Audit reports microsoft exchange

Multi-tenant Support — Easily manage multiple office tenants from a single window. AI-powered Graphical Analytics — Get insights into any report and understand the data better in a visually appealing manner. Rich Filters — Apply filter on any columns to see only the required information and save the filter for future use.

Easy Customization — Allows you to easily customize the reports by rearranging, adding, or removing the columns and their size. User Friendly — Do complex tasks with few mouse clicks using a simple to use web-based interface. Granular Access Delegation — Allow non-admins to view reports and statistics. Easy Setup — Easy to set up. Search the role group changes or admin audit logs.

View and export the external admin audit log Exchange Online only. By default, admin audit log entries are kept for 90 days. When an entry is older than 90 days, it's deleted. This setting can't be changed in a cloud-based organization. However, it can be changed in an on-premises Exchange organization by using the Set-AdminAuditLog cmdlet. Export mailbox audit logs : When mailbox audit logging is enabled for a mailbox, Exchange Online stores a record of actions performed on mailbox data by non-owners in the mailbox audit log, which is stored in a hidden folder in the mailbox being audited.

Mailbox audit logging can also be configure to log owner actions. Entries in this log indicate who accessed the mailbox and when, the actions performed, and whether the action was successful. When you search for entries in the mailbox audit log and export them, Exchange Online saves the search results in an XML file and attaches it to an email message.

For more information, see Export mailbox audit logs. When you export the mailbox audit log or admin audit log the log is attached as an XML file in an email message. If you want to use Outlook on the web to access exported audit logs, you need to configure Outlook on the web to allow XML attachments.

For detailed syntax and parameter information, see Set-OwaMailboxPolicy. When you run any of the following reports on the Auditing page in the EAC, the results are displayed in the details pane of the report:. Run a non-owner mailbox access report : Use this report to find mailboxes that have been accessed by someone other than the person who owns the mailbox. For more information, see Run a non-owner mailbox access report.

For more information, see Search the role group changes or admin audit logs. Run a per-mailbox Litigation Hold report : Use this report to find mailboxes that were put on, or removed from, litigation hold. For more information, see Run a per-mailbox litigation hold report. Instead of exporting the admin audit log, which can take up to 24 hours to receive in an email message, you can run this report in the EAC. This report records configuration changes made by admins in your organization.

Up to entries will be displayed on multiple pages. To narrow the search, you can specify a date range. A valid value depends on how the object is represented in the audit log. For example:. You'll likely need to use other filtering parameters on this cmdlet to narrow down the results and identify the types of objects that you're interested in. The UserIds parameter filters the results by the user who made the change who ran the cmdlet. The cmdlet returns a maximum of 1, log entries by default.

Use the ResultSize parameter to specify up to , log entries. Or, use the value Unlimited to return all entries. For detailed syntax and parameter information, see Search-AdminAuditLog. The Search-AdminAuditLog cmdlet returns the fields described in the Audit log contents section later in this article.

Of the fields returned by the cmdlet, two fields, CmdletParameters and ModifiedProperties , contain additional information that isn't returned by default. To view the contents of the CmdletParameters and ModifiedProperties fields, use the following steps.

Decide the criteria you want to search for, run the Search-AdminAuditLog cmdlet, and store the results in a variable using the following command. You can select an array element by specifying its array element index. Array element indexes start at zero 0 for the first array element. For example, to retrieve the 5th array element, which has an index of 4, use the following command.

The previous command returns the log entry stored in array element 4. To see the contents of the CmdletParameters and ModifiedProperties fields for this log entry, use the following commands. To view the contents of the CmdletParameters or ModifiedParameters fields in another log entry, change the array element index.

Each audit log entry contains the information described in the following table. The audit log contains one or more audit log entries. Skip to main content. This browser is no longer supported.