This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 46%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
hi ,
we know search-mailbox can query the email by some criteria.
and a admin (discover admin) able to search any user's mailbox and export those email to his mailbox.
we wanna know can we log that action? do microsoft have log that down? and can we able to set some alerts if someone execute search-mailbox ?
thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 22%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELL%3C/text%3E%3C/svg%3E)
Hi @Jerry Su ,
For the question you posted:
1.The admin audit log could record information about run “Search-Mailbox”, include who run the cmdlet, when run the cmdlet ,modify who and so on. The admin audit log is enable by default.
2.We couldn’t set the alerts if someone execute search-mailbox, but the “Search-Mailbox” is available only in the Mailbox Search or Mailbox Import Export roles, and these roles aren’t assigned to any role groups by default. If you want to using this cmdlet, you need to add one or both of the roles to a role group. So if you don’t want someone to running “Search-Mailbox”, don't assign the role to that user.
For the question about Search-AdminAuditLog:
1.Please run the following command to view the settings of Admin Audit Log, especially the “AdminAuditLogEnabled” and “AdminAuditLogAgeLimit”.
Get-AdminAuditLogConfig
2.Please make sure the account have the correct permission, then you also could create a new user mailbox, the add this user to Records Management Role and Organization Management Role, then run the “Search-AdminAuditLog” command with this user account for a test and see if there have result.
3.Please run the following command to view whether the arbitration mailbox named SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} exists.
Get-mailbox –arbitration
In addition, this phenomenon is a known issue in Exchange 2016, please refer to the following link to fix it: Empty results are returned when you run Search-AdminAuditLog or Search-MailboxAuditLog with a parameter in Exchange Server
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
thanks,
point 1 :
point2 I am already in Records Management Role and Organization Management group
point3 got error:
my bad, the arbitration mailbox shows as below
Hi @Jerry Su ,
Thanks for the information you provided.
What’s the environment of the Exchange server? Only one Exchange server 2016 or exist another Exchange server.
1.For your first screenshot, the settings are correct, but there is a strange value that the time of the "When Changed" and "When Created" parameters are both in 2011. Please run the following command to disable admin audit log, then enable it again.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $false
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
2.You could create a new user and assign the right permission, then run the command to view the admin audit log. To rule out account problems.
3.Did you try the methods in the link I provide before? The following is one of the methods
1)Region > Administrative > Copy settings, make sure "Welcome screen and system accounts" is selected:
2)Click "Change system locale...", make sure the current system locale is set to English (United States)
3)Don't forget to restart Exchange server after making the modification.
----------
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
It's audited by default. If you are using Exchange Online, you can find the corresponding entries in the Unified audit log: https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide
Or via PowerShell:
Search-UnifiedAuditLog -StartDate "2 Dec 2020" -EndDate "04 Jan 2021" -Operations "Search-Mailbox"
sorry forgot to mention. it's exchange 2016
Use the Admin audit log then.
thanks for the reply.
I used Search-AdminAuditLog and New-AdminAuditLogSearch cmdlet but no result shown. (it should shown something, since a week ago I execute the search-mailbox command)
I also checked my AdminAuditLogConfig, the AdminAuditLogCmdlets is {*}
