How to run a Non-owner mailbox access report in Exchange server/Office365 for audit purposes.

First select the mailboxes you want to enable auditing.

Note: To run non-owner Mailbox access report . Auditing has to be enabled in advance to capture the behaviour of the user mailboxes.

Get-Mailbox *careexchange.in | Set-Mailbox -AuditEnabled:$true

Logging into EAC (Exchange Admin Center) – Compliance Management – Auditing

Click on Run a owner mailbox access report.

Choose the mailboxes you want to audit –

Click on Search. Now you can see if any unauthorised access has been made. it will be showing up .

In my case – Archiving server is using a impersonated account to pull all the email items from the mailboxes.

Now to export the same report you need to do few changes in attachment settings as report is generated in the form of XML which is blocked by default.

To see the Allowed Files list –

Get-OwaMailboxPolicy | Select-Object -ExpandProperty AllowedFileTypes | export-csv C:\Extensions.txt

To see the Blocked Files list –

Get-OwaMailboxPolicy | Select-Object -ExpandProperty BlockedFileTypes | export-csv C:\BlockedExtensions.txt

If export-csv doesn’t work After Allowedfiletypes use >C:\Extensions.txt

Opening the Blockedextensions.txt i could see the .xml

Checking Which is the OWA maibox policy assigned on the mailboxes where it needs to receive the report.

Get-CASMailbox Testuser* | Fl *owa*

Now i got the owamailboxpolicy name.

Adding the .xml in the allowed file types –

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes @{add='.xml'}

Removing the .xml from the allowed file types –

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -BlockedFileTypes @{remove='.xml'}

Now you can receive the Auditing report as below –

These logs are stored in the dumpster of the mailbox itself. so it will be archived after 90 days as a default retention limit.