This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello,
We want to verify the person (if it is the administrator or the holder of the email address) who created and/or modified the email forwarding.
In the Azure Active Directory and Compliance audit logs, we can't find any information.
Do you have any idea.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 31%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJX%3C/text%3E%3C/svg%3E)
Hi @Mohamed Ali ABIDI ,
Have you tried the methods offered by michev and DillonJS? If it works, you could mark the useful repliy as an answer, thank you!
hi, is there any progress with the issue?
Depending on the type of forwarding, the user might have configured it himself. In any case, you can check the Admin audit log in Exchange:
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ForwardingAddress,ForwardingSmtpAddress -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date).AddDays(1)
Keep in mind that you can only search for events from maximum of 90 days ago.
You can adjust the Start date to up to 90 days, my example above only covers the last 10 days. And, this only cover changes made via the Set-Mailbox cmdlet, so it will only show events where another user/admin configured the forwarding via the Set-Mailbox cmdlet.
This can be found the Cloud App Security at https://portal.cloudappsecurity.com/#/audits in the Activity Log
You will want to set the following in Activity Type (you can use the search and type in Forward)
Take a search through the logs as it will tell you who made the adjustment and to what mailbox.
You can also set up an Alert for future incidents:
---------------------------------
If this is helpful please accept answer.
My Azure premium P1 license does not allow me to see all features of Microsoft Defender for Cloud Apps Discovery.
The Investigate menu does not appear in my Microsoft Defender for Cloud Apps Discovery portal.
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 49%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWM%3C/text%3E%3C/svg%3E)
Have they changed this? I cannot find anything to do with forwarding in the Activity Type field.
