Query on Audit logs.

Question

.Hi All,

I am reviewing mailbox audit logging settings in Exchange Online for the following sign-in types:

Admin Mailbox

Delegate Mailbox

Owner Mailbox

As per security recommendations, audit logging should include the following actions:

Admin Mailbox:
ApplyRecord,Create,HardDelete,MailItemsAccessed,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update,UpdateCalendarDelegation,UpdateFolderPermissions,UpdateInboxRules

Delegate Mailbox:
ApplyRecord, Create,HardDelete,MailItemsAccessed,MoveToDeletedItems,SendAs,SendOnBehalf, SoftDelete,Update,UpdateFolderPermissions,UpdateInboxRules.

Owner Mailbox:
ApplyRecord,HardDelete,MailItemsAccessed,MoveToDeletedItems,SoftDelete,Update, UpdateCalendarDelegation,UpdateFolderPermissions,UpdateInboxRules.

I have a few questions:

1. How can I retrieve all relevant mailboxes/users for each category (Admin, Delegate, Owner)?
2. If I enable all recommended audit actions, especially high-volume actions like MailItemsAccessed, will this significantly increase the audit log volume?
3. Will enabling these settings generate a large volume of logs, and could this have any noticeable impact on end-user experience?
4. Will enabling these settings have any performance impact, such as:
   • Increased mailbox latency
   • Impact on Exchange Online performance
   • Throttling or delays when running audit searches (e.g., Search-UnifiedAuditLog)
   • Any performance impact on Outlook or other Microsoft applications accessing the mailbox
   Any guidance or best practices would be appreciated. Please let me know if I am missing anything.

Answer 1

1. Retrieving mailboxes and current audit actions

Use Exchange Online PowerShell to see which mailbox actions are currently audited per sign-in type.

Connect first (for example, with Connect-ExchangeOnline). Then:

• Owner actions on a mailbox:

Get-Mailbox -Identity <MailboxIdentity> | Select-Object -ExpandProperty AuditOwner

• Delegate actions on a mailbox:

Get-Mailbox -Identity <MailboxIdentity> | Select-Object -ExpandProperty AuditDelegate

• Admin actions on a mailbox:

Get-Mailbox -Identity <MailboxIdentity> | Select-Object -ExpandProperty AuditAdmin

To list all user/shared mailboxes and see which actions are configured per sign-in type:

Get-Mailbox -RecipientTypeDetails UserMailbox,SharedMailbox -ResultSize Unlimited |
  Select-Object DisplayName,PrimarySmtpAddress,AuditOwner,AuditDelegate,AuditAdmin

To understand whether a mailbox is still using Microsoft-managed defaults or has been customized, check DefaultAuditSet as described in the mailbox auditing article. A value of Owner means only owner actions are defaulted; a blank value means all three sign-in types (Admin, Delegate, Owner) have been customized.

2. Impact of enabling more actions (including MailItemsAccessed) on log volume

Mailbox audit logging entries are retained in the mailbox for 90 days. Adding more audited actions, especially high-frequency ones such as MailItemsAccessed, will increase the number of audit events generated and therefore the volume of audit data stored and returned in searches.

From the shared mailbox investigation guidance, operations such as SoftDelete, HardDelete, MoveToDeletedItems, Move, SendAs, and MailItemsAccessed are all common, user-driven actions and can appear frequently in audit searches:

• Deletions: SoftDelete, HardDelete, MoveToDeletedItems
• Moves: Move, MoveToDeletedItems
• Access: MailItemsAccessed (E5 required)
• Send operations: SendAs, SendOnBehalf, Send

Enabling MailItemsAccessed in particular will increase log volume because it records item access, not just changes.

3. Will this generate a large volume of logs and affect user experience?

The documentation and examples focus on how to search and interpret the additional events (for example, using Search-UnifiedAuditLog with -Operations SoftDelete,HardDelete,MoveToDeletedItems or Move,MoveToDeletedItems, or SendAs) and do not indicate any negative end-user experience from enabling these audit actions.

Mailbox audit logging is on by default for all organizations, and Microsoft manages the default audited actions and automatically adds new actions over time. This design is intended to provide comprehensive auditing without requiring tenant-level performance tuning by admins.

4. Performance impact considerations

Within the provided guidance, there is no stated negative impact on:

• Mailbox latency
• Overall Exchange Online performance
• Outlook or other client performance
• Throttling beyond the normal limits when running Search-UnifiedAuditLog

Instead, the focus is on:

• How to customize which actions are audited per sign-in type using Set-Mailbox (for example, AuditAdmin, AuditDelegate, AuditOwner).
• How to investigate activity efficiently using targeted searches (for example, filtering by -Operations, -FreeText, -UserIds, and -ResultSize).

Examples:

• Deleted items in a shared mailbox:

Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 \
  -FreeText <******@domain.com> \
  -Operations SoftDelete,HardDelete,MoveToDeletedItems -ResultSize 500

• Sent-as activity:

Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 \
  -UserIds <user1,user2> \
  -FreeText <******@domain.com> \
  -Operations SendAs -ResultSize 500

• Folder browsing (FolderBind) when enabled on delegates:

Get-Mailbox <******@domain.com> | Select AuditDelegate |
  Where-Object {$_.AuditDelegate -contains "FolderBind"}

Set-Mailbox <******@domain.com> -AuditDelegate @{Add="FolderBind"}

Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 \
  -FreeText <******@domain.com> \
  -Operations FolderBind -ResultSize 500

These patterns show that the recommended way to handle higher event volume is to:

• Scope searches by mailbox (-FreeText), user (-UserIds), operations (-Operations), and time window (-StartDate, -EndDate).
• Limit result size (-ResultSize) to keep queries efficient.

No explicit performance degradation for clients or Exchange Online is documented when enabling the listed actions; mailbox auditing with these operations is treated as a standard, supported configuration.

5. Best-practice alignment

Based on the mailbox auditing and shared mailbox investigation guidance:

• Use Microsoft-managed defaults unless there is a clear requirement to customize.
• When customizing, explicitly set AuditAdmin, AuditDelegate, and AuditOwner to include the required actions (such as SoftDelete, HardDelete, MoveToDeletedItems, Move, SendAs, SendOnBehalf, MailItemsAccessed, UpdateFolderPermissions, UpdateInboxRules, etc.).
• Regularly review which actions are configured using the Get-Mailbox queries above.
• Use focused Search-UnifiedAuditLog queries and appropriate -ResultSize limits to manage the volume of returned data.

---

References:

• Use mailbox audit logs in Microsoft 365
• Manage mailbox auditing
• Investigate shared mailbox activities using audit logs
• How to investigate shared mailbox activities
• Quick reference
• Audit log activities

Answer 2

Hi Glenn Maxwell

Based on your description, I understand that you are reviewing and planning to enforce recommended mailbox audit logging settings in Exchange Online across three logon types (Admin, Delegate, and Owner), and you have questions about how to identify the relevant mailboxes, the impact on audit log volume. I have conducted some research, and the following information might help you.

1. How to Retrieve Mailboxes by Logon Type

It is important to clarify that Admin, Delegate, and Owner are not fixed mailbox categories - they refer to logon types, meaning who performed the action on a mailbox. A single mailbox can generate audit events under all three types.

Admin logon type covers actions performed by an administrator on another user's mailbox:

Get-RoleGroupMember "Organization Management"
Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName, UserPrincipalName, AuditAdmin, AuditEnabled

Delegate logon type covers users with Full Access, Send As, or Send on Behalf permissions:

Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
  Where-Object { $_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false }
Get-RecipientPermission -ResultSize Unlimited |
  Where-Object { $_.AccessRights -eq "SendAs" -and $_.Trustee -ne "NT AUTHORITY\SELF" }

Owner logon type applies to all mailboxes (every user accessing their own mailbox).

Reference: Manage mailbox auditing

2. Will This Significantly Increase Audit Log Volume?

Yes, and MailItemsAccessed is the primary driver. It fires on every mail read or sync event across Outlook, OWA, and mobile clients. Microsoft applies aggregation for sync-based events within a 24-hour window, but interactive reads are logged individually. The remaining actions (HardDelete, SoftDelete, UpdateInboxRules, etc.) are relatively low-frequency. In an active organization, enabling MailItemsAccessed org-wide can substantially increase total audit log volume.

Reference: MailItemsAccessed mailbox auditing

3. Will This Impact End-User Experience?

My answer is NO. Audit logging is fully asynchronous and writes to a separate pipeline independent of mailbox operations. End users will experience no noticeable change.

4. Performance Considerations

• Mailbox latency / Exchange Online performance: No measurable impact. The audit pipeline is asynchronous and managed by Microsoft infrastructure.
• Outlook and other clients: No impact. The process is entirely server-side.
• Search-UnifiedAuditLog performance: This is the most relevant concern. Higher log volume means searches over large timeframes will take longer and may hit throttling. Best practices: always scope queries with -StartDate, -EndDate, -UserIds, and -RecordType. For large-scale investigations, prefer New-ComplianceSearch / Start-ComplianceSearch via Microsoft Purview, which handles throttling more gracefully.

Reference: Search-UnifiedAuditLog

Hope my answer will help you.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.