Exchange audit folder moves

ChrisMKV 6 Reputation points
2022-04-04T14:41:38.33+00:00

After doing some research, it seems that Mailbox Auditing doesn't log folder moves. Not the folder itself, nor any of the items contained.

Seems to me that is a huge oversight, as it means it's very easy to defeat auditing if there is a retention policy on deleted items: Simply move an entire folder into deleted items (not audited), where they're eventually expired by the retention policy.

Sadly this means the Audit log can't be a reliable way to get proof of what happened in a Mailbox. Is anyone aware of eventual workarounds or plans from Microsoft to enable this?

Thanks

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,427 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Vasil Michev 98,201 Reputation points MVP
    2022-04-04T16:49:32.437+00:00

    "Move" is one of the available operations for audit. It is not however enabled by default, so you need to add that first. As in:

    Set-Mailbox vasil -AuditDelegate @{add="Move"}  
    

    Refer to the documentation for more details: https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging?view=exchserver-2019#mailbox-actions-logged-by-mailbox-audit-logging

    1 person found this answer helpful.