office 365 - How to Find Email Forwarding Creation/Modification Logs

Mohamed Ali ABIDI 201 Reputation points
2022-10-19T14:15:25.657+00:00

Hello,

We want to verify the person (if it is the administrator or the holder of the email address) who created and/or modified the email forwarding.

252092-image.png

In the Azure Active Directory and Compliance audit logs, we can't find any information.

Do you have any idea.

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,447 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Vasil Michev 98,766 Reputation points MVP
    2022-10-19T15:38:09.993+00:00

    Depending on the type of forwarding, the user might have configured it himself. In any case, you can check the Admin audit log in Exchange:

    Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ForwardingAddress,ForwardingSmtpAddress -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date).AddDays(1)  
    

    Keep in mind that you can only search for events from maximum of 90 days ago.


  2. Dillon Silzer 54,931 Reputation points
    2022-10-19T15:41:45.213+00:00

    Hi @Mohamed Ali ABIDI

    This can be found the Cloud App Security at https://portal.cloudappsecurity.com/#/audits in the Activity Log

    You will want to set the following in Activity Type (you can use the search and type in Forward)

    252102-image.png

    Take a search through the logs as it will tell you who made the adjustment and to what mailbox.

    252035-image.png

    You can also set up an Alert for future incidents:

    https://mattsoseman.wordpress.com/2020/07/20/govern-suspicious-inbox-forwarding-rules-using-microsoft-cloud-app-security/

    ---------------------------------

    If this is helpful please accept answer.