Export (0) Print
Expand All

View the administrator audit log

Exchange 2013
 

Applies to: Exchange Server 2013, Exchange Online Protection, Exchange Online

Topic Last Modified: 2014-08-07

In Microsoft Exchange Online Protection (EOP), Microsoft Exchange Online, and Microsoft Exchange 2013, you can use the Exchange admin center (EAC) to search for and view entries in the administrator audit log. The administrator audit log records specific actions, based on Exchange Management Shell cmdlet, performed by administrators and users who have been assigned administrative privileges. Entries in the administrator audit log provide you with information about what cmdlet was run, which parameters were used, who ran the cmdlet, and what objects were affected.

NoteNote:
  • The administrator audit log doesn’t record any action that is based on an Exchange Management Shell cmdlet that begins with the verbs Get, Search, or Test.

  • Audit log entries are kept for 90 days. When an entry is older than 90 days, it's deleted.

  • Estimated time to complete: 5 minutes

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "View reports" entry in the Feature permissions in EOP topic.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

TipTip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

  1. In the EAC, navigate to Compliance management > Auditing, and choose View the administrator audit log.

  2. Choose a Start date and End date, and then choose Search. All configuration changes made during the specified time period are displayed, and can be sorted, using the following information:

    • Date   The date and time that the configuration change was made. The date and time are stored in Coordinated Universal Time (UTC) format.

    • Cmdlet   The name of the cmdlet that was used to make the configuration change.

    • User   The name of the user account of the user who made the configuration change.

    Up to 5000 entries will be displayed on multiple pages. Specify a smaller date range if you need to narrow your results. If you select an individual search result, the following information is displayed in the details pane:

    • Object modified   The object that was modified by the cmdlet.

    • Parameters (Parameter:Value)   The cmdlet parameters that were used, and any value specified with the parameter.

  3. If you want to print a specific audit log entry, choose the Print button in the details pane.

If you’ve successfully run an administrator audit log report, configuration changes made within the date range you specify are displayed in the search results pane. If there are no results, change the date range and then run the report again.

NoteNote:
When a change is made in your organization, it may take up to 15 minutes to appear in audit log search results. If a change doesn't appear in the administrator audit log, wait a few minutes and run the search again.
 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft