Exchange 2013 Mailbox auditing: Limitations on auditing message reads (cannot audit 'messagebind' accesses)


Back in Exchange 2007, mailbox auditing was made available upon release of SP2.  As in earlier Exchange versions, it was handled through diagnostics logging: it was set at the server level, and the audit log entries were written to the event log.  Configuration was handled through the EMC or the Exchange registry keys.
Fast forward to Exchange 2010, and continued in 2013 and 2016, and mailbox auditing is handled differently.  It is set on a per-mailbox basis, and the audit log entries are saved as part of the user's mailbox, in a folder called 'Audits' located within their Recoverable Items folder.  Architecturally this is much better than using the event logs for both storing and retrieving audit data.  Also, the auditing configuration is now separated into three 'login type' categories: admin, owner, and delegate.

The limitation that I bumped into recently is that it does not allow auditing message 'reads' by users (owner and delegate).  It will only allow auditing message 'read' access performed via Exchange system processes (admin).

Enabling mailbox auditing
Mailbox auditing is enabled using the Set-Mailbox cmdlet with the -AuditEnabled parameter set to $true.  The following enables auditing on a mailbox using the default audit settings.

Set-Mailbox -Identity "<Mailbox>" -AuditEnabled $true


Specific audit settings can be configured as well.   Here are some examples setting auditing for each of the three login types.

Set-Mailbox -Identity "<Mailbox>" -AuditAdmin MessageBind,FolderBind -AuditEnabled $true
Set-Mailbox -Identity "<Mailbox>" -AuditDelegate SendAs,SendOnBehalf -AuditEnabled $true
Set-Mailbox -Identity "<Mailbox>" -AuditOwner HardDelete -AuditEnabled $true


It is important to understand what each login type covers:

If you wanted to audit message reads by users, you might try to set 'MessageBind' auditing on either the owner or the delegate login type.  If you try this it will fail with a PowerShell error indicating that it is not a supported audit operation.

The table below identifies what can be audited for each of the three login type categories.  As you can see, neither 'MessageBind' nor 'Copy' can be audited except under the admin login type.


Action             | Description                                                                                   | Admin | Delegate*** | Owner
-------------------+-----------------------------------------------------------------------------------------------+-------+-------------+------
Copy               | An item is copied to another folder.                                                          | Yes   | No          | No
Create             | An item is created in the mailbox (e.g. a message is sent or received). Folder creation isn't audited. | Yes*  | Yes*        | Yes
FolderBind         | A mailbox folder is accessed.                                                                 | Yes*  | Yes**       | No
HardDelete         | An item is deleted permanently from the Recoverable Items folder.                             | Yes*  | Yes*        | Yes
MailboxLogin       | The user signed in to their mailbox.                                                          | No    | No          | Yes
MessageBind        | An item is accessed in the reading pane or opened.                                            | Yes   | No          | No
Move               | An item is moved to another folder.                                                           | Yes*  | Yes         | Yes
MoveToDeletedItems | An item is moved to the Deleted Items folder.                                                 | Yes*  | Yes         | Yes
SendAs             | A message is sent using Send As permissions.                                                  | Yes*  | Yes*        | No
SendOnBehalf       | A message is sent using Send on Behalf permissions.                                           | Yes*  | Yes         | No
SoftDelete         | An item is deleted from the Deleted Items folder.                                             | Yes*  | Yes*        | Yes
Update             | An item's properties are updated.                                                             | Yes*  | Yes*        | Yes


* Audited by default if auditing is enabled for a mailbox.
** Entries for folder bind actions performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of 24 hours.
*** An administrator who has been assigned the Full Access permission to a user's mailbox is considered a delegate user.
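
As an added example (not from the original post), the following PowerShell applies an explicit per-login-type audit configuration, confirms that an owner-level 'MessageBind' setting is rejected, and then queries the mailbox audit log for the admin read entries that are supported. It assumes an Exchange Management Shell session and uses a placeholder mailbox identity.

```powershell
# Added example, not from the original post. Assumes an Exchange Management Shell
# session with permission to run Set-Mailbox and Search-MailboxAuditLog.
$Mailbox = 'user@example.com'   # placeholder; replace with the real mailbox identity

# Apply only operations the table above lists as supported for each login type.
# Message reads (MessageBind) and Copy can be audited for the admin type only.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditAdmin    MessageBind,FolderBind,Copy,Move,HardDelete,SendAs,SendOnBehalf `
    -AuditDelegate FolderBind,Move,HardDelete,SendAs,SendOnBehalf `
    -AuditOwner    MailboxLogin,HardDelete,SoftDelete,Move `
    -AuditLogAgeLimit 180.00:00:00   # keep entries for 180 days instead of the default 90

# Confirm what was actually applied before relying on it for detection.
Get-Mailbox -Identity $Mailbox |
    Select-Object Name, AuditEnabled, AuditLogAgeLimit, AuditAdmin, AuditDelegate, AuditOwner |
    Format-List

# Owner-level message reads are not a supported audit operation; the cmdlet
# throws, so catch it rather than assuming the setting took effect.
try {
    Set-Mailbox -Identity $Mailbox -AuditOwner MessageBind -ErrorAction Stop
} catch {
    Write-Warning "AuditOwner MessageBind was rejected: $($_.Exception.Message)"
}

# Pull the read (MessageBind) entries that do exist: admin/system-process access
# in the last 7 days, with per-item detail.
Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin -ShowDetails `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Where-Object { $_.Operation -eq 'MessageBind' } |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName, ItemSubject |
    Format-Table -AutoSize
```

Because owner and delegate reads are never recorded, the entries returned by the final query reflect only admin/system access; a user's own or a delegate's message reads will not show up here and must be covered by other data sources.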

Ref:  https://technet.microsoft.com/en-us/library/ff459237(v=exchg.160).aspx