GitBit
BlogFirst lesson
Sign Up

Question 9 of 9

Previous Question

Your organization has a Microsoft 365 tenant with a user named John Gruber. Multiple users have been granted read and manage (full access) to John Gruber's mailbox.

John Gruber found a few emails that were sent to him were marked as read and deleted before he had a chance to review them.

You've been asked to see who accessed and deleted the emails. You search the audit log in the Microsoft Defender admin center to see who read and deleted the emails but the audit logs are blank. So your manager has asked you to configure the audit logs so your can view who accessed the mailbox in the future.

What Exchange PowerShell commands do you need to run to verify you can see the audit logs in the future?

To enable Exchange auditing of a mailbox we'll need to use PowerShell.

1. Open PowerShell and connect to Exchange Online using Connect-ExchangeOnline.

2. Run the following command "Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets *Mailbox*"

3. Then run the following command "Set-OrganizationConfig -AuditDisabled $false"

You can also replace step 3 with the following: Set-Mailbox -Identity "User1 " -AuditDelegate @{Add="MailboxLogin"}

https://www.gitbit.org/course/ms-500/learn/Auditing-sign-ins-and-other-actions-in-Microsoft-365-sH_Ee1DW1

https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-audit/set-adminauditlogconfig?view=exchange-ps

https://docs.microsoft.com/en-us/microsoft-365/compliance/enable-mailbox-auditing?view=o365-worldwide

Did you like the site?