Jackie Ramsey, April 26, 2026

A mailbox can hold contracts, drawings, pricing, and CUI. If I can’t prove who accessed it, who changed it, and when it happened, I have a gap in my control set.

For CMMC Level 2, mailbox auditing in Exchange Online is one useful control, not the whole answer. I treat it as part of a broader logging and monitoring program, and I always validate it instead of trusting defaults.

What mailbox auditing covers, and what it doesn’t

When I talk about CMMC mailbox auditing, I mean Exchange Online events tied to mailbox activity. That includes actions by the mailbox owner, delegates, and admins, such as deletes, rule changes, folder permission changes, and in many cases MailItemsAccessed.

The terms get mixed together, so I keep them separate:

| Audit type | What it tracks | Where I use it |
| --- | --- | --- |
| Mailbox auditing | Actions inside a mailbox | Email access, deletions, rule changes, delegate activity |
| Admin auditing | Changes admins make to config and settings | Exchange and tenant admin actions |
| Unified audit logging | The broader Microsoft 365 audit record set | Cross-workload review in Purview |

That last row matters most. Mailbox auditing feeds useful records, but I still search and retain evidence through Microsoft Purview Audit. As of April 2026, I still use the Purview portal for searches; older references may still say Security & Compliance Center.

Microsoft’s mailbox auditing guidance is the baseline I trust. I also like this practical step-by-step mailbox logging guide because it mirrors how admins work in the field.

For CMMC Level 2, I don’t claim this setting makes an environment compliant. It supports audit and accountability controls, but assessors will still want to see review procedures, retention decisions, role separation, and evidence that the logs are useful.

How I enable and verify Exchange Online mailbox auditing


In most tenants, mailbox auditing is already on by default. That sounds simple, but I never stop there. I verify the org setting, I check mailbox-level exceptions, and I confirm no one bypassed auditing.

In the GUI, I use Purview Audit to confirm I can search mailbox events and that the right staff have access. For Exchange-specific checks, PowerShell is still the cleanest path.

These are the commands I run first:

  • Connect-ExchangeOnline
  • Get-OrganizationConfig | fl AuditDisabled
  • Get-Mailbox -ResultSize Unlimited | fl Name,RecipientTypeDetails,AuditEnabled,DefaultAuditSet
  • Get-MailboxAuditBypassAssociation -ResultSize Unlimited | fl Name,AuditBypassEnabled

If AuditDisabled is False, mailbox auditing on-by-default is active. The naming is awkward, so I document that interpretation for the team.

For a mailbox that shows a problem, I check it directly with Get-Mailbox user@domain.com | fl AuditEnabled,DefaultAuditSet and Get-MailboxAuditBypassAssociation user@domain.com | fl AuditBypassEnabled (the bypass flag lives on the bypass association, not on the mailbox object). If I find bypass enabled, I treat that as an exception and justify it or remove it. I rarely accept AuditBypassEnabled $true in a CMMC-scoped tenant.

If I need to correct a tenant-wide issue, I use Set-OrganizationConfig -AuditDisabled $false. For mailbox-specific cases, I can use Set-Mailbox user@domain.com -AuditEnabled $true, but I prefer to keep the org default in place and limit one-off overrides.
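The verification pass above, as an added PowerShell script that is not from the original post. It assumes the ExchangeOnlineManagement module is installed and the caller can read org and mailbox configuration; the evidence folder path is a placeholder. The bypass flag is read from Get-MailboxAuditBypassAssociation, since Get-Mailbox does not expose it.

```powershell
# Added verification script (not from the original post). Assumes the
# ExchangeOnlineManagement module and read rights on org and mailbox config.
Connect-ExchangeOnline -ShowBanner:$false

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = 'C:\CMMC-Evidence\MailboxAudit'          # placeholder evidence folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Org-level switch. AuditDisabled = $false means on-by-default auditing is active.
$org   = Get-OrganizationConfig
$orgOn = -not $org.AuditDisabled
"Org mailbox auditing on-by-default active: $orgOn"

# 2. Per-mailbox audit state, including the per-mailbox retention limit.
$mailboxes = Get-Mailbox -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails,
                  AuditEnabled, DefaultAuditSet, AuditLogAgeLimit

# 3. Bypass associations come from a separate cmdlet, not from Get-Mailbox.
$bypass = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled

# 4. Anything listed here is an exception that needs a documented justification.
$findings = @()
if (-not $orgOn) { $findings += 'Org AuditDisabled is True' }
$mailboxes | Where-Object { -not $_.AuditEnabled } |
    ForEach-Object { $findings += "AuditEnabled false: $($_.PrimarySmtpAddress)" }
$bypass | ForEach-Object { $findings += "AuditBypassEnabled true: $($_.Name)" }

# 5. Keep the raw output as evidence, then print the summary.
$mailboxes | Export-Csv -Path "$outDir\mailboxes-$stamp.csv" -NoTypeInformation
$bypass    | Export-Csv -Path "$outDir\bypass-$stamp.csv" -NoTypeInformation
$findings  | Set-Content -Path "$outDir\findings-$stamp.txt"

if ($findings.Count -eq 0) { 'No exceptions found.' } else { $findings }
Disconnect-ExchangeOnline -Confirm:$false
```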

I also check whether MailItemsAccessed is available for the mailbox population I care about. That signal is useful because it shows actual access, not only deletes or sends. Still, Microsoft can throttle that event after high volumes, so I don’t build my whole detection story around one action type.

Least privilege matters here. I limit who can search audit data in Purview and who can change Exchange config. If the same admin can disable logging, change mail flow, and approve exceptions, the paper trail loses value.

How I test events and collect evidence for a CMMC review


A control you never test is only a checkbox. After setup, I run a small test plan with one normal mailbox and, if used, one shared mailbox.

I generate a few known events over a short window. For example, I sign in as the owner and delete a message, I update an inbox rule, then I have a delegated user open or send from the mailbox if that permission exists. If an admin has access, I test one approved admin action too.

Then I search in Purview Audit by date, user, and activity. For shared mailboxes, Microsoft’s guide on investigating shared mailbox activities is useful because it shows how to trace delegate actions that often matter in assessments.
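The test-event search described above, as an added script that is not from the original post. It assumes Search-UnifiedAuditLog is still available in the tenant and that the caller holds an audit-reader role; the mailbox addresses and evidence path are placeholders.

```powershell
# Added example (not from the original post). Assumes Search-UnifiedAuditLog is
# available and the caller can read audit data. $owner and $delegate are
# placeholder accounts: the test mailbox owner and the delegate who opened the shared mailbox.
Connect-ExchangeOnline -ShowBanner:$false

$owner    = 'audit.test@example.com'       # placeholder
$delegate = 'delegate.test@example.com'    # placeholder
$start = (Get-Date).AddHours(-2)           # window that covers the test events
$end   = Get-Date

# Operations that map to the test plan: owner delete, rule change, delegate access and send.
$ops = @('SoftDelete','HardDelete','MoveToDeletedItems','UpdateInboxRules',
         'New-InboxRule','Set-InboxRule','MailItemsAccessed','SendAs','SendOnBehalf')

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -UserIds $owner, $delegate -Operations $ops -ResultSize 5000

# AuditData is a JSON blob; pull out the fields an assessor asks about.
$parsed = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $r.CreationDate
        Operation = $r.Operations
        ActedBy   = $d.UserId                      # account that performed the action
        LogonType = $(switch ($d.LogonType) { 0 {'Owner'} 1 {'Admin'} 2 {'Delegate'} default {$_} })
        Mailbox   = $d.MailboxOwnerUPN             # mailbox the action touched
        ClientIP  = $d.ClientIPAddress
        # MailItemsAccessed records carry an IsThrottled flag once Microsoft's volume limit is hit
        Throttled = ($d.OperationProperties | Where-Object Name -eq 'IsThrottled').Value
    }
}

# Confirm each planned test produced at least one record before taking screenshots.
$plan = @{
    'Owner delete'    = @('SoftDelete','HardDelete','MoveToDeletedItems')
    'Rule change'     = @('UpdateInboxRules','New-InboxRule','Set-InboxRule')
    'Delegate access' = @('MailItemsAccessed','SendAs','SendOnBehalf')
}
foreach ($step in $plan.Keys) {
    $seen = $parsed | Where-Object { $_.Operation -in $plan[$step] }
    '{0,-16} {1}' -f $step, $(if ($seen) { "captured ($($seen.Count))" } else { 'MISSING - retest' })
}

# Save the parsed records with a timestamp as part of the evidence package.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$parsed | Sort-Object When | Export-Csv -Path "C:\CMMC-Evidence\MailboxAudit\test-events-$stamp.csv" -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```

A step reported as MISSING usually means the action was taken by an account outside the -UserIds filter or the event has not been indexed yet; rerun the search before concluding the control failed.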

My evidence package usually includes:

  • screenshots of org and mailbox verification results
  • the exact PowerShell output I used for validation
  • a Purview search showing the test events
  • a short procedure that names who reviews logs, how often, and what triggers follow-up

I also note retention. CMMC doesn’t reward vague promises, so I map mailbox audit retention to my broader audit log retention plan and licensing model. If the business needs longer evidence windows, I document how I’ll preserve logs outside a short default search period.

Common mistakes show up fast. Teams assume defaults are enough, never test delegate actions, or forget that mailbox auditing is not the same as admin auditing. Others give too many people Purview Audit access, which weakens separation of duties.

In my work with Small Business IT teams, this control fits into bigger programs: Cloud Infrastructure, Office 365 Migration, Data Center Technology, and Cybersecurity Services. It also supports Endpoint Security, Device Hardening, Cloud Management, Secure Cloud Architecture, and Business Continuity & Security. A strong Business Technology Partner brings Technology Consulting, Infrastructure Optimization, Digital Transformation, IT Strategy for SMBs, Managed IT for Small Business, Innovative IT Solutions, and Tailored Technology Services into one plan. Even in operational spaces like Restaurant POS Support and Kitchen Technology Solutions, the same rule applies: log what matters, protect access, and prove the control works.

Conclusion

The strongest move I make with Exchange Online mailbox auditing is simple: I verify, test, and save evidence. Defaults help, but they don’t replace validation.

For CMMC Level 2, mailbox auditing is useful when it’s tied to Purview searches, least-privilege access, retention decisions, and repeatable review steps. If I can show that a known mailbox event was captured, reviewed, and preserved, I’m in a far better place for an assessment.


Discover more from Guide to Technology
