3 methods to audit Exchange Online activity

Auditing Exchange Server activities helps you detect any possible security issues. Learn how to audit Exchange Online with three different methods in this blog post!

Keeping track of Exchange Server activities helps you keep an eye on any configuration issues you might have and helps you meet your organization’s security and compliance requirements. Exchange Online provides both administrator action logging and mailbox logging. Administrator action logging records any actions taken by administrators, while mailbox logging tracks access to a mailbox by an administrator or any other person.

As of January 2019, mailbox auditing is enabled by default for all organizations. Before this default setting, you had to turn on auditing for every user mailbox in the organization to get the full list of actions performed by administrators, mailbox owners, delegates, etc. A set of PowerShell cmdlets made this relatively easy, but it was still an awkward process.

Exchange audit logs in Office 365

All Office 365 audit logs are unified into a single system, and Exchange logs are no different. To search for them, you’ll have to log on to Office 365 with an admin account, go to the Office 365 Security & Compliance or the newer Microsoft 365 compliance portal, and navigate to the Audit log search. You can find it under Search -> Audit log search in the older center and under just Audit in the latest one.

The user interfaces are arranged differently, but the components are pretty much the same in both cases. To access the Exchange events, you’ll want to open the Activities dropdown list, find the Exchange mailbox activities group, and select either the whole group or specific actions within this group. Clicking on Search will send your query to the service, and after a few moments, you should have the search results back.

Exchange audit logs in the Exchange Admin Center

Exchange Online has its own admin center with its set of audit reports. Under Compliance management -> Auditing, you can find several different reports. These reports are much more specific and smarter than the searchable ones in Office 365. They are more helpful if you know what kind of events you’re looking for. For example, one of the reports shows all configuration changes made by Microsoft or delegated admins, another shows changes made to In-Place eDiscovery and In-Place Holds, while a third one tracks all mailbox access by non-owners.

These reports won’t show any information that isn’t already available in the previous searchable logs, so you won’t be missing any events if you want to stick to them.
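Because the same events sit in the unified audit log, the non-owner mailbox access view can be rebuilt from an audit log search export. The following is an added example, not code from the original post or from Microsoft or Syskit: it assumes the export is a CSV with CreationDate, UserIds, Operations and AuditData columns, that AuditData is a JSON record using the Workload, MailboxOwnerUPN and LogonType fields, and it runs on constructed sample rows with hypothetical function names.

```python
import csv
import io
import json

# LogonType in Exchange mailbox audit records: 0 = owner, 1 = admin, 2 = delegate
LOGON_TYPES = {0: "Owner", 1: "Admin", 2: "Delegate"}

# Constructed records: (time, operation, workload, actor, mailbox owner, LogonType)
SAMPLE = [
    ("2021-03-01T08:00:00", "MailItemsAccessed", "Exchange", "alice@contoso.example", "alice@contoso.example", 0),
    ("2021-03-01T09:15:00", "SendAs", "Exchange", "bob@contoso.example", "alice@contoso.example", 2),
    ("2021-03-01T09:30:00", "FileAccessed", "SharePoint", "bob@contoso.example", None, None),
    ("2021-03-01T10:05:00", "HardDelete", "Exchange", "admin@contoso.example", "carol@contoso.example", 1),
]


def build_sample_export():
    """Return a file-like CSV shaped like an audit log search export (assumed layout)."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for when, op, workload, actor, owner, logon in SAMPLE:
        data = {"CreationTime": when, "Operation": op, "Workload": workload, "UserId": actor}
        if owner is not None:
            data.update(MailboxOwnerUPN=owner, LogonType=logon)
        writer.writerow([when, actor, op, json.dumps(data)])
    # Constructed malformed row: AuditData is not valid JSON
    writer.writerow(["2021-03-01T11:00:00", "dave@contoso.example", "Update", "{cut off"])
    out.seek(0)
    return out


def non_owner_access(export_file):
    """Yield Exchange mailbox events performed by an admin or a delegate."""
    for row in csv.DictReader(export_file):
        try:
            data = json.loads(row["AuditData"])
        except (KeyError, TypeError, json.JSONDecodeError):
            continue  # malformed row: skip it rather than abort the review
        if not isinstance(data, dict) or data.get("Workload") != "Exchange":
            continue  # events from other workloads in the same tenant-wide log
        if "MailboxOwnerUPN" not in data:
            continue  # admin cmdlet records carry no mailbox owner
        if data.get("LogonType") in (1, 2):
            yield {"time": data.get("CreationTime"), "operation": data.get("Operation"),
                   "actor": data.get("UserId"), "mailbox": data["MailboxOwnerUPN"],
                   "logon_type": LOGON_TYPES[data["LogonType"]]}
```

To review a real export, pass an open file handle for the downloaded CSV to `non_owner_access` in place of `build_sample_export()`.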

The downsides of Office 365 and Exchange Online Center reporting

None of the methods described here are terribly user friendly. The Security and Compliance Center’s audit log search contains all events made on your Office 365 tenant. That means you’ll need to know which events you’re searching for beforehand to get a meaningful Exchange report. Even when set up, scrolling through the events for additional info is a clunky process.

On the other hand, the Exchange admin center offers a number of very specific reports that effectively filter the Exchange audit log for a specific group of Exchange events. They’re powerful once you get used to them but are not easy to read.

Also worth mentioning is that Microsoft has a new Exchange admin center to which they’re increasingly redirecting users instead of the old Exchange admin center. However, as of this writing it does not yet have a way to access the Exchange audit logs.

Another point worth noting is that you can only retain audit logs for a limited amount of time. If your organization has a non-E5 license, logs will be retained for 90 days, and if you use E5 licenses, logs are kept for up to a year. Depending on your organization’s requirements, this might not be enough.

How Syskit Point helps with Exchange Online audit

Syskit Point collects and stores all Office 365 audit logs automatically. While Exchange audit logs are not collected by default, Syskit Point can be easily set up to store them through the options. Once collected, the audit logs are kept locally for however long you need and can be accessed quickly and easily through our Office 365 auditing reports. 

The reports are easy to find and can be set up to show all Exchange audit logs or just certain events related to specific mailboxes with very little fiddling with filters. Syskit Point also allows you to export those reports to a handy Excel document if you need it.
