Exchange Online

How to Monitor Mailbox Audit Bypass Events in Exchange Online

The mailbox audit bypass feature in Exchange Online allows you to exclude specific accounts from audit logging. This is particularly useful for trusted accounts that generate a high volume of logs through routine access. While it helps reduce audit log noise, excluding the wrong accounts can result in gaps when tracking important mailbox activities. This guide explains how to track and manage mailbox audit bypass events in Microsoft 365 to ensure complete visibility.

Identify Mailbox Audit Bypass Activity Using Exchange Online PowerShell

Microsoft 365 Permission Required

View-Only Audit Logs role Least Privilege

Global Admin Most Privilege

Connect to the Exchange Online PowerShell using the cmdlet below.
Windows PowerShell
```
 Connect-ExchangeOnline
```
Run the following cmdlet to retrieve mailbox audit bypass events in your Microsoft 365 environment.

 Windows PowerShell 
 Search -UnifiedAuditLog -StartDate "<MM/DD/YYYY>" -EndDate "<MM/DD/YYYY>" -Operations "Set-MailboxAuditBypassAssociation" |
ForEach-Object {
  $data = $_.AuditData | ConvertFrom-Json
  [pscustomobject]@{
 ModifiedAccount  = ($data.Parameters | Where { $_.Name -eq "Identity" }).Value
    AuditBypassEnabled = ($data.Parameters | Where { $_.Name -eq "AuditBypassEnabled" }).Value
    PerformedBy    = $data.UserId
    Operation     = $data.Operation
    Timestamp     = $data.CreationTime
  }
} | Format-Table -AutoSize

Replace the "<MM/DD/YYYY>" in StartDate and EndDate as per your requirement.

Identify Mailbox Audit Bypass Activity Using Exchange Online PowerShell

The output displays all mailboxes with the bypass audit setting configured to either true or false, along with details such as who performed the operation, and when it was performed, and more.

Track Mailbox Audit Bypass Events Using Microsoft Purview

Microsoft 365 Permission Required

View-Only Recipients role Least Privilege

Global Admin Most Privilege

Log in to the Microsoft Purview portal and navigate to the Solutions»Audit.
In the Activities – operation names field, enter Set-MailboxAuditBypassAssociation and under Record Types dropdown select ExchangeAdmin.
Set the Date and time range as per your requirement and hit Search to track audit bypass activities in Microsoft 365.

Track Mailbox Audit Bypass Events Using Microsoft Purview

Once the search is complete, you can view the results of mailbox audit bypass configuration activities in your tenant.

Simple & Quick
Export Mailbox Audit Bypass Changes Report Using AdminDroid

AdminDroid Permission Required Delegated

Any user with the report access delegated by the Super Admin.

Log in to the AdminDroid Microsoft 365 Reporter.
Navigate to the Mailboxes Allowed or Denied to Bypass Audit Logging report under Audit»Exchange»Mailbox Management»Bypass Audit Logging.
This report provides detailed insights into mailboxes that have been enabled or disabled for bypassing audit logging in Microsoft 365.
It includes information such as the admin who made the change, the target mailbox, the setting modification time, the updated parameters and more.

Export Mailbox Audit Bypass Changes Report Using AdminDroid

AdminDroid Exchange Online Reporter

Investigate Audit Bypassed Mailboxes in Exchange Online for Unauthorized Access

AdminDroid's Exchange Online auditing tool offers detailed insights into audit-bypassed mailboxes, which makes it easy to detect security gaps in Microsoft 365. This powerful tracking capability helps admins enforce strict auditing policies, prevent unauthorized mailbox activities, and maintain compliance.

Track Mailboxes with Owner Audit Enabled in Microsoft 365

Periodically monitor owner audit enabled mailboxes report to identify trusted accounts with high-volume usage, and consider bypassing audit logging for them to reduce log noise while maintaining effective oversight.

Get Alerts When Audit Logging is Bypassed or Revoked for a Mailbox

Get real-time alerts for changes to mailbox audit logging bypass settings using Admindroid's default alert template to tighten email security without the need for constant manual checks.

Visualize Exchange Online Mailbox Audit Settings

Use the mailbox settings dashboard to view audit settings across your tenant and verify that owner, admin, and delegate actions are properly logged to ensure compliance with organizational standards.

Audit Guest Access to User Mailboxes in Microsoft 365

Track guest access to user mailboxes, identify guest accounts with access to audit-bypassed mailboxes and maintain visibility to prevent unauthorized actions.

Identify Admin Audit Enabled Mailboxes in Exchange Online

Get a complete list of admin audit enabled mailboxes and evaluate if audit bypass can be safely applied to trusted admin accounts helping reduce excessive audit log entries without compromising audit integrity.

Stay Informed About Unified Audit Log Changes in Microsoft 365

Monitor unified audit log settings in Microsoft 365 to track when the setting is turned off and on again, and adjust the audit bypass settings if needed.

In conclusion, AdminDroid's Exchange Online management tool simplifies tracking users excluded from mailbox auditing. With advanced filtering, customization, and graphical insights, AdminDroid empowers admins to take proactive steps to enhance Microsoft 365 security.

Explore a full range of reporting options

Download Live Demo

Important Tips

Use EXOMailboxAuditBypassAssociation resource in your Microsoft365DSC to receive alerts and automatically detect any unauthorized changes to mailbox audit bypass settings.

Ensure to enable mailbox auditing for all users as recommended by Microsoft Secure Score insights to improve Exchange Online security.

Use a checklist to make mailbox auditing effective and help maintain security while reducing log noise in your Microsoft 365 organization.

Common Errors and Resolution Steps

Below are common errors and troubleshooting fixes that may occur while tracking and managing mailbox audit bypass events in Exchange Online.

Error A parameter cannot be found that matches parameter name 'AuditByPassEnabled'.

This error occurs when trying to configure audit bypass using the Set-MailboxAuditBypassAssociation cmdlet with an unsupported or incorrect parameter.

Fix Verify that you're using the correct parameter name and supported cmdlet.

Get-MailboxAuditBypassAssociation -AuditBypassEnabled $true

Error ./GetMB_NonAuditedActions.ps1 cannot be loaded because running scripts is disabled on this system.

This error occurs when you try to run the GetMB_NonAuditedActions.ps1 scrip in PowerShell, but the system's execution policy prevents running unsigned scripts.

Fix To resolve this error, set the execution policy as Unrestricted before running the script as shown below.

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Error The specified mailbox does not exist.

This error occurs while executing the Set-MailboxAuditBypassAssociation cmdlet. It usually happens when the mailbox is deleted, moved, or an incorrect email address is specified.

Fix Verify whether the mailbox exists using the below cmdlet.

Get-Mailbox -ResultSize Unlimited

Exchange Online

Frequently Asked Questions

Strengthen Audit Log Integrity by Detecting Audit Bypassed Mailboxes in Microsoft 365

How to enable mailbox audit logging for a mailbox in Exchange Online?

How to configure mailbox audit logging bypass in Microsoft 365?

What happens when audit logging is bypassed for a mailbox?

How to customize mailbox audit logging to capture only relevant actions in Microsoft 365?

How to track all non-audited mailbox actions in Exchange Online?

1. How to enable mailbox audit logging for a mailbox in Exchange Online?

Since January 2019, Microsoft has enabled default mailbox auditing for all organizations, which allows specific actions known as default actions, to be logged for all logon types. However, activities like mailbox logins and folder bind operations aren't audited by default and require custom configuration. Also, default auditing only covers user, shared, and group mailboxes. To track activities in resource or public folder mailboxes, you must enable auditing manually.

To maintain complete visibility and meet compliance needs, keep auditing enabled for all mailboxes unless there's a valid reason to exclude one. Note that audit settings can only be managed through PowerShell, as the Microsoft 365 admin portals don't offer this option.

Enable audit logging for a mailbox using PowerShell

In order to track key actions like message deletions, moves, sends, and folder operations, you must enable mailbox audit logging. It records all activities performed by owners, delegates, and admins with details like event time and user identity. To enable auditing on a mailbox, run the below cmdlet in PowerShell.

Before executing, ensure to connect to the Exchange Online PowerShell module.

Set-Mailbox -Identity "<user@contoso.com>" -AuditEnabled $true

This enables audit logging for the specified mailbox and begins tracking actions based on the default or customized audit logging configuration.

Disable mailbox auditing for a user using PowerShell

You can disable mailbox auditing for specific accounts, such as service or test mailboxes, when audit logs are not required. This helps reduce storage usage and keeps audit data focused on relevant activity. However, to completely stop audit logging for a mailbox, tenant-level settings must also be considered, as some audit actions may still be recorded even when auditing is disabled on the mailbox.

However, proceed with caution because disabling audit logging for a mailbox means that no further activity from that mailbox will be recorded beyond the default audit actions.

To disable audit log for a mailbox, execute the following cmdlet in Exchange Online PowerShell.

Set-Mailbox -Identity "<user@contoso.com>" -AuditEnabled $false

Run the following cmdlet to confirm whether audit logging changes have been applied to a specific mailbox.

Get-Mailbox -Identity "<user@contoso.com>" | Format-List AuditEnabled

Replace <user@contoso.com> with the email address of the mailbox you want to update.

If auditing is disabled on critical mailboxes either accidentally or intentionally, it creates blind spots in your audit trail. This can prevent timely detection of policy violations, data loss, or security breaches. That's why it's crucial to view and keep track of mailboxes with auditing disabled.

To simplify this process, use AdminDroid's audit disabled mailboxes report to quickly spot mailboxes with auditing turned off and ensure nothing slips through the cracks!

This report helps to identify non-audited mailboxes by recipient type, location, license status, and more, to ensure no mailbox is overlooked.
Instantly identify when audit logging is turned off for critical mailboxes such as room mailboxes, shared mailboxes, or public folder mailboxes.

2. How to configure mailbox audit logging bypass in Microsoft 365?

Mailbox audit bypass allows you to exclude specific users from mailbox audit logging typically to reduce noise from authorized or trusted application accounts that generate high-volume, low-risk activity. Instead of disabling audit logging entirely, you can configure the mailbox for audit bypass. This disables auditing of the user's actions across all mailboxes in the tenant while still logging actions performed by others on the mailbox.

Bypass a user account from mailbox audit logging using PowerShell

To enable mailbox audit bypass for a mailbox, run the 'Set-MailboxAuditBypassAssociation' in Exchange Online PowerShell as shown below.

Set-MailboxAuditBypassAssociation –Identity "<user@contoso.com>" -AuditBypassEnabled $true

This command bypasses and stops mailbox audit logging for the specified user across all mailboxes.

Disable mailbox audit logging bypass using PowerShell

A situation may arise where you need to disable mailbox audit bypass to ensure all actions performed by a specific account are logged for security and troubleshooting purposes. For instance, if a service account with audit bypass enabled shows unusual activity, removing it from bypass ensures its actions are recorded, aiding monitoring and investigation.

To remove a user from audit bypass, run the following cmdlet.

Set-MailboxAuditBypassAssociation –Identity "<user@contoso.com>" -AuditBypassEnabled $false

Replace <user@contoso.com> with the email address of the mailbox for which you want to configure audit bypass. This will remove the audit bypass association from the mailbox.

To confirm the audit bypass association configuration for a mailbox, run the following cmdlet.

Get-MailboxAuditBypassAssociation -Identity "<user@contoso.com>" | Format-List AuditByPassEnabled 

3. What happens when audit logging is bypassed for a mailbox?

When audit logging is bypassed for a user, all mailbox actions performed by that user will no longer be captured in the audit logs. This reduction in audit data can impact visibility into mailbox activities, depending on how and to whom the bypass is applied. So, let's take a closer look at what happens when audit logging is bypassed in detail.

Exclusion applies only to the specified Exchange Online mailbox account

When audit bypass is enabled for a user, their mailbox activities are excluded from audit logging. This means that:

Actions the bypassed user performs on their own mailbox as the owner will not be logged.
Any delegate actions they carry out on other users' or shared mailboxes are excluded from logging.
Administrative actions performed by the bypassed user will also not appear in the audit logs.

However, actions performed by other users or admins on the bypassed user's mailbox will still be recorded in the audit logs.

Potential security impact of using the mailbox audit bypass association

The user's actions are excluded across the Exchange Online, creating a blind spot in audit logs. This lack of visibility can be exploited by insider threats or external attackers who compromise the bypassed account.
If a security breach involves the user's credentials, their activities won't be captured in the audit trail, thus complicating forensic investigations and leaving gaps in incident analysis.

Note: Organizations with strict compliance requirements should use audit bypass cautiously. Applying it to high-risk accounts such as executives or privileged users can create regulatory gaps and weaken security oversight.

4. How to customize mailbox audit logging to capture only relevant actions in Microsoft 365?

Instead of completely enabling or disabling mailbox audit logging for a mailbox, you can configure mailbox auditing it to capture only the actions that matter to your organization. Focusing on specific action types or specific logon types helps reduce audit clutter and makes your logs more relevant.

Below are various ways to configure mailbox auditing using PowerShell.

1. Configure mailbox audit logging for a specific logon type in Microsoft 365

You can specify actions to audit for each logon type such as Owner, Admin, or Delegate. For example, if you want to audit specific actions performed by delegate users on a mailbox, you can do so using the below cmdlet.

Ensure you connect to the Exchange Online PowerShell module before proceeding.

Set-Mailbox –Identity "<user@contoso.com>" –AuditDelegate SendAs,SendOnBehalf –AuditEnabled $true

This command ensures that SendAs and SendOnBehalf actions performed by delegate users on the mailbox of user@contoso.com are only logged. Replace <user@contoso.com> with the email address of the mailbox you want to configure.

2. Enable audit logging for targeted mailbox actions for all logon types

You can specify which actions to log such as Copy, FolderBind, HardDelete, SoftDelete, etc. Before executing, ensure to connect to Exchange Online PowerShell module.

Set-Mailbox –Identity "<user@contoso.com>" –AuditDelegate HardDelete,SoftDelete –AuditAdmin HardDelete,SoftDelete –AuditOwner HardDelete,SoftDelete –AuditEnabled $true

This command enables the Exchange Online to only log the HardDelete and SoftDelete actions performed by the owner, admin, and delegate on the particular mailbox. By specifying these actions under each logon type parameter, you ensure that those actions are captured in audit logs.

3. Append new actions without overwriting existing lists in Exchange Online

If you try to add actions to the existing audit settings by running the Set-Mailbox cmdlet as specified above, it will overwrite the previous configuration instead of appending to it.

To properly add new actions without losing existing ones, execute the below PowerShell cmdlet including the new actions.

Set-Mailbox –Identity "<admin@contoso.com>" –AuditDelegate @{Add=SendAs,SendOnBehalf}

Similarly, to remove specific actions from the existing audit settings without wiping the full configuration, use the below PowerShell cmdlet.

Set-Mailbox –Identity "<admin@contoso.com>" –AuditDelegate @{Remove=SendAs,SendOnBehalf}

5. How to track all non-audited mailbox actions in Exchange Online?

Mailbox auditing plays a crucial role in identifying unauthorized access and safeguarding sensitive information in Exchange Online. While Microsoft has enabled auditing by default, not every mailbox action across admin, owner, and delegate logon types is audited. This inconsistency makes it difficult to determine which actions are being tracked and which are slipping through the cracks.

Since there is no built-in portal view or single PowerShell cmdlet to retrieve all non-audited mailbox actions in Exchange Online, identifying audit gaps can be challenging. To eliminate this lack of clarity, we have developed a PowerShell script that highlights mailbox actions not currently being audited.

Download and run the following script in the Administrator PowerShell.

GetMB_NonAuditedActions.ps1

script-output-mailboxes-non-auditing-actions

The report provides key details such as:

Displays non-audited actions for owner, admin, and delegate roles across each mailbox.
Detects mailboxes with audit bypass enabled, revealing potential logging blind spots.
Shows the DefaultAuditSet values to verify if auditing has been customized or left unchanged.