An Organization uses Exchange Online. You enable mailbox audit logging for all mailboxes.
User1 reports that her mailbox has been accessed by someone else.
You need to determine whether someone other than the mailbox owner has accessed the mailbox. What should you do?
A. Run the following Windows PowerShell command:Search-MailboxAuditLog-Identity User1-LogonTypes Admin, Delegate, External-ShowDetails
B. In theExchange Admin Center, navigate to the In-place eDiscovery & Hold section of the Protection page. Run a non-owner mailbox access report.
C. In the Exchange Admin Center, navigate to the In-place eDiscovery & Hold section of the Compliance Management page.Run a non-owner mailbox access report.
D. Run the following Windows PowerShell command:New-AdminAuditLogSearch-Identity User1-LogonTypes Admin, Delegate, External-ShowDetails
Correct Answer: C
Explanation/Reference:
The Non-Owner Mailbox Access Report in the Exchange Administration Center (EAC) lists the mailboxes that have been accessed bysomeone other than the person who owns the mailbox.
Run a non-owner mailbox access report
In the EAC, navigate to Compliance Management > Auditing.
Click Run a non-owner mailbox access report.
By default, Microsoft Exchange runs the report for non-owner access to any mailboxes in the organization over the past two weeks. The mailboxes listed in the search results have been enabled for mailbox audit logging.
To view non-owner access for a specific mailbox, select the mailbox from the list of mailboxes. Viewthe search results in the details pane.
Note: When a mailbox is accessed by a non-owner, Microsoft Exchange logs information about this action in a mailbox audit log that’s stored as an email message in a hidden folder in the mailbox being audited. Entries from this log are displayed as search results and include a list of mailboxes accessed by a nonowner, who accessed the mailbox and when, the actions performed by the non-owner, and whether the action was successful.
References:https://technet.microsoft.com/en-us/library/jj150575(v=exchg.150).aspx
