Applies to: Exchange Server 2013, Exchange Online
Topic Last Modified: 2012-10-13
The Non-Owner Mailbox Access Report in the Exchange Administration Center (EAC) lists the mailboxes that have been accessed by someone other than the person who owns the mailbox. When a mailbox is accessed by a non-owner, Microsoft Exchange logs information about this action in a mailbox audit log that’s stored as an email message in a hidden folder in the mailbox being audited. Entries from this log are displayed as search results and include a list of mailboxes accessed by a non-owner, who accessed the mailbox and when, the actions performed by the non-owner, and whether the action was successful. By default, entries in the mailbox audit log are retained for 90 days.
When you enable mailbox audit logging for a mailbox, Microsoft Exchange logs specific actions by non-owners, including both administrators and users, called delegated users, who have been assigned permissions to a mailbox. You can also narrow the search to users inside or outside your organization.
What do you need to know before you begin?
- Estimated time to complete: 5 minutes.
- You need to be assigned permissions before you can perform this
procedure or procedures. To see what permissions you need, see the
"Mailbox audit logging" entry in the Messaging Policy and
Compliance Permissions topic.
- For information about keyboard shortcuts that may apply to the
procedures in this topic, see Keyboard Shortcuts in
the Exchange Admin Center.
 Tip: |
|---|
| Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection. |
What do you want to do?
Enable mailbox audit logging
You have to enable mailbox audit logging for each mailbox that you want to run a non-owner mailbox access report for. If mailbox audit logging isn't enabled, you won't get any results when you run a report.
To enable mailbox audit logging for a single mailbox, run the following Shell command.
 Copy Code |
|
|---|---|
Set-Mailbox <Identity> -AuditEnabled $true |
|
For example, to enable mailbox auditing for a user named Florence Flipo, run the following command.
| Copy Code |
|
|---|---|
Set-Mailbox "Florence Flipo" -AuditEnabled $true |
|
To enable mailbox auditing for all user mailboxes in your organization, run the following commands.
| Copy Code |
|
|---|---|
$UserMailboxes = Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
|
|
| Copy Code |
|
|---|---|
$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}
|
|
How do you know this worked?
Run the following command to verify that you’ve successfully configured mailbox audit logging.
| Copy Code |
|
|---|---|
Get-Mailbox | FL Name,AuditEnabled |
|
A value of True for the
AuditEnabled property verifies that audit logging is
enabled.
Run a non-owner mailbox access report
- In the EAC, navigate to Compliance
Management > Auditing.
- Click Run a non-owner mailbox access report.
By default, Microsoft Exchange runs the report for non-owner access to any mailboxes in the organization over the past two weeks. The mailboxes listed in the search results have been enabled for mailbox audit logging.
- To view non-owner access for a specific mailbox, select the
mailbox from the list of mailboxes. View the search results in the
details pane.
| Tip: |
|---|
| Want to narrow the search results? Select the start date, end date, or both, and select specific mailboxes to search. Click Search to re-run the report. |
Search for specific types of non-owner access
You can also specify the type of non-owner access, also called the logon type, to search for. Here are your options:
- All non-owners Search for access by
administrators and delegated users inside your organization. Also
includes access by Microsoft datacenter administrators for Exchange
Online organizations.
- External users Search for access by
Microsoft datacenter administrators for Exchange Online
organizations.
- Administrators and delegated
users Search for access by administrators and
delegated users inside your organization.
- Administrators Search for access by
administrators in your organization.
What gets logged in the mailbox audit log?
When you run a non-owner mailbox access report, entries from the mailbox audit log are displayed in the search results in the EAC. Each report entry contains this information:
- Who accessed the mailbox and when
- The actions performed by the non-owner
- The affected message and its folder location
- Whether the action was successful
The following table describes the types of actions logged, and whether these actions are logged by default for access by administrators and for access by delegated users. If you want to track actions that aren't logged by default, you have to use the Shell to enable logging of those actions.
| Action | Description | Administrators | Delegated users |
|---|---|---|---|
|
Update |
A message was changed. |
Yes |
Yes |
|
Copy |
A message was copied to another folder. |
No |
No |
|
Move |
A message was moved to another folder. |
Yes |
No |
|
Move To Deleted Items |
A message was moved to the Deleted Items folder. |
Yes |
No |
|
Soft-delete |
A message was deleted from the Deleted Items folder. |
Yes |
Yes |
|
Hard-delete |
A message was purged from the Recoverable Items folder. |
Yes |
Yes |
|
FolderBind |
A mailbox folder was accessed. |
Yes |
No |
|
Send as |
A message was sent using SendAs permission. This means another user sent the message as though it came from the mailbox owner. |
Yes |
Yes |
|
Send on behalf of |
A message was sent using SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message will indicate to the recipient who the message was sent on behalf of and who actually sent the message. |
Yes |
No |
|
MessageBind |
A message was viewed in the preview pane or opened. |
No |
No |
How do you know this worked?
To verify that you’ve successfully run a non-owner mailbox access report, check the search results pane. Mailboxes that you ran the report for are displayed in this pane. If there are no results for a specific mailbox, it’s possible there hasn’t been access by a non-owner or that non-owner access hasn’t taken place within the specified date range. As previously described, be sure to verify that audit logging has been enabled for the mailboxes you want to search for access by non-owners.