How to Audit Non-Owner Mailbox Access in Exchange?

When a mailbox on an Exchange server is accessed by a non-owner, the server records this activity in a mailbox audit log (if the “mailbox audit logging” feature is enabled). This log is saved as an email in a hidden folder in the mailbox itself. In this log, you can find information about the actions performed by the non-owner and whether those actions were successful. By default, these details are held in the log for 90 days. However, this duration can be changed manually with the Exchange Management Shell (EMS).

How to Audit Non-Owner Access in Exchange?

First, you need to check if the mailbox audit logging feature is enabled or disabled for the mailbox you want to audit. To do so, run the following command in EMS:

Get-Mailbox [user name] | FL

This will show the details of the mailbox, including the audit-related ones such as the AuditEnabled parameter. If this parameter’s value is False, the mailbox audit logging feature is disabled for the mailbox. To enable the feature, run the following command in EMS:

Set-Mailbox [user name] -AuditEnabled $True

Now, follow the given steps to run a non-owner mailbox access report:

  • Open Exchange Admin Center. Then go to Compliance Management > Auditing > Run a non-owner mailbox access report.
  • In the window that opens, select the Start date and End date of the audit period.
  • Select the mailboxes you want to audit and click Search. This will fetch and display the log entries for non-owner mailbox access.

Note: If you want to audit all mailboxes, leave the input box blank.

  • Export the non-owner mailbox access report. For this, you need to change the email attachment settings, because the mailbox access report is usually generated in XML format, which is blocked by default.

To view blocked file types for attachments, run the following command:

Get-OwaMailboxPolicy | Select-Object -ExpandProperty BlockedFileTypes | Out-File C:\BlockedExtensions.txt

Open the BlockedExtensions.txt file and check whether .xml is in the list.

If .xml is in the list, the file format is blocked. You can unblock it by following these steps:

  • Add .xml to the allowed file types list by running the following command:

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes @{add='.xml'}

  • Remove .xml from the blocked file types list by running the following command:

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -BlockedFileTypes @{remove='.xml'}

The non-owner mailbox access report will be delivered as an .xml attachment via email. You can access the report either in Outlook or OWA.
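The same non-owner entries can also be pulled directly in EMS with Search-MailboxAuditLog, which avoids the XML attachment step. The script below is an added example, not part of the original article; the 30-day window, the per-mailbox result size and the CSV path are assumptions.

```powershell
# Added example: run in the Exchange Management Shell (EMS).
# Assumed values: 30-day window, 1000 entries per mailbox, CSV output path.
$start   = (Get-Date).AddDays(-30)
$end     = Get-Date
$csvPath = 'C:\NonOwnerAccess.csv'

$mailboxes = Get-Mailbox -ResultSize Unlimited

# Mailboxes with auditing switched off record nothing, so list them first.
$mailboxes | Where-Object { -not $_.AuditEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, AuditEnabled, AuditLogAgeLimit |
    Format-Table -AutoSize

# Collect delegate and administrator (non-owner) entries.
# -ShowDetails returns one record per logged action and is used with -Identity,
# so each audited mailbox is queried in turn.
$entries = foreach ($mbx in ($mailboxes | Where-Object { $_.AuditEnabled })) {
    Search-MailboxAuditLog -Identity $mbx.DistinguishedName `
        -LogonTypes Admin, Delegate -StartDate $start -EndDate $end `
        -ShowDetails -ResultSize 1000
}

# Summarise who touched which mailbox, what they did, and whether it succeeded.
$summary = $entries |
    Group-Object MailboxResolvedOwnerName, LogonUserDisplayName, LogonType, Operation, OperationResult |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Mailbox    = $first.MailboxResolvedOwnerName
            AccessedBy = $first.LogonUserDisplayName
            LogonType  = $first.LogonType
            Operation  = $first.Operation
            Result     = $first.OperationResult
            Count      = $_.Count
            LastSeen   = ($_.Group | Measure-Object LastAccessed -Maximum).Maximum
        }
    } | Sort-Object Mailbox, AccessedBy

$summary | Format-Table -AutoSize
$summary | Export-Csv -Path $csvPath -NoTypeInformation
```

An empty summary for a mailbox listed in the first table means auditing was off, not that nobody accessed it.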

Challenges in Auditing Non-Owner Access with EMS

Generating a non-owner mailbox logon report manually via EMS has some limitations, such as:

  • Running complex commands to generate the required non-owner mailbox logon report every time is time-consuming and tedious.
  • You need to have an in-depth understanding of the cmdlets and parameters required to generate the reports.
  • Since the reports are text-based, finding the required details in them would be time-consuming.
  • You need to have appropriate permissions to generate reports.

To overcome these limitations, you can use an advanced Exchange auditor software such as Stellar Reporter & Auditor for Exchange Server.

Audit Non-Owner Mailbox Access by using the Software

With Stellar Reporter & Auditor for Exchange Server, generating a non-owner mailbox logon report is easier, safer, and faster. The software has a user-friendly GUI that allows you to generate detailed reports with just a few clicks. You can also schedule reports, set alerts, and do even more while saving time.

To view the non-owner mailbox access report by using the software, follow these steps:

  • Download and install the software on your system.
  • Sign in with the default username and password and then provide a new password.
  • Add the server and perform a scan. This will help the software to collect server data for creating reports.

Note: The software supports multiple servers. If you wish to change the server, click Select Server on top-right, and select the server from the drop-down list.

  • Go to Navigation Pane and click Auditor.
  • Under Mailbox Logon Reports, select Non-owner Mailbox logon.

Benefits of Stellar Reporter & Auditor for Exchange Server

  • Generate a non-owner mailbox logon report for multiple users in just a few clicks.
  • No technical expertise required, as the software features an easy-to-navigate interface.
  • Generate 142 different reports, such as server-based logon report, user logon activity report, etc.
  • Audit Exchange mailboxes on any device including mobiles.
  • Export reports in multiple formats - HTML, CSV, PDF, and XLSX.
  • Reports have intuitive graphs and charts to provide quick insights.
  • Schedule reports and scanning as per your requirements, and receive notifications.

Conclusion

Exchange’s “mailbox audit logging” functionality allows you to audit the actions of non-owners on user mailboxes and shared mailboxes. You can generate a non-owner mailbox access report by using Exchange utilities as mentioned in this post. However, there are some limitations to using the Exchange utilities, such as the roles and permissions required, technical proficiency with EAC and EMS, etc. For hassle-free and easy auditing, use third-party software such as Stellar Reporter & Auditor for Exchange Server. The software comes with a user-friendly interface that allows you to view a wide range of reports in just a few clicks. It is available for a 60-day free trial.



About The Author
Abhinav Sethi

Senior Writer at Stellar with 7 Years of Experience
