This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 0%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
After doing some research, it seems that Mailbox Auditing doesn't log folder moves. Not the folder itself, nor any of the items contained.
Seems to me that is a huge oversight, as it means it's very easy to defeat auditing if there is a retention policy on deleted items: Simply move an entire folder into deleted items (not audited), where they're eventually expired by the retention policy.
Sadly this means the Audit log can't be a reliable way to get proof of what happened in a Mailbox. Is anyone aware of eventual workarounds or plans from Microsoft to enable this?
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
Hi @ChrisMKV
Just checking in to see if above information was helpful. Please let us know if you would like further assistance.
"Move" is one of the available operations for audit. It is not however enabled by default, so you need to add that first. As in:
Set-Mailbox vasil -AuditDelegate @{add="Move"}
Refer to the documentation for more details: https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging?view=exchserver-2019#mailbox-actions-logged-by-mailbox-audit-logging
Thank you michev, we had already enabled this and also MoveToDeletedItems (any any other audit option that can be enabled really). It's working fine for mails, but not folders or their content unfortunately. The same was now confirmed to us when we opened a support ticket by Microsoft, if a folder is moved, no audit log is generated at all.
[PS] C:\>Get-Mailbox -Identity xxx | select -ExpandProperty "AuditDelegate"
Update
Move
MoveToDeletedItems
SoftDelete
HardDelete
FolderBind
SendAs
SendOnBehalf
Create
Thanks for the sharing.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 6%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENT%3C/text%3E%3C/svg%3E)
@Vasil Michev (or someone else, since it's been a while on this thread)...
This is incredibly useful. With Mailbox Auditing enabled, it appears that the defaults don't include all as you said:
>> Get-Mailbox -Identity xyz@mail..com | Select-Object -ExpandProperty AuditDelegate
which results in:
Update
MoveToDeletedItems
SoftDelete
HardDelete
SendAs
SendOnBehalf
Create
UpdateFolderPermissions
UpdateInboxRules
ApplyRecord
While we don't need this for admins, or the mailbox owner, I think that if we could add "Move" for delegates access to being part of the default for all mailboxes with delegate access, that would be great.
I can maintain this manually, one mailbox at a time, via PowerShell, but I'd prefer to just be able to say "Hey Microsoft, for this tenant, on all mailboxes, include 'Move' in the mailbox audits." Is there a way to make this the default behavior for the tenant?
Thanks!
Neil
@Vasil Michev By chance, did you have a moment to look at this?