ENow Blog | M365 - Exchange Online Center

Auditing and Reporting for Office 365

Written by Nathan O'Bryan MCSM | May 10, 2016 7:30:38 PM
Moving to Office 365 means a pretty big adjustment. Administrators who were used to doing things one way are going to have to make adjustments as their organizations migrate their infrastructure into Office 365. One of the areas where new Office 365 administrators often feel most in the dark is changes in their environment.

I recently did a webinar for ENow. The webinar was mostly demos of PowerShell commands you can use to get auditing and reporting data in your Office 365 tenant. In this blog post, I’m going to focus on providing those PowerShell commands so that you can follow along in your Office 365 tenant.

I’ve divided this blog post up into sections. Each section focuses on a series of related tasks you can accomplish with PowerShell commands in your Office 365 tenant.

Enabling Mailbox Auditing

Mailbox auditing is not turned on by default in Office 365. The first thing we’re going to want to know is the status of mailbox auditing for our mailboxes. Once you understand whose mailbox is being audited for what, turning on mailbox auditing takes a single Set-Mailbox command. Through the use of the pipeline, Get-Mailbox can be used to turn on mailbox auditing for all mailboxes.

Get-Mailbox Nathan | Format-List Audit*

Get-Mailbox Nathan | Select -ExpandProperty AuditAdmin

Get-Mailbox Nathan | Select -ExpandProperty AuditOwner

Get-Mailbox Nathan | Select -ExpandProperty AuditDelegate

Get-Mailbox | Format-Table Name, AuditEnabled -AutoSize

Get-Mailbox | Where-Object {$_.AuditEnabled -Eq "True"} | Format-Table Name, AuditEnabled -AutoSize

Get-Mailbox | Where-Object {$_.AuditEnabled -Ne "True"} | Format-Table Name, AuditEnabled -AutoSize

Set-Mailbox -Identity Joe -AuditEnabled $True

Get-Mailbox | Where-Object {$_.AuditEnabled -Ne "True"} | Set-Mailbox -AuditEnabled $True

Configuring Mailbox Auditing

Once you have mailbox auditing turned on, there is still some configuration to do. A list of the default items that are audited can be found on TechNet, but you can change those settings to match your organization’s needs.

Additionally, you can control the length of time audit items are retained. Items can be kept for a maximum time of nearly 68 years. It’s important to remember that those audit items are stored in the user’s mailbox, and will count against their mailbox size limit. If you need to free up space, setting the retention period to a shorter (or zero) retention time and forcing the managed folder assistant to run on that mailbox will free up space immediately.

Set-Mailbox -Identity Joe -AuditAdmin None -AuditDelegate None -AuditOwner None

Get-Mailbox Joe | Format-List Audit*

Set-Mailbox -Identity Joe -AuditDelegate Create, FolderBind, HardDelete, Move, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update

Set-Mailbox -Identity Joe -AuditEnabled $False

Get-Mailbox Joe | Format-List Audit*

Set-Mailbox Joe -AuditLogAgeLimit 24855.03:14:07

Get-Mailbox Joe | Format-List Audit*

Get-MailboxFolderStatistics Nathan | Where-Object {$_.Name -eq "Audits"} | Format-Table Name, ItemsInFolder, FolderSize -AutoSize

Set-Mailbox Joe -AuditLogAgeLimit 00:00:00

Start-ManagedFolderAssistant Joe

Get-MailboxFolderStatistics Joe | Where-Object {$_.Name -eq "Audits"} | Format-Table Name, ItemsInFolder, FolderSize -AutoSize
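
The settings shown in the two sections above can be checked across many mailboxes at once. The following is an added example, not code from the webinar or the original post: the function name Test-MailboxAuditBaseline, the required delegate actions and the 90-day minimum are assumptions to adjust to your own policy, and the sample mailboxes are constructed so the script runs without a tenant connection.

```powershell
# Added example: report mailboxes whose audit settings fall short of a baseline.
# The default baseline values below are assumptions, not Microsoft guidance.
function Test-MailboxAuditBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [string[]] $RequiredDelegate = @('HardDelete', 'SoftDelete', 'MoveToDeletedItems', 'SendAs', 'SendOnBehalf'),
        [timespan] $MinAge = [timespan]::FromDays(90)
    )
    process {
        $findings = @()

        # Compare as text so a Boolean and the string 'True' are treated alike.
        if ("$($Mailbox.AuditEnabled)" -ne 'True') { $findings += 'AuditEnabled is not True' }

        # -notcontains is case-insensitive, so 'sendas' and 'SendAs' both match.
        $missing = @($RequiredDelegate | Where-Object { @($Mailbox.AuditDelegate) -notcontains $_ })
        if ($missing.Count -gt 0) { $findings += "AuditDelegate missing: $($missing -join ', ')" }

        # AuditLogAgeLimit uses the d.hh:mm:ss form, e.g. 90.00:00:00.
        $age = [timespan]::Zero
        if (-not [timespan]::TryParse([string]$Mailbox.AuditLogAgeLimit, [ref]$age)) {
            $findings += 'AuditLogAgeLimit unreadable'
        } elseif ($age -lt $MinAge) {
            $findings += "AuditLogAgeLimit $age is below $MinAge"
        }

        [pscustomobject]@{
            Name      = $Mailbox.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample objects standing in for Get-Mailbox output.
$sample = @(
    [pscustomobject]@{ Name = 'Nathan'; AuditEnabled = $true; AuditLogAgeLimit = '90.00:00:00'
        AuditDelegate = @('Update', 'SoftDelete', 'HardDelete', 'SendAs', 'SendOnBehalf', 'MoveToDeletedItems') }
    [pscustomobject]@{ Name = 'Joe'; AuditEnabled = $false; AuditLogAgeLimit = '00:00:00'
        AuditDelegate = @() }
)
$sample | Test-MailboxAuditBaseline | Format-Table -AutoSize -Wrap

# Against a tenant: Get-Mailbox -ResultSize Unlimited | Test-MailboxAuditBaseline
```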

Searching the Mailbox Audit Log

Enabling and configuring auditing is how you get data into your mailbox audit log, but eventually you’re going to want to get data out too. PowerShell allows you to configure some pretty powerful mailbox audit log searches. If you need to know who deleted what, and when they did it, the answer is only a single command away.

Search-MailboxAuditLog Nathan -ShowDetails

Search-MailboxAuditLog Nathan -ShowDetails -ResultSize 10 | Format-Table Operation, OperationResult, LogonType, LastAccessed -AutoSize

Search-MailboxAuditLog Nathan -ShowDetails -StartDate 04/10/2016 -EndDate 04/12/2016 | Where-Object {($_.Operation -Eq "MoveToDeletedItems" -Or $_.Operation -Eq "HardDelete" -Or $_.Operation -Eq "SoftDelete") -And $_.FolderPathName -Eq "\Inbox"} | Format-Table Operation, OperationResult, LogonType, LastAccessed, FolderPathName, SourceItemSubjectsList -AutoSize

New-MailboxAuditLogSearch -Name "Demo Search Mailbox" -Mailboxes Nathan -ShowDetails -LogonTypes Delegate -StartDate 4/6/2016 -EndDate 4/7/2016 -StatusMailRecipients Nathan@MCSMLab.com

Get-AuditLogSearch

Get-AdminAuditLogConfig

Search-AdminAuditLog -Cmdlets Set-* | Format-Table CmdletName, Caller, RunDate, Succeeded -AutoSize

Search-AdminAuditLog -StartDate 04/01/2016 -EndDate 04/10/2016 -ExternalAccess $True | Out-GridView

Search-AdminAuditLog -StartDate 04/01/2016 -EndDate 04/10/2016 -ExternalAccess $True | Sort CmdletName | Group CmdletName | Format-Table Count, Name

New-AdminAuditLogSearch -Name "Demo Search Admin" -StartDate 1/1/2016 -EndDate 4/7/2016 -Cmdlets Set-Mailbox -Parameters UseDatabaseQuotaDefaults, ProhibitSendReceiveQuota -StatusMailRecipients Nathan@MCSMLab.com

Get-AuditLogSearch

Searching the Unified Audit Log

Office 365 is more than just Exchange. While SharePoint and OneDrive for Business are not themselves able to provide the level of auditing you can find in Exchange, Microsoft has enabled a unified audit log based on Exchange that has the ability to audit actions against files stored in SharePoint and OneDrive for Business sites.

The unified audit log must be enabled from the Office 365 Security & Compliance center, but once that is done you’ll have access to all kinds of information about what is going on with your files within Office 365.

Search-UnifiedAuditLog -StartDate 4/1/2016 -EndDate 4/10/2016 -RecordType SharePointFileOperation -ResultSize 1

$Output = Search-UnifiedAuditLog -StartDate 4/1/2016 -EndDate 4/10/2016 -RecordType SharePointFileOperation -ResultSize 1

$Results = ConvertFrom-Json -InputObject $Output.AuditData

$Results

Search-UnifiedAuditLog -StartDate 4/1/2016 -EndDate 4/10/2016 -RecordType SharePointFileOperation -ObjectIds "5-4 Auditing and Reporting for Office 365.pptx" | Where-Object {$_.Operations -Eq "FileModified"} | Format-Table UserIds, Operations, CreationDate -AutoSize

Search-UnifiedAuditLog -StartDate 4/1/2016 -EndDate 4/10/2016 -RecordType AzureActiveDirectory | Format-Table CreationDate, Operations, UserIds -AutoSize

Search-UnifiedAuditLog -StartDate 4/1/2016 -EndDate 4/10/2016 -RecordType AzureActiveDirectoryAccountLogon | Format-Table CreationDate, Operations, UserIds -AutoSize
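
The ConvertFrom-Json call above handles the single record that -ResultSize 1 returns. As an added example (not from the original post), the function below expands AuditData for any number of records and skips entries whose JSON does not parse; the function name Expand-AuditData, the example.sharepoint.com URLs and the sample records are constructed for illustration.

```powershell
# Added example: flatten the AuditData JSON of each unified audit log record.
function Expand-AuditData {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        try {
            $data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop
        } catch {
            # A damaged record should not abort the whole report.
            Write-Warning "Skipping record with unparseable AuditData: $($_.Exception.Message)"
            return
        }
        [pscustomobject]@{
            CreationTime = $data.CreationTime
            UserId       = $data.UserId
            Operation    = $data.Operation
            Workload     = $data.Workload
            ObjectId     = $data.ObjectId
            ClientIP     = $data.ClientIP
        }
    }
}

# Constructed sample records standing in for Search-UnifiedAuditLog output.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2016-04-05T17:02:11","Operation":"FileModified","UserId":"nathan@mcsmlab.com","Workload":"SharePoint","ObjectId":"https://example.sharepoint.com/Shared Documents/Deck.pptx","ClientIP":"203.0.113.10"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2016-04-05T17:09:40","Operation":"FileModified","UserId":"nathan@mcsmlab.com","Workload":"SharePoint","ObjectId":"https://example.sharepoint.com/Shared Documents/Deck.pptx","ClientIP":"203.0.113.10"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2016-04-06T09:15:02","Operation":"FileDownloaded","UserId":"joe@mcsmlab.com","Workload":"OneDrive","ObjectId":"https://example.sharepoint.com/personal/joe/Documents/Budget.xlsx","ClientIP":"198.51.100.7"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2016-04-06T' }   # truncated on purpose
)

$expanded = $sample | Expand-AuditData

# Who did what, and how often.
$expanded | Group-Object UserId, Operation | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Against a tenant:
# Search-UnifiedAuditLog -StartDate 4/1/2016 -EndDate 4/10/2016 -RecordType SharePointFileOperation | Expand-AuditData
```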

The Reporting Web Service

The Office 365 Reporting web service is a set of canned reports that can give you different sets of usage information for your Office 365 tenant, for example if you need to figure out how much spam your organization is receiving, or how your Skype for Business conference service is being used.

There are web-based reports available. You can find a list of them on MSDN. Below I have a list of PowerShell commands that you can use within an Exchange Online PowerShell session to gather usage information about your Office 365 tenant.

Get-MxRecordReport -Domain mcsmlab.com

Get-OutboundConnectorReport -Domain mcsmlab.com

Get-MessageTrace -SenderAddress nathan@mcsmlab.com -StartDate 05/2/2016 -EndDate 05/4

Get-MailTrafficSummaryReport -Category TopMailSender -StartDate 01/1/2016 -EndDate 01/30/2016

Get-MailTrafficSummaryReport -Category TopSpamRecipient -StartDate 01/1/2016 -EndDate 01/30/2016

Get-StaleMailboxDetailReport | Sort username -Unique | Format-Table TenantName, UserName, WindowsLiveID, LastLogin, DaysInactive

Get-ConnectionByClientTypeDetailReport -StartDate 04/1/2016 -EndDate 04/10/2016

Get-CsConferenceReport -ReportType Monthly -StartDate 01/01/2016 -EndDate 01/31/2016

Get-CsAVConferenceTimeReport -ReportType Monthly -StartDate 01/01/2016 -EndDate 01/31/2016

Security & Compliance Center

Microsoft has recently added the Security & Compliance Center to Office 365. This is a portal that is intended to give administrators a central place for security and compliance functionality across all the Office 365 applications. While that goal has not yet been met, there is still good reporting information available here.

The Security & Compliance Center has its own separate PowerShell connection URI. You can find instructions for how to connect to this PowerShell URI in TechNet.

Get-Command -Module tmp_vjigxxwl.faa

Get-DeviceConfigurationPolicy | Format-Table Name, CreatedBy, DistributionStatus

Get-HoldCompliancePolicy

Get-eDiscoveryCaseAdmin

Get-ComplianceSearch | Format-Table

Get-ComplianceSearch -Identity "Test Search" | Format-Table Name, CreatedTime, Items, Size

Get-ComplianceSearch -Identity "Specific Job" | Format-Table Name, CreatedTime, Items, Size

New-ComplianceSearchAction -SearchName "Specific Job" -Purge -PurgeType SoftDelete

Get-ComplianceSearchAction | Format-Table SearchName, JobStartTime, JobProgress, Status

Wrapping it up

Of course, the ways in which you can use PowerShell to gather information about your Office 365 tenant and what is going on there are nearly infinite. Flexibility is PowerShell’s greatest strength. Hopefully this blog post, and the associated webinar, give you a good start down the road of figuring out how to meet your organization’s auditing and reporting needs in Office 365 with PowerShell. If you have any questions, feel free to post them below or reach out to me on Twitter @MCSMLab.