Check mailbox auditing status in Exchange Online with PowerShell

There are several health check and compliance items that can be used in Office 365 to ensure your organization meets with the compliance controls and standards. Microsoft provides PowerShell modules to connect and interact with Office 365 services such as Exchange Online, Office 365, SharePoint Online, and so on. One of the items that Office 365 Exchange Online administrators need to do is to ensure all of the mailboxes created in Office 365 have auditing enabled. If mailbox auditing is disabled for a mailbox, the auditing data will not be available. In this article, we will provide a PowerShell script that can be used to check how many mailboxes do not have auditing enabled in Office 365 Exchange Online.

PowerShell script requirements

Before executing the PowerShell script explained in a later section of this article, please install Exchange Online modules by using the “Install-Module ExchangeOnline” and make sure you have global administrator access before the script can connect and retrieve the required data. Please also create C:\Temp\Data folder on the computer where you run the script. The Data folder will contain the CSV that contains the mailbox data.

What does this PowerShell script do?

The PowerShell script provided in this article performs the following operations:

  • Imports the PowerShell modules required to connect to Office 365 Exchange Online.
  • Provides login prompt to connect to Exchange Online.
  • Collects mailbox items from Office 365.
  • Checks total mailboxes and how many mailboxes have not been enabled with auditing.
  • Provides a data file that contains the list of mailboxes that do not have auditing enabled.
  • Provides the percentage of mailboxes that do not have auditing enabled.
  • Provides severity based on the percentage score.

PowerShell script for checking mailbox auditing status

Executing the PowerShell script will generate a report in CSV format. The report file can be found at C:\Temp\TestResult.CSV and the data file can be found under C:\Temp\Data folder. You need to provide the Office 365 connect credentials.

$CurrentLoc="C:\Temp\"
$UniqueTest="EXCH"
$TestCSVFile="C:\Temp\TestResult.CSV"
Remove-Item $TestCSVFile -ErrorAction SilentlyContinue
$ThisString="Total Mailbox, Total Mailbox Auditing Enabled, Total Mailbox Without Mailbox Auditing, Percentage, Data File"
Add-Content "$TestCSVFile" $ThisString
$DataFileLocation=$CurrentLoc+"\Data\"+$UniqueTest+"_DATA.CSV"
Remove-Item $DataFileLocation -ErrorAction SilentlyContinue
$AllItems = Get-Mailbox
$AllItemsCount = $AllItems.Count
$TotNot = 0
$TotYes = 0
$TotPercentage = 0
$TotNotItems = Get-Mailbox | Select-Object Name, Database, AuditEnabled,RecipientTypeDetails | Where-Object {$_.AuditEnabled -eq $false}
$TotNotCount = $TotNotItems.Name.Count
$TotYesItems = Get-Mailbox | Select-Object Name, Database, AuditEnabled,RecipientTypeDetails | Where-Object {$_.AuditEnabled -eq $true}
$TotYesCount = $TotYesItems.Name.Count
$TotNotCount
$TotYesCount
$TotPercentage=($TotNotCount/$AllItemsCount)*100
$ValSTR = $AllItemsCount.ToString()+","+$TotYesCount.ToString()+","+$TotNotCount.ToString()+","+$TotPercentage.ToString()+","+$DataFileLocation
Add-Content "$TestCSVFile" $ValSTR
$TotNotItems | Export-CSV $DataFileLocation -NoTypeInformation
IF ($TotNotCount -ne 0)
{
IF ($TotPercentage -gt 15)
{
$SumVal = ""
$TestStatus="High"
$TestText="HIGH ISSUE"
}
else
{
$SumVal = ""
$TestStatus="Medium"
$TestText="MEDIUM ISSUE"
}
}
else
{
$SumVal = ""
$TestStatus="Passed"
$TestText = "PASSED ITEMS"
}
$AllItemsCount
$TotYesCount
$TotNotCount
$TotPercentage
$TestStatus

Once this PowerShell script has finished executing, you will see two CSV files; C:\Temp\TestResult.CSV and C:\Temp\Data\EXCH_Data.CSV. The C:\Temp\TestResult.CSV contains the overall status of the mailbox items that it retrieved and C:\Temp\Data\EXCH_Data.CSV file contains the actual mailbox details that do not have the mailbox auditing enabled. As you can see in the screenshot below, which is taken from O365 IT Health & Risk Scanner, after executing the PowerShell script it lists the total mailboxes in Office 365 Exchange Online, total mailboxes that have auditing enabled, and total mailboxes that do not have auditing enabled.

mailbox auditing

If you open the C:\Temp\Data\EXCH_Data.CSV file you can actually see the mailboxes that do not have audited enabled as shown in the screenshot below:

As you can see in the above screenshot, User1, User2, and User3 do not have mailbox auditing enabled and it needs to be addressed ASAP. You must have noticed that since the auditing is not applicable for mailboxes other than usermailbox, it did not count those mailboxes in the C:\Temp\TestResult.CSV file.

The above script was retrieved from O365 IT Health & Risk Scanner, which can perform about 97 checks in Office 365 to ensure your Office 365 services are healthy and your organization is meeting the compliance standards.

Featured image: Pixabay

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top