If you plan to audit owner mailbox access within your Exchange Online organization, native audit logging must be enabled for user, shared, equipment, linked, and room mailboxes:
- Access type: Owner
- Actions: SoftDelete, HardDelete, Move, UpdateCalendarDelegation, UpdateFolderPermissions, MailboxLogin, MailItemsAccessed, MoveToDeletedItems
Note: Read access auditing significantly increases the number of generated audit events which might affect performance and reporting.
Important: When auditing owner mailbox activity, the search results may include the subjects of emails. This means that potentially sensitive information contained in email subject lines could be displayed during reviews or searches. We recommend reviewing your organization’s privacy policies and informing relevant stakeholders to ensure that sensitive data exposure is managed in accordance with your compliance requirements.