Entra / Microsoft 365 · Exchange Online
Update mailbox auditing
A script to update Office 365 E3 user and shared mailboxes and make sure that they are enabled for mailbox auditing.
Connect & set up
Run these once per session. All scopes are read-only unless the script makes changes.
# Sign in to Exchange Online PowerShell. The script on this page calls Set-Mailbox,
# so the account used here needs rights to change mailbox settings, not just read them.
Connect-ExchangeOnline
Run it
The main script. Copy it, or download the .ps1 and run it from your console.
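# Enables mailbox auditing on Office 365 E3 user mailboxes and on shared mailboxes,
# stamps CustomAttribute6 on each mailbox it updates, and shows the updated mailboxes
# in a grid view.
#
# NOTE(review): CustomAttribute6 records that this script processed a mailbox; it is not
# the audit setting itself. A mailbox whose auditing is switched off later keeps the
# marker and is skipped on the next run, so confirm the live audit properties with
# Get-Mailbox when assurance is needed.

# Make sure an Exchange Online session exists before any mailbox cmdlet runs
If ($Null -eq (Get-ConnectionInformation)) {
    Connect-ExchangeOnline
}

# Connect to the Graph SDK. The scope is read-only; all changes go through Exchange Online.
Connect-MgGraph -Scopes User.Read.All -NoWelcome

# GUID for Office 365 E3
$Office365E3 = "6fd2c87f-b296-42f0-b197-1e91e994b900"
# Value written to CustomAttribute6 to mark a processed mailbox
$AuditMarker = "Mailbox Auditing Enabled"
# Rows for the report displayed at the end
$Report = [System.Collections.Generic.List[Object]]::new()
# Every counter starts at 0 so the summary prints a number even when nothing is updated
$MbxNumber = 0; $SharedMailboxNumber = 0; $MbxUpdated = 0; $SharedMbxUpdated = 0

Clear-Host
Write-Host "Finding accounts (mailboxes) with Office 365 E3 licenses..."

# Find accounts with Office 365 E3 licenses. Department and Country are requested
# explicitly because Get-MgUser does not return them in its default property set.
[array]$Mbx = Get-MgUser -Filter "assignedLicenses/any(s:s/skuId eq $Office365E3)" -All `
    -Property Id, DisplayName, UserPrincipalName, Department, Country

# Loop through accounts, check CustomAttribute6 for the marker, and enable auditing if needed
ForEach ($M in $Mbx) {
    # Progress is derived from the loop position, so it cannot divide by zero or pass 100
    $PercentComplete = [math]::Min(100, [int](($MbxNumber / $Mbx.Count) * 100))
    $MbxNumber++
    $MbxStatus = $M.DisplayName + " [" + $MbxNumber + "/" + $Mbx.Count + "]"
    Write-Progress -Activity "Checking mailbox" -Status $MbxStatus -PercentComplete $PercentComplete

    # A licensed account may have no mailbox; skip it instead of failing in Set-Mailbox
    $MbxProps = Get-ExoMailbox -Identity $M.UserPrincipalName -Properties CustomAttribute6, RecipientTypeDetails -ErrorAction SilentlyContinue
    If ($Null -eq $MbxProps) {
        Write-Warning ("No mailbox found for {0}; skipped" -f $M.UserPrincipalName)
        Continue
    }

    If ($MbxProps.CustomAttribute6 -ne $AuditMarker) {
        Try {
            # NOTE(review): auditing is switched off and then on again, presumably to force
            # the setting to be re-applied. Confirm this is needed, because the mailbox is
            # unaudited between the two calls.
            Set-Mailbox -Identity $M.UserPrincipalName -AuditEnabled $false -ErrorAction Stop
            Set-Mailbox -Identity $M.UserPrincipalName -AuditEnabled $True -AuditOwner @{Add = "MailItemsAccessed"} -CustomAttribute6 $AuditMarker -ErrorAction Stop
        }
        Catch {
            # Do not count or report a mailbox as enabled when the update failed
            Write-Warning ("Could not enable auditing for {0}: {1}" -f $M.UserPrincipalName, $_.Exception.Message)
            Continue
        }
        $MbxUpdated++
        $ReportLine = [PSCustomObject] @{
            Mailbox         = $M.DisplayName
            UPN             = $M.UserPrincipalName
            Department      = $M.Department
            Country         = $M.Country
            AuditingEnabled = "Y"
            MailboxType     = $MbxProps.RecipientTypeDetails
        }
        $Report.Add($ReportLine)
    }
}

# Now process shared mailboxes. These don't have a license, so we fetch them from
# Exchange Online and check. Only shared mailboxes with an empty CustomAttribute6 are returned.
[array]$SharedMbx = Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox -Properties CustomAttribute6 -Filter {CustomAttribute6 -eq $Null}

ForEach ($M in $SharedMbx) {
    $PercentComplete = [math]::Min(100, [int](($SharedMailboxNumber / $SharedMbx.Count) * 100))
    $SharedMailboxNumber++
    $MbxStatus = $M.DisplayName + " [" + $SharedMailboxNumber + "/" + $SharedMbx.Count + "]"
    Write-Progress -Activity "Checking shared mailbox" -Status $MbxStatus -PercentComplete $PercentComplete

    If ($M.CustomAttribute6 -ne $AuditMarker) {
        Try {
            # Unlike the user-mailbox branch, no MailItemsAccessed owner action is added here
            Set-Mailbox -Identity $M.UserPrincipalName -AuditEnabled $True -CustomAttribute6 $AuditMarker -ErrorAction Stop
        }
        Catch {
            Write-Warning ("Could not enable auditing for {0}: {1}" -f $M.UserPrincipalName, $_.Exception.Message)
            Continue
        }
        $SharedMbxUpdated++
        $ReportLine = [PSCustomObject] @{
            Mailbox         = $M.DisplayName
            UPN             = $M.UserPrincipalName
            Department      = "Shared Mailbox"
            AuditingEnabled = "Y"
            MailboxType     = $M.RecipientTypeDetails
        }
        $Report.Add($ReportLine)
    }
}

Write-Host "All done!"
Write-Host "---------"
Write-Host ""
Write-Host "Mailbox auditing enabled for Office 365 E3 mailboxes:" $MbxUpdated
Write-Host "Mailbox auditing enabled for shared mailboxes :" $SharedMbxUpdated

# The grid lists only the mailboxes changed in this run
$Report | Out-GridView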
Attribution
Author
Office365itpros