office 365 - How to Find Email Forwarding Creation/Modification Logs

Mohamed Ali ABIDI 201 Reputation points


We want to verify the person (if it is the administrator or the holder of the email address) who created and/or modified the email forwarding.


In the Azure Active Directory and Compliance audit logs, we can't find any information.

Do you have any idea.

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,447 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Vasil Michev 98,766 Reputation points MVP

    Depending on the type of forwarding, the user might have configured it himself. In any case, you can check the Admin audit log in Exchange:

    Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ForwardingAddress,ForwardingSmtpAddress -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date).AddDays(1)  

    Keep in mind that you can only search for events from maximum of 90 days ago.

  2. Dillon Silzer 54,931 Reputation points

    Hi @Mohamed Ali ABIDI

    This can be found the Cloud App Security at in the Activity Log

    You will want to set the following in Activity Type (you can use the search and type in Forward)


    Take a search through the logs as it will tell you who made the adjustment and to what mailbox.


    You can also set up an Alert for future incidents:


    If this is helpful please accept answer.