Missing Update Operations in Shared Mailbox Audit Logs

Question

Missing Update Operations in Shared Mailbox Audit Logs

Rafal Aleksandrzak 20

Issue: I have enabled audit logging for a shared mailbox in Exchange Online. The audit settings are configured to log various operations, including Update. However, I am not seeing any Update operations in the audit logs, even though I am certain that such operations have been performed since mails have been marked as read, flagged etc..

Current Audit Settings:

AuditEnabled: True
AuditAdmin: {Update, MoveToDeletedItems, SoftDelete, HardDelete...}
AuditDelegate: {Update, MoveToDeletedItems, SoftDelete, HardDelete...}
AuditOwner: {Update, MoveToDeletedItems, SoftDelete, HardDelete...}

Steps Taken:

Verified that audit logging is enabled for the shared mailbox.
Checked the audit settings to ensure Update is included.

Searched the audit logs using the following PowerShell command:

   Search-MailboxAuditLog -Identity "SharedMailboxName" -LogonTypes Admin, Delegate, Owner -Operations Update -StartDate "StartDate" -EndDate "EndDate" -ShowDetails

Audit seems to be working overall, I can view operations like Create, SendAs and SoftDelete but Update is the one that I need.

Kavya 490 Reputation points

2025-01-28T13:28:54.19+00:00

What action did you perform to populate audit log for "update" action?
Rafal Aleksandrzak 20 Reputation points

2025-01-28T13:32:20.2466667+00:00

Emails were marked as read and flagged.

Accepted answer

0 additional answers

Your answer

Kavya 490 Reputation points

2025-01-28T13:28:54.19+00:00

What action did you perform to populate audit log for "update" action?
Rafal Aleksandrzak 20 Reputation points

2025-01-28T13:32:20.2466667+00:00

Emails were marked as read and flagged.

Answer 1

Vasil Michev 115.7K MVP

There is the possibility that the mailbox is excluded from auditing, which you can check via the *Get-MailboxAuditBypassAssociation *cmdlet. Other than that, I see nothing wrong in the above, and the cmdlet should produce some results. That said, I'm not sure that "marked as read" is actually classified as Update operation, to cover those you should look at MailItemsAccessed records.

Alex Zhang-MSFT 6,620 Reputation points Microsoft External Staff

2025-01-29T02:16:53.6733333+00:00

Hello, @Rafal Aleksandrzak,

Welcome to the Microsoft Q&A platform!

As Vasil Michev said, I suggest you first verify that your mailbox is excluded from auditing, you can get more parameters about the Get-MailboxAuditBypassAssociation cmdlet and what it does through Get-MailboxAuditBypassAssociation (ExchangePowerShell) | Microsoft Learn.

Also, from my opinion, the action of marking an email as read is not explicitly categorized as an action in the audit log. Audit logs can track a variety of activities, but do not include the specific action of a mailbox owner marking an email as read.

Should you need more help on this, you can feel free to post back.

If the answer is helpful, please click on “Accept answer” as it could help other members of the Microsoft Q&A community who have similar questions and are looking for solutions.

Thank you for your support and understanding.

Best Wishes,

Alex Zhang
Rafal Aleksandrzak 20 Reputation points

2025-01-29T10:27:33.2933333+00:00

No bypass were configured. I also found that I could check messageTrackingReadStatusEnabled for organization and it is enabled for all. I find it strange that read status is tracked but not audited and you are actually unable to check message isRead property easily but it is what it is. Thank you for your help.

Share via

Missing Update Operations in Shared Mailbox Audit Logs

0 additional answers

Your answer