0

I wrote a tiny EWS API program in C# to check Exchange audit logs. The test is against an Exchange 2016 server.

When I'm trying to check the admin audit logs folder:

Folder myFolder= Folder.Bind(service, WellKnownFolderName.AdminAuditLogs);

I get an "access is denied" error:

Microsoft.Exchange.WebServices.Data.ServiceResponseException: Access is denied. Check credentials and try again.

Since it's a test environment, I've granted the user I'm using all sort of permissions (domain/enterprise admin in the domain, Organization Management, Records management in Exchange, etc.) and apart from the AdminAuditLogs folder it can query everything w/o error. (Eg. a Folder.Bind(service, WellKnownFolderName.Root works OK.)

Basically it's the same problem as 'Andy' had a few years ago (unanswered Q from social.msdn):

https://social.msdn.microsoft.com/Forums/en-US/56713fb3-f134-4d64-97d0-8516aa2fdedf/mailbox-audit-logging-access-via-ews?forum=exchangesvrdevelopment

BastianW
  • 2,628
  • 7
  • 29
  • 38
dtippel
  • 13
  • 6

1 Answers1

0

As far as I know that folder isn't meant to be accessible via a client API like EWS. Eg because of the security implications that somebody else accessing the Mailbox could edit/delete the Log to hide their actions. All access should be done via the Exchange Management Shell cmdlets

Cheers Glen

Glen Scales
  • 20,495
  • 1
  • 20
  • 23