Check mailbox auditing status in Exchange Online with PowerShell

There are several health check and compliance items that can be used in Office 365 to ensure your organization meets with the compliance controls and standards. Microsoft provides PowerShell modules to connect and interact with Office 365 services such as Exchange Online, Office 365, SharePoint Online, and so on. One of the items that Office 365 Exchange Online administrators need to do is to ensure all of the mailboxes created in Office 365 have auditing enabled. If mailbox auditing is disabled for a mailbox, the auditing data will not be available. In this article, we will provide a PowerShell script that can be used to check how many mailboxes do not have auditing enabled in Office 365 Exchange Online.

PowerShell script requirements

Before executing the PowerShell script explained in a later section of this article, please install Exchange Online modules by using the “Install-Module ExchangeOnline” and make sure you have global administrator access before the script can connect and retrieve the required data. Please also create C:\Temp\Data folder on the computer where you run the script. The Data folder will contain the CSV that contains the mailbox data.

What does this PowerShell script do?

The PowerShell script provided in this article performs the following operations:

  • Imports the PowerShell modules required to connect to Office 365 Exchange Online.
  • Provides login prompt to connect to Exchange Online.
  • Collects mailbox items from Office 365.
  • Checks total mailboxes and how many mailboxes have not been enabled with auditing.
  • Provides a data file that contains the list of mailboxes that do not have auditing enabled.
  • Provides the percentage of mailboxes that do not have auditing enabled.
  • Provides severity based on the percentage score.

PowerShell script for checking mailbox auditing status

Executing the PowerShell script will generate a report in CSV format. The report file can be found at C:\Temp\TestResult.CSV and the data file can be found under C:\Temp\Data folder. You need to provide the Office 365 connect credentials.

$CurrentLoc="C:\Temp\"
$UniqueTest="EXCH"
$TestCSVFile="C:\Temp\TestResult.CSV"
Remove-Item $TestCSVFile -ErrorAction SilentlyContinue
$ThisString="Total Mailbox, Total Mailbox Auditing Enabled, Total Mailbox Without Mailbox Auditing, Percentage, Data File"
Add-Content "$TestCSVFile" $ThisString
$DataFileLocation=$CurrentLoc+"\Data\"+$UniqueTest+"_DATA.CSV"
Remove-Item $DataFileLocation -ErrorAction SilentlyContinue
$AllItems = Get-Mailbox
$AllItemsCount = $AllItems.Count
$TotNot = 0
$TotYes = 0
$TotPercentage = 0
$TotNotItems = Get-Mailbox | Select-Object Name, Database, AuditEnabled,RecipientTypeDetails | Where-Object {$_.AuditEnabled -eq $false}
$TotNotCount = $TotNotItems.Name.Count
$TotYesItems = Get-Mailbox | Select-Object Name, Database, AuditEnabled,RecipientTypeDetails | Where-Object {$_.AuditEnabled -eq $true}
$TotYesCount = $TotYesItems.Name.Count
$TotNotCount
$TotYesCount
$TotPercentage=($TotNotCount/$AllItemsCount)*100
$ValSTR = $AllItemsCount.ToString()+","+$TotYesCount.ToString()+","+$TotNotCount.ToString()+","+$TotPercentage.ToString()+","+$DataFileLocation
Add-Content "$TestCSVFile" $ValSTR
$TotNotItems | Export-CSV $DataFileLocation -NoTypeInformation
IF ($TotNotCount -ne 0)
{
IF ($TotPercentage -gt 15)
{
$SumVal = ""
$TestStatus="High"
$TestText="HIGH ISSUE"
}
else
{
$SumVal = ""
$TestStatus="Medium"
$TestText="MEDIUM ISSUE"
}
}
else
{
$SumVal = ""
$TestStatus="Passed"
$TestText = "PASSED ITEMS"
}
$AllItemsCount
$TotYesCount
$TotNotCount
$TotPercentage
$TestStatus

Once this PowerShell script has finished executing, you will see two CSV files; C:\Temp\TestResult.CSV and C:\Temp\Data\EXCH_Data.CSV. The C:\Temp\TestResult.CSV contains the overall status of the mailbox items that it retrieved and C:\Temp\Data\EXCH_Data.CSV file contains the actual mailbox details that do not have the mailbox auditing enabled. As you can see in the screenshot below, which is taken from O365 IT Health & Risk Scanner, after executing the PowerShell script it lists the total mailboxes in Office 365 Exchange Online, total mailboxes that have auditing enabled, and total mailboxes that do not have auditing enabled.

If you open the C:\Temp\Data\EXCH_Data.CSV file you can actually see the mailboxes that do not have audited enabled as shown in the screenshot below:

As you can see in the above screenshot, User1, User2, and User3 do not have mailbox auditing enabled and it needs to be addressed ASAP. You must have noticed that since the auditing is not applicable for mailboxes other than usermailbox, it did not count those mailboxes in the C:\Temp\TestResult.CSV file.

The above script was retrieved from O365 IT Health & Risk Scanner, which can perform about 97 checks in Office 365 to ensure your Office 365 services are healthy and your organization is meeting the compliance standards.

Featured image: Pixabay

Nirmal Sharma

Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites.

Share
Published by
Nirmal Sharma

Recent Posts

Losing your edge? 7 free tools to keep you focused at work

Staying focused at work in an always-connected world is hard! Here’s how to use tech — and some free tools…

12 hours ago

What’s next in the evolution of biometrics and facial recognition technology?

Facial recognition technology has matured to the point of being reliable — for better or for worse. What does the…

16 hours ago

Locking down your Exchange server with cipher suites

Cipher suites are a set of algorithms you need to secure your environment, either by using SSL and TLS. Here’s…

19 hours ago

AI cyber risks: What to look out for when deploying AI technology

Artificial intelligence has greatly improved modern life. But businesses must recognize that AI cyber risks exist and take appropriate measures.

1 day ago

Review: Office 365 synchronizing and administration tool CiraSync

CiraSync offers an enterprise solution for syncing global address list contacts and calendars to smartphones and other mobile devices. Here’s…

2 days ago

HIPAA IT compliance: Privacy and security rules you must know

HIPAA is the mandatory health regulation that must be followed strictly. But if you’re an IT pro in the health-care…

2 days ago