View the admin audit log in Exchange Online

In Exchange Online organizations or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you can use the Exchange admin center (EAC) or PowerShell to search for and view entries in the admin audit log.

The admin audit log records specific actions, based on Exchange Online PowerShell or standalone Exchange Online Protection PowerShell cmdlets, done by admins and users who have been assigned administrative privileges. Entries in the admin audit log provide you with information about what cmdlet was run, which parameters were used, who ran the cmdlet, and what objects were affected.

Notes:

• Admin auditing logging is enabled by default, and you can't disable it.
• The admin audit log doesn't record actions based on cmdlets that begins with the verbs Get, Search, or Test.
• When a change is made in your organization, it may take up to 15 minutes to appear in audit log search results. If a change doesn't appear in the admin audit log, wait a few minutes and run the search again.
• Audit log entries are kept for 90 days. When an entry is older than 90 days, it's deleted.

What do you need to know before you begin?

• To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online.

• To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone Exchange Online Protection PowerShell see Connect to Exchange Online Protection PowerShell.

• You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "View-only administrator audit logging" entry in the Feature permissions in Exchange Online topic.

• For information about keyboard shortcuts that may apply to the procedures in this article, see Keyboard shortcuts for the Exchange admin center in Exchange Online.

Use the EAC to view the admin audit log

1. In the EAC, go to Compliance management > Auditing, and then choose Run the admin audit log report.

2. In the Search for changes to administrator role groups page that opens, choose a Start date and End date (the default range is the past two weeks), and then choose Search. All configuration changes made during the specified time period are displayed, and can be sorted, using the following information:

   • Date: The date and time that the configuration change was made. The date and time are stored in Coordinated Universal Time (UTC) format.

   • Cmdlet: The name of the cmdlet that was used to make the configuration change.

   • User: The name of the user account of the user who made the configuration change.

     Up to 5000 entries will be displayed on multiple pages. Specify a smaller date range if you need to narrow your results. If you select an individual search result, the following additional information is displayed in the details pane:

   • Object modified: The object that was modified by the cmdlet.

   • Parameters (Parameter:Value): The cmdlet parameters that were used, and any value specified with the parameter.

3. If you want to print a specific audit log entry, choose the Print button in the details pane.

Use PowerShell to view the admin audit log

You can use Exchange Online PowerShell or standalone Exchange Online Protection PowerShell to search for audit log entries that meet the criteria you specify. Use the following syntax:

Search-AdminAuditLog [-Cmdlets <Cmdlet1,Cmdlet2,...CmdletN>] [-Parameters <Parameter1,Parameter2,...ParameterN>] [-StartDate <UTCDateTime>] [-EndDate <UTCDateTime>] [-UserIds <"User1","User2",..."UserN">] [-ObjectIds <"Object1","Object2",..."ObjectN">] [-IsSuccess <$true | $false>]

Notes:

• You can only use the Parameters parameter together with the Cmdlets parameter.

• The ObjectIds parameter filters the results by the object that was modified by the cmdlet. A valid value depends on how the object is represented in the audit log. For example:

  • Name
  • Canonical distinguished name (for example, contoso.com/Users/Akia Al-Zuhairi)

  You'll likely need to use other filtering parameters on this cmdlet to narrow down the results and identify the types of objects that you're interested in.

• The UserIds parameter filters the results by the user who made the change (who ran the cmdlet).

• For the StartDate and EndDate parameters, if you specify a date/time value without a time zone, the value is in Coordinated Universal Time (UTC). To specify a date/time value for this parameter, use either of the following options:

  • Specify the date/time value in UTC: For example, "2016-05-06 14:30:00z".
  • Specify the date/time value as a formula that converts the date/time in your local time zone to UTC: For example, (Get-Date "5/6/2016 9:30 AM").ToUniversalTime(). For more information, see Get-Date.

• The cmdlet returns a maximum of 1,000 log entries by default. Use the ResultSize parameter to specify up to 250,000 log entries. Or, use the value Unlimited to return all entries.

This example performs a search for all audit log entries with the following criteria:

• Start date: August 4, 2019
• End date: October 3, 2019
• Cmdlets: Update-RoleGroupMember

Search-AdminAuditLog -Cmdlets Update-RoleGroupMember -StartDate (Get-Date "08/04/2019").ToUniversalTime() -EndDate (Get-Date "10/03/2019").ToUniversalTime()

For detailed syntax and parameter information, see Search-AdminAuditLog.

View details of audit log entries

The Search-AdminAuditLog cmdlet returns the fields described in the Audit log contents section later in this article. Of the fields returned by the cmdlet, two fields, CmdletParameters and ModifiedProperties, contain additional information that isn't returned by default.

To view the contents of the CmdletParameters and ModifiedProperties fields, use the following steps.

1. Decide the criteria you want to search for, run the Search-AdminAuditLog cmdlet, and store the results in a variable using the following command.

   $Results = Search-AdminAuditLog <search criteria>
   

2. Each audit log entry is stored as an array element in the variable $Results. You can select an array element by specifying its array element index. Array element indexes start at zero (0) for the first array element. For example, to retrieve the 5th array element, which has an index of 4, use the following command.

   $Results[4]
   

3. The previous command returns the log entry stored in array element 4. To see the contents of the CmdletParameters and ModifiedProperties fields for this log entry, use the following commands.

   $Results[4].CmdletParameters
   $Results[4].ModifiedProperties
   

4. To view the contents of the CmdletParameters or ModifiedParameters fields in another log entry, change the array element index.

Audit log contents

Each audit log entry contains the information described in the following table. The audit log contains one or more audit log entries.