M365 Security Portal - Audit Logs

Question

Dear All,

I have security admin access, under email and collaboration - explorer. I can see all important users email and i can preview and download it. My management wanted to audit or disable this feature. Please advice on how to do it. No where it is getting audited.

Email Preview.png

Answer 1

Hi，

Thanks for posting your question in the Microsoft Q&A forum.

This is the method I offered based on your description :

1. If management wants to audit the administrator's actions on email, they can search the audit logs in Microsoft purview.

2. According to the official Microsoft documentation I looked up, it's because your role group has the Preview role that you can view or download emails.

You find the Data Investigator or eDiscovery Manager role group in Permissions in Microsoft Defender(https://security.microsoft.com/emailandcollabpermissions) to see if you are in this role group. If yes, remove the Preview role. If not, check if there is a custom role group and remove the Preview role.

Here are my tests:

1. I added myself to the Data Investigator role group.

2.Found myself available to view or download emails.

3. Then removed myself from the role group and tested again and found that I could not view or download the email.

Finally, there is a delay in this modification, so it is recommended to wait 24 hours after the modification.

If my answer is helpful to you, please mark it as the answer so that other users can refer to it. Thank you for your support and understanding.