit Log?
The following methods can be used to search for Mailbox Audit Log:
#1 Search for Single Mailbox Synchronously
In this the user can use search-MailboxAuditLog cmdlet to synchronously search for the single mailbox log entries.
#2 Search for One or More Mailboxes Asynchronously
In this the user can use create Mailbox Audit Log to search for one or more mailboxes asynchronously. The results are then send to the specified mail address. Now, for creating the search use New-MailboxAuditLogSearch cmdlet.
#3 Use Of Auditing Report in Exchange Admin Center (EAC)
In EAC use auditing tabs to find non-owner mailbox report or export the non-owner entries from the Mailbox Audit Logging in Exchange Server 2013.
Types Of Actions Logged in Mailbox Audit
| Action | Description of Mailbox Audit Logging | Available To |
| Copy | Copy items between folders | Admin, Delegate |
| Create | Create/send items | Admin, Delegate, Owner |
| FolderBind | Access a folder | Admin, Delegate |
| HardDelete | Permanent delete | Admin, Delegate, Owner |
| MessageBind | Open/read item | Admin |
| Move | Move item to another folder | Admin, Delegate, Owner |
| MoveToDeletedItems | Send item to Deleted folder | Admin, Delegate, Owner |
| SendAs | Send as another user | Admin, Delegate |
| SendOnBehalf | Send on behalf of another user | Admin, Delegate |
| SoftDelete | Delete from Deleted Items | Admin, Delegate, Owner |
| Update | Modify item properties | Admin, Delegate, Owner |
Best Practices & Troubleshooting
- Enable logging only for required mailboxes (e.g., executives, shared mailboxes).
- Monitor log size – extensive audit logging can consume storage quickly.
- Use filters when searching (date range, user, action) for performance.
- If mailbox corruption occurs due to logging misconfigurations, use professional tools like SysTools Exchange Recovery to restore mailboxes safely.
Conclusion
As we have discussed Mailbox Audit logging in Exchange Server 2013 and we have come to know that the MailBox Audit Logging method allows the administrator an ability to track the actions performed in a mailbox. It is a very helpful feature when the multiple users are accessing the shared mailbox. This method determines what actions happen on the mailbox and at what time.
Also Read: What to Do When Exchange Calendar Not Syncing on iPhone?
Sometimes in running command for Mailbox audit may lead your Exchange mailbox in unhealthy state. In this kind of situation you can use Exchange Mailbox Recovery tool for quick fix of corrupt mailbox items.
Frequently Asked Questions
Q1. Is mailbox audit logging enabled by default in any Exchange Server?
No, it is disabled by default. You must enable it manually regardless of the Exchange Server version you operate.
Q2. How long are mailbox audit logs retained?
By default, every Exchange server stores the data for 90 days only. However, you are free to modify this retention period with the Set-Mailbox cmdlet.
Q3. Can users who are the actual mailbox owners see their audit logs?
No, this is mainly because of the accessibility permission. Audit logs are kept in the Recoverable Items folder, which is hidden from end-users by default. Nevertheless, admins can elevate a user’s accessibility level and allow them to witness the data as well.
Q4. Does enabling mailbox audit logging impact server performance?
There is minimal to no impact on performance unless you were operating on very old hardware. In such a case, performance remains below par irrespective of the mailboxes’ audit enable/disable status. One thing that admins must keep in mind is that frequent actions on all mailboxes may increase storage usage.