Introduction: Why Audit Logging Matters in Exchange 365

If you can't see who accessed what, when, and from where, incident response becomes guesswork. Audit logging eliminates that blind spot — giving your organization the visibility it needs to detect unauthorized access, investigate security breaches, and satisfy regulatory compliance requirements across Microsoft 365.

Microsoft 365 delivers audit visibility through two complementary layers: unified audit logging, which captures organization-wide activity across services, and mailbox auditing, which zeroes in on mailbox-level actions like message access, deletions, and permission changes. Mailbox audit logging is turned on by default in all Microsoft 365 organizations [1], but SMB tenants running Business Basic, Standard, or Premium licenses must manually enable unified audit logging [2].

This article walks you through verifying and enabling audit logging, understanding default mailbox audit actions, customizing those actions, configuring retention policies, and searching and exporting audit logs.

Prerequisites: Licensing, Roles, and Tools

Before diving into configuration, confirm that your organization meets the licensing, role, and tooling requirements below.

Licensing Tiers

Microsoft offers two auditing tiers:

  • Audit (Standard): Included with E3 and E1 licenses. Retains audit logs for 180 days — a change from the previous 90-day default that took effect on October 17, 2023 [3].
  • Audit (Premium): Requires an E5 license or the Microsoft Purview Suite / E5 eDiscovery and Audit add-on license. Retains Exchange, SharePoint, OneDrive, and Microsoft Entra ID records for one year by default [5], with custom policies extending retention up to 10 years when paired with the 10-year Audit Log Retention add-on license [5].

One point worth emphasizing: SMB licenses (Business Basic, Business Standard, Business Premium) and unmanaged free-trial tenants do not have auditing enabled by default. You must enable it manually [2].

Required Roles

  • Audit Logs role (Exchange Online): Required to enable or disable auditing. Assigned by default to the Compliance Management and Organization Management role groups [2].
  • View-Only Audit Logs or Audit Logs role: Required to search audit logs. Assigned by default to the Audit Reader and Audit Manager role groups [6].
  • Organization Configuration role (Microsoft Purview): Required to create or modify audit log retention policies [4].

Tools

Install the ExchangeOnlineManagement PowerShell module and connect to your tenant:

```powershell
Install-Module -Name ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # placeholder UPN
```

The module supports modern authentication and MFA [7].

Step 1: Verify and Enable Unified Audit Logging

Check Current Status

Start by confirming whether unified audit logging is already active. Run the following command in Exchange Online PowerShell:

```powershell
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
```

A value of True means auditing is enabled [2].

Next, verify that mailbox auditing is enabled at the organization level:

```powershell
Get-OrganizationConfig | Format-List AuditDisabled
```

A value of False confirms mailbox auditing is on [1].

Enable via PowerShell

If unified audit logging is not yet enabled, turn it on with:

```powershell
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
```

Allow up to 60 minutes for this change to take effect [2].
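The two checks and the enable step above combine naturally into one verification function. The following is an added example, not code from the original article; it assumes an existing Connect-ExchangeOnline session and uses the same cmdlets and properties already shown on this page (Set-OrganizationConfig -AuditDisabled appears in the pitfalls section). The function name Test-M365AuditPosture is an assumption of this example.

```powershell
# Added example (not from the original article): verify both audit layers in
# one pass and, optionally, enable whatever is found switched off.
# Assumes you are already connected with Connect-ExchangeOnline.

function Test-M365AuditPosture {
    [CmdletBinding()]
    param(
        # Report-only by default; pass -Remediate to fix what the function finds.
        [switch]$Remediate
    )

    $adminCfg = Get-AdminAuditLogConfig
    $orgCfg   = Get-OrganizationConfig

    $result = [pscustomobject]@{
        UnifiedAuditLogIngestionEnabled = [bool]$adminCfg.UnifiedAuditLogIngestionEnabled
        MailboxAuditingEnabledOrgWide   = -not [bool]$orgCfg.AuditDisabled
        RemediationApplied              = $false
    }

    if (-not $result.UnifiedAuditLogIngestionEnabled) {
        Write-Warning 'Unified audit log ingestion is disabled: the Management Activity API and Sentinel have nothing to read.'
        if ($Remediate) {
            Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
            $result.RemediationApplied = $true
            Write-Warning 'Ingestion enabled; allow up to 60 minutes before expecting records.'
        }
    }

    if (-not $result.MailboxAuditingEnabledOrgWide) {
        # AuditDisabled = $true overrides every per-mailbox setting, so this is
        # the single most damaging flag a review can miss.
        Write-Warning 'Mailbox auditing is disabled org-wide (Set-OrganizationConfig -AuditDisabled $true).'
        if ($Remediate) {
            Set-OrganizationConfig -AuditDisabled $false
            $result.RemediationApplied = $true
        }
    }

    return $result
}

# Report-only run; add -Remediate to enable anything found disabled.
Test-M365AuditPosture | Format-List
```

Run it report-only first after tenant provisioning, then again with -Remediate once you have confirmed the findings; the returned object is easy to log or feed into a scheduled review job.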

Enable via the Microsoft Purview Portal

Navigate to the Audit solution card in the Microsoft Purview compliance portal and click the "Start recording user and admin activity" banner [2].

Important Warning

When auditing is turned off, neither the Office 365 Management Activity API nor Microsoft Sentinel can access auditing data for your organization [2]. Make sure auditing is active before configuring any downstream SIEM integrations — otherwise, those integrations will have nothing to pull from.

Step 2: Understand Default Mailbox Audit Actions and Sign-In Types

Mailbox auditing in Exchange Online classifies every action by one of three sign-in types [1]:

  • Owner: The mailbox holder accessing their own mailbox
  • Delegate: A user with SendAs, SendOnBehalf, or FullAccess permissions on the mailbox
  • Admin: An administrator accessing the mailbox via eDiscovery, MAPI Editor, or ApplicationImpersonation

Supported Mailbox Types

Mailbox auditing covers User mailboxes, Shared mailboxes, and Microsoft 365 Group mailboxes. Public folder mailboxes and Resource mailboxes are not supported [1].

Default Audited Actions

Microsoft audits a predefined set of actions for each sign-in type. Here are the key defaults:

  • Owner: ApplyRecord, AttachmentAccess, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules [1].
  • Admin: All Owner actions plus Create, SendAs, and SendOnBehalf [1].
  • Delegate: ApplyRecord, AttachmentAccess, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules [1].

Microsoft 365 Group mailbox actions are limited to a fixed set — Create, HardDelete, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, and Update — and cannot be customized [1].

One benefit of sticking with defaults: when Microsoft releases a new mailbox action, it may be automatically added to the default audited list [1]. Your audit coverage improves over time without manual intervention — as long as you haven't overridden the defaults.

Step 3: Customize Mailbox Audit Actions

Adding or Removing Audited Actions

Use the Set-Mailbox cmdlet with the -AuditAdmin, -AuditDelegate, or -AuditOwner parameters to control which actions are logged per sign-in type [1]:

```powershell
# Add MailboxLogin and Create to the Owner action set (Create is the valid action name; there is no CreateItem action)
Set-Mailbox -Identity user@contoso.com -AuditOwner @{Add='MailboxLogin','Create'}
# Remove SoftDelete from the Delegate action set
Set-Mailbox -Identity user@contoso.com -AuditDelegate @{Remove='SoftDelete'}
```

The Customization Trade-Off

Here's the catch: customizing removes Microsoft's automatic management for the modified sign-in type. New actions released by Microsoft will no longer be auto-added to your customized list [1]. Weigh this trade-off carefully before overriding defaults.

To restore Microsoft-managed defaults after customization:

```powershell
Set-Mailbox -Identity user@contoso.com -DefaultAuditSet Admin,Delegate,Owner
```

This re-enables automatic updates for all three sign-in types [1].

Enable SearchQueryInitiated

The SearchQueryInitiated event — which tracks what users search for in Exchange and SharePoint — is not enabled by default. You need to enable it explicitly per user [6]:

```powershell
Set-Mailbox -Identity user@contoso.com -AuditOwner @{Add='SearchQueryInitiated'}
```

This is particularly valuable for monitoring executive and legal team mailboxes, where search activity can surface early indicators of insider threats or data exfiltration.

Audit Bypass for Service Accounts

To exclude specific service accounts from logging, use:

```powershell
Set-MailboxAuditBypassAssociation -Identity svc-account@contoso.com -AuditBypassEnabled $true
```

When enabled, all mailbox actions by that user are suppressed from audit logs, regardless of where the actions occur [1]. Use this sparingly and document every bypass for compliance purposes — an undocumented bypass is a blind spot waiting to be exploited.
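The three settings discussed in this step (customized action sets that drop Microsoft's automatic management, SearchQueryInitiated on key mailboxes, and audit bypass associations) are exactly the things that drift silently. The following is an added example, not code from the original article, that reports all of them in one pass. It assumes an existing Connect-ExchangeOnline session; the function name Get-MailboxAuditDrift and the $KeyUsers list are constructed for this example.

```powershell
# Added example (not from the original article): report mailbox audit
# configuration drift. Assumes an existing Connect-ExchangeOnline session.
# $KeyUsers is a constructed sample list; replace it with the executive and
# legal mailboxes you actually monitor.

function Get-MailboxAuditDrift {
    [CmdletBinding()]
    param(
        [string[]]$KeyUsers = @('ceo@contoso.com', 'legal@contoso.com'),  # constructed sample
        # Restore Microsoft-managed defaults on customized mailboxes instead of only reporting them.
        [switch]$RestoreDefaults
    )

    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

    # 1. Mailboxes with auditing switched off individually.
    $auditOff = $mailboxes | Where-Object { -not $_.AuditEnabled } |
        Select-Object -ExpandProperty UserPrincipalName

    # 2. A DefaultAuditSet that no longer lists all three sign-in types means the
    #    mailbox was customized, so new Microsoft actions stop being auto-added.
    $customized = $mailboxes | Where-Object { $_.AuditEnabled -and @($_.DefaultAuditSet).Count -lt 3 }
    if ($RestoreDefaults) {
        foreach ($mbx in $customized) {
            Set-Mailbox -Identity $mbx.UserPrincipalName -DefaultAuditSet Admin,Delegate,Owner
        }
    }

    # 3. Key users whose Owner action set lacks SearchQueryInitiated (off by default).
    $missingSearch = $mailboxes |
        Where-Object { $_.UserPrincipalName -in $KeyUsers -and $_.AuditOwner -notcontains 'SearchQueryInitiated' } |
        Select-Object -ExpandProperty UserPrincipalName

    # 4. Every active bypass; each one should map to a documented service account.
    $bypasses = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
        Where-Object { $_.AuditBypassEnabled } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        AuditDisabledMailboxes     = @($auditOff)
        CustomizedAuditSets        = @($customized | Select-Object UserPrincipalName, DefaultAuditSet)
        KeyUsersMissingSearchQuery = @($missingSearch)
        ActiveBypasses             = @($bypasses)
        DefaultsRestored           = [bool]$RestoreDefaults
    }
}

# Report only; add -RestoreDefaults to put customized mailboxes back under Microsoft management.
$report = Get-MailboxAuditDrift
$report | Format-List
```

Treat every entry in ActiveBypasses as something that must be traceable to a change record. If you use -RestoreDefaults, re-run the report afterwards: restoring the Microsoft-managed set replaces the Owner action list, so check that SearchQueryInitiated is still present on the key mailboxes that need it.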

Step 4: Configure Audit Log Retention Policies

Default Retention

  • Audit (Standard): 180 days [3].
  • Audit (Premium): One year for Exchange, SharePoint, OneDrive, and Microsoft Entra ID records [4].

Custom Retention Policies

Organizations with Audit (Premium) can create custom retention policies in Microsoft Purview to retain specific record types for longer periods — up to 10 years with the 10-year Audit Log Retention add-on license [5].

Key details to keep in mind:

  • Organizations can create up to 50 audit log retention policies [4].
  • Custom policies override the default policy using a numerical priority system, where 1 is the highest priority and 10000 is the lowest [4].
  • 10-year retention is not retroactive — it only applies to logs generated after the policy is created [5].
  • Creating or modifying retention policies requires the Organization Configuration role in Microsoft Purview [4].

Example: Create a Custom Retention Policy

In the Microsoft Purview portal, navigate to Audit > Audit retention policies and create a new policy specifying the record type, duration, and priority. Assign a lower priority number to ensure your custom policy takes precedence over the default.
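The same policy can be created from Security & Compliance PowerShell, which makes the priority and record type explicit and reviewable. The following is an added example, not code from the original article; it assumes the tenant holds Audit (Premium) plus the 10-year add-on license, that you connect with Connect-IPPSSession from the ExchangeOnlineManagement module, and it uses the New-UnifiedAuditLogRetentionPolicy cmdlet. The policy name, description, and priority value are constructed placeholders.

```powershell
# Added example (not from the original article): create an audit log retention
# policy from Security & Compliance PowerShell. Assumes Audit (Premium) and the
# 10-year Audit Log Retention add-on; the UPN and policy values are placeholders.
Connect-IPPSSession -UserPrincipalName admin@contoso.com   # placeholder UPN

# Keep Exchange mailbox item records (HardDelete, MailItemsAccessed, and so on)
# for ten years. Only records generated after the policy exists are covered.
$params = @{
    Name              = 'Exchange mailbox items - 10 years'        # constructed name
    Description       = 'Long-term retention of ExchangeItem records for forensic investigations'
    RecordTypes       = 'ExchangeItem'
    RetentionDuration = 'TenYears'   # other values: SixMonths, NineMonths, OneYear, ThreeYears, FiveYears, SevenYears
    Priority          = 100          # lower number wins; 1 is highest, 10000 lowest
}
New-UnifiedAuditLogRetentionPolicy @params

# Confirm the policy exists and see how its priority sits against the others.
Get-UnifiedAuditLogRetentionPolicy | Sort-Object Priority |
    Format-Table Name, RecordTypes, RetentionDuration, Priority
```

Reviewing the sorted list is the quickest way to spot a custom policy that was given a higher number than an existing one and therefore never takes effect.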

Step 5: Search and Export Audit Logs

Search via the Purview Portal

Navigate to the Audit solution in the Microsoft Purview portal. Filter results by date range, specific activities, users, and record types [3]. This is the most straightforward approach for ad hoc investigations and one-off queries.

Search via PowerShell

For scripting and automation, turn to the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell [3]:

```powershell
Search-UnifiedAuditLog -StartDate "2026-03-01" -EndDate "2026-03-12" `
    -RecordType ExchangeItem -Operations HardDelete -UserIds user@contoso.com
```

PowerShell gives you more granular control than the portal and integrates cleanly into automated security workflows.
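The single call above returns at most 5,000 records, and the useful detail (client IP, logon type, affected items) is buried in the AuditData JSON string on each record. The following is an added example, not code from the original article, that pages through a full result set with a fixed SessionId and SessionCommand ReturnLargeSet, flattens the fields an investigator pivots on, and exports them to CSV. It assumes an existing Connect-ExchangeOnline session; the function name Export-UnifiedAuditRecords, the UPN, the dates, and the output path are placeholders.

```powershell
# Added example (not from the original article): page through all results of a
# Search-UnifiedAuditLog query, flatten AuditData, and export to CSV.
# Assumes an existing Connect-ExchangeOnline session.

function Export-UnifiedAuditRecords {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [string[]]$Operations = @('HardDelete', 'MailItemsAccessed'),
        [string[]]$UserIds,
        [Parameter(Mandatory)][string]$OutputCsv
    )

    # One SessionId ties the pages of a single query together; each call with
    # SessionCommand ReturnLargeSet hands back the next page of up to 5,000 records.
    $sessionId = [guid]::NewGuid().ToString()
    $all = [System.Collections.Generic.List[object]]::new()

    do {
        $searchParams = @{
            StartDate      = $StartDate
            EndDate        = $EndDate
            RecordType     = 'ExchangeItem'
            Operations     = $Operations
            SessionId      = $sessionId
            SessionCommand = 'ReturnLargeSet'
            ResultSize     = 5000
        }
        if ($UserIds) { $searchParams.UserIds = $UserIds }

        $page = @(Search-UnifiedAuditLog @searchParams)
        if ($page.Count -gt 0) { $all.AddRange($page) }
    } while ($page.Count -eq 5000)

    # AuditData is a JSON string; pull out the fields an investigation pivots on.
    $rows = foreach ($r in $all) {
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            CreationTime = $r.CreationDate
            Operation    = $r.Operations
            UserId       = $r.UserIds
            ClientIP     = $d.ClientIPAddress
            ClientInfo   = $d.ClientInfoString
            MailboxOwner = $d.MailboxOwnerUPN
            LogonType    = $d.LogonType            # 0 = Owner, 1 = Admin, 2 = Delegate
            Folder       = $d.Folder.Path          # present on item operations such as HardDelete
            ItemSubjects = ($d.AffectedItems | ForEach-Object { $_.Subject }) -join '; '
        }
    }

    # ReturnLargeSet does not guarantee chronological order across pages, so sort before writing.
    $rows | Sort-Object CreationTime | Export-Csv -Path $OutputCsv -NoTypeInformation
    return $rows.Count
}

# Placeholder dates, UPN, and path.
Export-UnifiedAuditRecords -StartDate '2026-03-01' -EndDate '2026-03-12' `
    -UserIds 'user@contoso.com' -OutputCsv '.\exchange-audit.csv'
```

Keep the date window narrow enough that the query stays under the 50,000-record ceiling of a single session; split larger investigations into several day-sized runs. A LogonType of 1 or 2 on a MailItemsAccessed record is the row to look at first, since it shows someone other than the owner reading the mailbox.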

Timing and Limits

  • Audit records for core services (Exchange, SharePoint, OneDrive, Teams) typically become available 60 to 90 minutes after an event occurs [3].
  • Each admin can run up to 10 concurrent search jobs, with a limit of one unfiltered search job. Completed jobs are retained for 30 days [3].
  • Export limits: Up to 50 KB for Audit (Standard) and up to 500 KB / 500,000 rows for Audit (Premium) [3].

Audit (Premium) Intelligent Insights

Audit (Premium) unlocks deeper visibility into when mail items were accessed, replied to, forwarded, and what users searched for in Exchange Online and SharePoint Online [5]. The MailItemsAccessed action is especially critical for forensic investigations, as it logs when mail data is accessed by mail protocols and clients [1].

Common Pitfalls and Best Practices

SMB tenants must manually enable auditing. Never assume auditing is active on Business Basic, Standard, or Premium licenses [2]. Verify immediately after tenant provisioning.

Cross-geo mailbox auditing is not supported. In multi-geo environments, if a user accesses a shared mailbox in a different geo location, those actions are not logged in the shared mailbox's audit log [1]. Factor this gap into your compliance planning early.

Never disable mailbox auditing org-wide unless absolutely necessary. Running Set-OrganizationConfig -AuditDisabled $true overrides individual mailbox settings and stops all mailbox action logging across the entire tenant [1].

Regularly verify auditing status. Build audit log verification into your security review cadence, especially after tenant migrations, license changes, or administrative turnover.

Use audit bypass sparingly. Reserve it for service accounts only, and document every bypass for compliance and audit readiness [1].

Enable SearchQueryInitiated for key users. Track search activity for executives, legal teams, and other high-value mailboxes to strengthen your forensic investigation capability [6].

Activate Audit (Premium) features for E5 users. Ensure the Microsoft 365 Advanced Auditing app is enabled in user license settings — Premium logging begins within 24 hours of enablement [6]. Organizations with Audit (Premium) also receive approximately twice the API bandwidth of Audit (Standard) organizations [5].

Conclusion: Maintaining a Robust Audit Trail

Setting up audit logging in Exchange 365 follows a clear path: verify that unified audit logging and mailbox auditing are enabled, understand the default actions audited for each sign-in type, customize actions where your organization demands it, configure retention policies to meet compliance obligations, and build fluency with searching and exporting logs.

But configuration is only the starting point. Revisit your settings as licensing changes, new compliance requirements emerge, or your organization's structure evolves. A well-configured audit trail is the foundation of incident response and regulatory compliance in Microsoft 365 — invest the time to get it right, and commit to maintaining it continuously.