Mailbox Audit Logging – Admin Logon Type

The Microsoft TechNet article “Understanding Mailbox Audit Logging” contains the following section:

By using mailbox audit logging, you can log mailbox access by mailbox owners, administrators, and delegates (including administrators who have full mailbox access permissions). Mailboxes are considered to be accessed by an administrator only in the following scenarios:

• Discovery search is used to search a mailbox
• The New-MailboxExportRequest cmdlet is used to export a mailbox
• Microsoft Exchange Server MAPI Editor is used to access the mailbox

Recently I investigated how we can audit the actions performed by a software program that used Exchange Web Services to access a mailbox. I was especially interested in how actions are logged if the software is “Using Exchange Impersonation”. I found out the above list is incomplete. Actions performed using impersonation are recorded with Logon Type Admin.

If you use ExFolders to access a mailbox then this is logged with Logon Type Admin, too.