How to audit your Exchange Online activity: A step-by-step guide
Table of contents
Keeping track of Exchange Server activities helps you keep an eye on any configuration issues you might have and ensures your organization’s security and compliance requirements. Exchange Online provides both administrator action and mailbox logging. Admin actions record any administrators’ actions, while mailbox logging tracks access to the mailbox by an administrator or any other person.
As of January 2019, mailbox auditing is enabled by default for all organizations. Before this default setting, you had to turn on auditing for every user mailbox in the organization to get the full list of actions performed by administrators, mailbox owners, delegates, etc. Using a PowerShell cmdlet set made this relatively easy, but that was still an awkward process.
Exchange audit logs in Office 365
All Office 365 audit logs are unified into a single system, and Exchange logs are no different. To search for them, you’ll have to log in to Office 365 with an admin account, go to the Microsoft 365 Compliance portal and navigate to Audit.
To access the Exchange events, you’ll want to open the Activities dropdown list and start by searching for Exchange Online related activities in the Activities dropdown. Check one or more results you’re interested in, select the date and time ranges, fill out any other filters to refine your search for events, and click Search.
You should almost immediately see that the page has queued your search report. Unfortunately, the results are not immediate. It may take a couple of minutes to process the audit log with the search parameters you’ve selected.
When the processing is complete, you should be able to click on the search, and that will take you to a new page. This page lists all events relevant to your search query. From here, you can view the details of each audit event, and you have the option of exporting the data in a .csv format.
Exchange audit logs in the Exchange Admin Center
Exchange Online has its own admin center with its set of audit reports. Under Compliance management -> Auditing, you can find several different reports. These reports are much more specific and smarter than the searchable ones in Office 365. They are more helpful if you know what kind of events you’re looking for. For example, one of the reports shows all configuration changes made by Microsoft or delegated admins, another shows changes made to In-Place eDiscovery and In-Place Holds, while a third one tracks all mailbox access by non-owners.
These reports won’t show any information that isn’t already available in the previous searchable logs, so you won’t be missing any events if you prefer those.
Keep in mind that Microsoft is obviously pushing out a new Exchange admin center at https://admin.exchange.microsoft.com, but as of Q1 2024 Auditing has still not been migrated. Additionally, when fetching some reports, there is a warning displayed about deprecating the New-AdminAuditLogSearch cmdlet on 30th April 2024 and urging users to use the Microsoft Purview portal, which just redirects to the general audit log search functionality that I’ve covered at the start of this article.
This might be an oversight on their part, and the warning will go away by the end of April 2024.
The downsides of Office 365 and Exchange Online Center reporting
None of the methods described here are terribly user friendly. The Security and Compliance Center’s audit log search contains all events made on your Office 365 tenant. That means you’ll need to know which events you’re searching for beforehand to get a meaningful Exchange Online report. Even when set up, scrolling through the events for additional info is a clunky process.
On the other hand, the Exchange admin center offers a number of very specific reports that effectively filter the Exchange Online audit log for a specific group of Exchange Online events. They’re powerful once you get used to them but are not easy to read.
Also worth mentioning is that Microsoft has a new Exchange admin center to which they’re increasingly redirecting users instead of the old Exchange admin center. However, as of this writing it does not yet have a way to access the Exchange audit logs.
Another point worth noting is that you can only retain audit logs for a limited amount of time. If your organization has a non-E5 license, logs will be retained for 90 days, and if you use E5 licenses, logs are kept for up to a year. Depending on your organization’s requirements, this might not be enough.
How Syskit Point helps with Exchange Online audit
Syskit Point collects and stores all Office 365 audit logs automatically. While Exchange Online audit logs are not collected by default, Syskit Point can be easily set up to store them through the options. Once collected, the audit logs are kept locally for however long you need and can be accessed quickly and easily through our Microsoft 365 auditing reports.
The reports are easy to find and can be set up to show all Exchange audit logs or just certain events related to specific mailboxes with very little fiddling with filters. Syskit Point also allows the export of those reports to a handy excel document if you so need it.
