Change mailbox audit logging age limit in Exchange 2010 and later

by Bharat Suneja

In Exchange 2010 and later, you can use Mailbox Audit Logging to enable auditing of mailboxes for actions taken by mailbox owners, delegates and administrators. You can log events such as mailbox access, folder access, item access, deletes, hard deletes, moves, etc. For details, see Mailbox Audit Logging in Exchange 2013 documentation.

By default, mailbox audit logs are stored for 90 days. You can modify the audit logging age for a mailbox by setting its AuditLogAgeLimit property to the desired value. Because this is configured per-mailbox, you must use the Set-Mailbox cmdlet to configure this.

This example raises the mailbox audit log age to 120 days.

Set-Mailbox bsuneja -AuditLogAgeLimit 120

You can retrieve the audit-related properties for a mailbox to verify the change was made.

Get-Mailbox bsuneja | fl audit*

AuditEnabled : False
AuditLogAgeLimit : 120.00:00:00
AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate : {Update, SoftDelete, HardDelete, SendAs, Create}
AuditOwner : {}

When you try to lower the audit log age limit, you’ll see the following prompt:

Confirm
The new mailbox audit log age limit, 30.00:00:00, for mailbox “bsuneja” is less than the previously specified age limit. If you continue, all log entries older than the new age limit will be deleted. This change takes effect immediately.
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is “Y”):

Note, you won’t see this prompt when you raise the audit log age limit. Lowering the limit, however, can result in potential loss of audit logs and may potentially result in your org being out of compliance. Therefore the confirmation prompt. Using the Confirm switch (-Confirm:$false) does not suppress this.

In scenarios where you’re trying to lower the mailbox audit log age limit for a number of mailboxes, the prompt can be annoying. To suppress it, use the Force switch, as shown in this example:

Set-Mailbox bsuneja -AuditLogAgeLimit -Force

{ 0 comments… add one now }

Leave a Comment

Previous post:

Next post: