First select the mailboxes you want to enable auditing.
Note: To run non-owner Mailbox access report . Auditing has to be enabled in advance to capture the behaviour of the user mailboxes.
Get-Mailbox *careexchange.in | Set-Mailbox -AuditEnabled:$true
Logging into EAC (Exchange Admin Center) – Compliance Management – Auditing
Click on Run a owner mailbox access report.
Choose the mailboxes you want to audit –
Click on Search. Now you can see if any unauthorised access has been made. it will be showing up .
In my case – Archiving server is using a impersonated account to pull all the email items from the mailboxes.
Now to export the same report you need to do few changes in attachment settings as report is generated in the form of XML which is blocked by default.
To see the Allowed Files list –
Get-OwaMailboxPolicy | Select-Object -ExpandProperty AllowedFileTypes | export-csv C:\Extensions.txt
To see the Blocked Files list –
Get-OwaMailboxPolicy | Select-Object -ExpandProperty BlockedFileTypes | export-csv C:\BlockedExtensions.txt
If export-csv doesn’t work After Allowedfiletypes use >C:\Extensions.txt
Opening the Blockedextensions.txt i could see the .xml
Checking Which is the OWA maibox policy assigned on the mailboxes where it needs to receive the report.
Get-CASMailbox Testuser* | Fl *owa*
Now i got the owamailboxpolicy name.
Adding the .xml in the allowed file types –
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes @Removing the .xml from the allowed file types –
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -BlockedFileTypes @Now you can receive the Auditing report as below –
These logs are stored in the dumpster of the mailbox itself. so it will be archived after 90 days as a default retention limit.
Mailbox Audit Log Search ‘Search20150817’ Requested by Satheshwaran Manoharan Completed Successfully Search Criteria: StartDate Utc: 7/31/2015 8:00:00 PM EndDate Utc: 8/17/2015 8:00:00 PM Mailboxes: LogonTypes: Admin, Delegate ShowDetails: True ExternalAccess: Search request was submitted around 8/17/2015 1:54:44 PM Utc. Don’t reply to this email message. It was sent from an unmonitored account.
