Mailbox Auditing for Office 365 – Part 1

Many Office 365 customers I talk to are concerned about how to audit changes to their organization’s mailboxes within Exchange Online. How do I track changes to the administrator roles in my tenant? How do I know if someone’s mailbox has been accessed by another person? How do I verify Litigation Hold is working? Read on and all shall become clear.

Where are the audit controls in Exchange Online?

If we ‘re going to exploring the auditing in Exchange Online, we’re going to need to know where the controls are. In this blog post, we’re going to focus on the GUI interface, not PowerShell. As with all things Exchange, everything can be done in PowerShell but I’m only going to talk about the GUi today.

To access the auditing control, launch the Exchange Online ECP ( and navigate to “compliance management > auditing” as shown in the screenshot below. Office 365 keeps 90 days of auditing information which can be viewed via these reports.

Exchange admin center

I see eight reports, so what do they do?

As of this writing (December 2015) there are eight reports available in the Exchange auditing section. These reports allow you to gather all the information you’ll need about who changed what in your Office 365 tenant. These reports will show both changes made by your administrators as well as changes made by Microsoft.

Wait, Microsoft makes changes to my Office 365 tenant?

Of course. Microsoft is constantly updating and improving Office 365 and Exchange Online. Servers are updated, databases are moved, maintenance is performed, all kinds of things done on your behalf. The important thing is you can see what changes Microsoft makes to your tenant using one of these reports. The specific report that shows what changes Microsoft has made is “Run the external admin audit log report…”.

In my tenant Microsoft has made 441 changes that are logged in this report over the last 90 days. In my case all these changes were made by automated systems doing routine tasks. I’ll note here that there is a new feature in Office 365 under the E5 license called “lockbox”. This feature gives you control over approval to allow Microsoft support engineers access to your tenant. Lockbox does not hold up standard automated maintenance tasks for your approval, but it does put you in the approval process for giving a person access to anything in your tenant that could include access to your data.

Can I see who is added and removed from Admin roles in Exchange Online?

The next audit report I’d like to look at is the “Run an administrator role group report…”. This report shows changes to the membership of administrator role groups as well as creation, copying, and deleting administrator role groups. The below screenshot shows the interface.

Exchange admin center

The interface is pretty much the same for all reports, so I’ll not reproduce separate screenshots of each here.

The report can be run for a specific time (although the data is only preserved for 90 days, so any start date or end date more than 90 days ago will not produce data), and limited to a specific role group. If no specific role group is defined, then all administrator role groups will be included in the search scope.

My tenant has no data for the search listed. I did add an account to the Organization Administrator role, but it takes some time for changes to show in the results. It would be a good best practice for any organization with an Office 365 tenant to run this report at least once a month to monitor membership changes to the administrator role groups.

Got it. What else is in those reports? Lots of stuff, but it’s going to have to wait for Part 2. Check back soon.

Nathan O’Bryan
MCSM: Messaging | MVP: Office Servers and Services | @MCSMLab