Check mailbox auditing status in Exchange Online with PowerShell

Office 365 offers several health check and compliance items that help ensure your organization meets its compliance controls and standards. Microsoft provides PowerShell modules to connect to and interact with Office 365 services such as Exchange Online, Office 365, SharePoint Online, and so on. One task for Office 365 Exchange Online administrators is to ensure that every mailbox created in Office 365 has auditing enabled. If mailbox auditing is disabled for a mailbox, the auditing data will not be available. In this article, we provide a PowerShell script that checks how many mailboxes do not have auditing enabled in Office 365 Exchange Online.

PowerShell script requirements

Before executing the PowerShell script explained in a later section of this article, install the Exchange Online module with "Install-Module ExchangeOnlineManagement" and make sure you have global administrator access so that the script can connect and retrieve the required data. Also create the C:\Temp\Data folder on the computer where you run the script. The Data folder will hold the CSV file that contains the mailbox data.

What does this PowerShell script do?

The PowerShell script provided in this article performs the following operations:

  • Imports the PowerShell modules required to connect to Office 365 Exchange Online.
  • Provides login prompt to connect to Exchange Online.
  • Collects mailbox items from Office 365.
  • Checks total mailboxes and how many mailboxes have not been enabled with auditing.
  • Provides a data file that contains the list of mailboxes that do not have auditing enabled.
  • Provides the percentage of mailboxes that do not have auditing enabled.
  • Provides severity based on the percentage score.

PowerShell script for checking mailbox auditing status

Executing the PowerShell script generates a report in CSV format. The report file can be found at C:\Temp\TestResult.CSV and the data file can be found under the C:\Temp\Data folder. You need to provide your Office 365 credentials when the script prompts you to connect.

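# Output locations used in this article
$TestCSVFile = "C:\Temp\TestResult.CSV"
$DataFileLocation = "C:\Temp\Data\EXCH_Data.CSV"

# Load the Exchange Online module and prompt for Office 365 credentials
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Start with a fresh report file and write the header row
Remove-Item $TestCSVFile -ErrorAction SilentlyContinue
$ThisString="Total Mailbox, Total Mailbox Auditing Enabled, Total Mailbox Without Mailbox Auditing, Percentage, Data File"
Add-Content "$TestCSVFile" $ThisString
Remove-Item $DataFileLocation -ErrorAction SilentlyContinue

# Query user mailboxes once; -ResultSize Unlimited avoids the default 1000-result limit
$AllItems = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Select-Object Name, Database, AuditEnabled, RecipientTypeDetails)
$AllItemsCount = $AllItems.Count
$TotPercentage = 0
$TotNotItems = @($AllItems | Where-Object {$_.AuditEnabled -eq $false})
$TotNotCount = $TotNotItems.Count
$TotYesItems = @($AllItems | Where-Object {$_.AuditEnabled -eq $true})
$TotYesCount = $TotYesItems.Count

# Percentage of mailboxes without auditing (skipped when no mailboxes were returned)
IF ($AllItemsCount -gt 0) { $TotPercentage = [math]::Round(($TotNotCount / $AllItemsCount) * 100) }

# Write the summary row and the list of mailboxes without auditing
$ValSTR = $AllItemsCount.ToString()+","+$TotYesCount.ToString()+","+$TotNotCount.ToString()+","+$TotPercentage.ToString()+","+$DataFileLocation
Add-Content "$TestCSVFile" $ValSTR
$TotNotItems | Export-CSV $DataFileLocation -NoTypeInformation

# Severity based on the percentage score
$SumVal = ""
$TestText = ""
IF ($TotNotCount -ne 0)
{
    IF ($TotPercentage -gt 15)
    {
        $TestText="HIGH ISSUE"
    }
    # The listing in this article shows no label for 15 percent or less; $TestText stays empty in that case.
}
ELSE
{
    $TestText = "PASSED ITEMS"
}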

Once this PowerShell script has finished executing, you will see two CSV files: C:\Temp\TestResult.CSV and C:\Temp\Data\EXCH_Data.CSV. The C:\Temp\TestResult.CSV file contains the overall status of the mailbox items that the script retrieved, and the C:\Temp\Data\EXCH_Data.CSV file contains the details of the mailboxes that do not have mailbox auditing enabled. As you can see in the screenshot below, which is taken from O365 IT Health & Risk Scanner, after executing the PowerShell script it lists the total mailboxes in Office 365 Exchange Online, total mailboxes that have auditing enabled, and total mailboxes that do not have auditing enabled.

If you open the C:\Temp\Data\EXCH_Data.CSV file, you can see the mailboxes that do not have auditing enabled, as shown in the screenshot below:

As you can see in the above screenshot, User1, User2, and User3 do not have mailbox auditing enabled, and this needs to be addressed ASAP. You may have noticed that, since auditing is not applicable to mailboxes other than UserMailbox, the script did not count those mailboxes in the C:\Temp\TestResult.CSV file.
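One way to follow up on the data file, as an added example that is not part of the original script or of O365 IT Health & Risk Scanner: it turns the exported rows into a remediation list and previews the change with -WhatIf. The helper name Get-AuditRemediationPlan and the sample rows are assumptions made for illustration; the sample is used only when C:\Temp\Data\EXCH_Data.CSV is absent.

```powershell
# Constructed sample rows in the shape of C:\Temp\Data\EXCH_Data.CSV (not real tenant data)
$SampleCsv = @'
"Name","Database","AuditEnabled","RecipientTypeDetails"
"User1","DB01","False","UserMailbox"
"User2","DB01","False","UserMailbox"
"Room1","DB02","False","RoomMailbox"
"User4","DB02","True","UserMailbox"
'@

# Hypothetical helper: returns one row per user mailbox that still needs auditing enabled
function Get-AuditRemediationPlan {
    param([Parameter(Mandatory)] [object[]] $Rows)
    foreach ($Row in $Rows) {
        # CSV import turns every value into a string, and the string "False" is
        # truthy in an if statement, so parse it into a real boolean first.
        $Enabled = [bool]::Parse($Row.AuditEnabled)
        if ($Row.RecipientTypeDetails -eq 'UserMailbox' -and -not $Enabled) {
            [pscustomobject]@{ Identity = $Row.Name; Type = $Row.RecipientTypeDetails }
        }
    }
}

# Use the real data file when it exists, otherwise fall back to the constructed sample
$DataFile = 'C:\Temp\Data\EXCH_Data.CSV'
$FromTenant = Test-Path $DataFile
$Rows = if ($FromTenant) { @(Import-Csv $DataFile) } else { @($SampleCsv | ConvertFrom-Csv) }
$Plan = @(Get-AuditRemediationPlan -Rows $Rows)

# Set-Mailbox exists only in a connected Exchange Online session
$Connected = [bool](Get-Command Set-Mailbox -ErrorAction SilentlyContinue)
foreach ($Item in $Plan) {
    if ($FromTenant -and $Connected) {
        # -WhatIf only previews the change; drop it after reviewing the output.
        # The export carries Name only, which can be ambiguous as an identity.
        Set-Mailbox -Identity $Item.Identity -AuditEnabled $true -WhatIf
    }
    else {
        Write-Output "Would enable auditing on: $($Item.Identity)"
    }
}
```

Running Get-OrganizationConfig | Format-List AuditDisabled shows whether mailbox auditing is on at the organization level, which is worth checking alongside the per-mailbox AuditEnabled flag.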

The above script was retrieved from O365 IT Health & Risk Scanner, which can perform about 97 checks in Office 365 to ensure your Office 365 services are healthy and your organization is meeting the compliance standards.


Nirmal Sharma

Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites.
