What Exchange PowerShell commands do you need to run to verify you can see the audit logs in the future?

Written by John Gruber Published on Last Updated on

Your organization has a Microsoft 365 tenant with a user named John Gruber. Multiple users have been granted read and manage (full access) to John Gruber's mailbox.

John Gruber found a few emails that were sent to him were marked as read and deleted before he had a chance to review them.

You've been asked to see who accessed and deleted the emails. You search the audit log in the Microsoft Defender admin center to see who read and deleted the emails but the audit logs are blank. So your manager has asked you to configure the audit logs so your can view who accessed the mailbox in the future.

What Exchange PowerShell commands do you need to run to verify you can see the audit logs in the future?

Enable-AuditLogs -Identity "John Gruber"

Set-Maibox -Identity "John Gruber" -AuditEnabled $true

Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets *Mailbox*

Set-AuditLogs -Identity "John Gruber" -Enabled $true

Click to show answer

To enable Exchange auditing of a mailbox we'll need to use PowerShell.

1. Open PowerShell and connect to Exchange Online using Connect-ExchangeOnline.

2. Run the following command "Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets *Mailbox*"

3. Then run the following command "Set-OrganizationConfig -AuditDisabled $false"

You can also replace step 3 with the following: Set-Mailbox -Identity "User1 " -AuditDelegate @{Add="MailboxLogin"}

https://www.gitbit.org/course/ms-500/learn/Auditing-sign-ins-and-other-actions-in-Microsoft-365-sH_Ee1DW1

< Previous Next > Skip Exam >>