Exchange 2013 Mailbox auditing: Limitations on auditing message reads (cannot audit 'messagebind' accesses)

Back in Exchange 2007, upon relase of SP2 mailbox auditing was made available. Similar to past Exchange versions, it was handled through diagnostics logging. It was set at the server level, and sent the audit log entries to the event log. Configuration was handled through the EMC or Exchange registry keys.
Fast forward to Exchange 2010, and continued in 2013 & 2016 the mailbox logging is handled differently. It is set on a per mailbox basis, and the audit log entries are saved as part of the users mailbox stored in a folder called ‘audits’ located within their recoverable items folder. Architecturally this is much better than using the Event Logs for both storing and retrieving audit data. Also, the auditing configuration is now separated into three 'login type' categories; admin, owner, and delegate.

The limitation that I bumped into recently is that it does not for allow auditing message 'reads' for users (owner & delegate). It will only allow auditing message 'read' access via Exchange system processes (admin).

Enabling mailbox auditing
Mailbox auditing is enabled using the set-mailbox command with the 'auditenabled' property to true. The following will set the auditing and use the default auditing settings.

Set-Mailbox -Identity "<Mailbox>" -AuditEnabled $true

Specific audit settings can be configured as well. Here are some examples setting auditing for each of the three login types.

Set-Mailbox -Identity "<Mailbox>" -AuditAdmin MessageBind,FolderBind -AuditEnabled $true
Set-Mailbox -Identity "<Mailbox>" -AuditDelegate SendAs,SendOnBehalf -AuditEnabled $true
Set-Mailbox -Identity "<Mailbox>" -AuditOwner HardDelete -AuditEnabled $true

It is important to understand what each login type covers:

The Owner audit settings applies to what the mailbox user accesses
The Delegate audit settings applied to what any other user accesses
The Admin audit settings apply to access via Exchange mechanisms such as eDiscovery searches, mailbox import/export operations, or tools such as MFCMAPI.

If you wanted to configure message reads for auditing by users you might think to try to set 'messagebind' auditing on either the owner, or delegate. If you try this it will fail with a powershell error indicating it is not a supported audit operation.

The table below identifies what can be audited for each of the three login type categories. As you can see neither 'messagebind' or 'copy' are available to be audited except by the admin login type.

Action	Description	Admin	Delegate***	Owner
Copy	An item is copied to another folder.	Yes	No	No
Create	An item is created in the mailbox. (For example, a message is sent or received.) Note that folder creation isn't audited.	Yes*	Yes*	Yes
FolderBind	A mailbox folder is accessed.	Yes*	Yes**	No
HardDelete	An item is deleted permanently from the Recoverable Items folder.	Yes*	Yes*	Yes
MailboxLogin	The user signed in to their mailbox.	No	No	Yes
MessageBind	An item is accessed in the reading pane or opened.	Yes	No	No
Move	An item is moved to another folder.	Yes*	Yes	Yes
MoveToDeletedItems	An item is moved to the Deleted Items folder.	Yes*	Yes	Yes
SendAs	A message is sent using Send As permissions.	Yes*	Yes*	No
SendOnBehalf	A message is sent using Send on Behalf permissions.	Yes*	Yes	No
SoftDelete	An item is deleted from the Deleted Items folder.	Yes*	Yes*	Yes
Update	An item's properties are updated.	Yes*	Yes*	Yes

* Audited by default if auditing is enabled for a mailbox.
** Entries for folder bind actions performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of 24 hours.
*** An administrator who has been assigned the Full Access permission to a user's mailbox is considered a delegate user.

Ref: https://technet.microsoft.com/en-us/library/ff459237(v=exchg.160).aspx