![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 74%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDK%3C/text%3E%3C/svg%3E)
Microsoft Exchange Online
A Microsoft email and calendaring hosted service.
1,419 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 80%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAL%3C/text%3E%3C/svg%3E)
Hello @Daniel Klobnak !
I understand you need Audit Logs for Outlook Client as well
I have to point you to
https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-activities?view=o365-worldwide
and particularly Search-UnifiedAuditLog
As you can see below :
You can also search for mailbox activities by using the Search-MailboxAuditLog cmdlet in Exchange Online PowerShell.
| Accessed mailbox items | MailItemsAccessed | Messages were read or accessed in mailbox. Audit records for this activity are triggered in one of two ways: when a mail client (such as Outlook) performs a bind operation on messages or when mail protocols (such as Exchange ActiveSync or IMAP) sync items in a mail folder. This activity is only logged for users with an Office 365 or Microsoft 365 E5 license. Analyzing audit records for this activity is useful when investigating compromised email account. For more information, see the "Audit (Premium) events" section in Audit (Premium). |
| Added delegate mailbox permissions | Add-MailboxPermission | An administrator assigned the FullAccess mailbox permission to a user (known as a delegate) to another person's mailbox. The FullAccess permission allows the delegate to open the other person's mailbox, and read and manage the contents of the mailbox. The audit record for this activity is also generated when a system account in the Microsoft 365 service periodically performs maintenance tasks in behalf of your organization. A common task performed by a system account is updating the permissions for system mailboxes. For more information, see System accounts in Exchange mailbox audit records. |
| Added or removed user with delegate access to calendar folder | UpdateCalendarDelegation | A user was added or removed as a delegate to the calendar of another user's mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar. |
| Added permissions to folder | AddFolderPermissions | A folder permission was added. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders. |
| Copied messages to another folder | Copy | A message was copied to another folder. |
| Created mailbox item | Create | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox. For example, a new meeting request is created. Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder isn't audited. |
| Created new inbox rule in Outlook web app | New-InboxRule | A mailbox owner or other user with access to the mailbox created an inbox rule in the Outlook web app. |
| Deleted messages from Deleted Items folder | SoftDelete | A message was permanently deleted or deleted from the Deleted Items folder. These items are moved to the Recoverable Items folder. Messages are also moved to the Recoverable Items folder when a user selects it and presses Shift+Delete. |
| Labeled message as a record | ApplyRecordLabel | A message was classified as a record. Occurs when a retention label that classifies content as a record is manually or automatically applied to a message. |
| Moved messages to another folder | Move | A message was moved to another folder. |
| Moved messages to Deleted Items folder | MoveToDeletedItems | A message was deleted and moved to the Deleted Items folder. |
| Modified folder permission | UpdateFolderPermissions | A folder permission was changed. Folder permissions control which users in your organization can access mailbox folders and the messages in the folder. |
| Modified inbox rule from Outlook web app | Set-InboxRule | A mailbox owner or other user with access to the mailbox modified an inbox rule using the Outlook web app. |
| Purged messages from the mailbox | HardDelete | A message was purged from the Recoverable Items folder (permanently deleted from the mailbox). |
| Removed delegate mailbox permissions | Remove-MailboxPermission | An administrator removed the FullAccess permission (that was assigned to a delegate) from a person's mailbox. After the FullAccess permission is removed, the delegate can't open the other person's mailbox or access any content in it. |
| Removed permissions from folder | RemoveFolderPermissions | A folder permission was removed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders. |
| Sent message | Send | A message was sent, replied to or forwarded. This activity is only logged for users with an Office 365 or Microsoft 365 E5 license. For more information, see the "Audit (Premium) events" section in Audit (Premium). |
| Sent message using Send As permissions | SendAs | A message was sent using the SendAs permission. This means that another user sent the message as though it came from the mailbox owner. |
| Sent message using Send On Behalf permissions | SendOnBehalf | A message was sent using the SendOnBehalf permission. This means that another user sent the message on behalf of the mailbox owner. The message indicates to the recipient whom the message was sent on behalf of and who actually sent the message. |
| Updated inbox rules from Outlook client | UpdateInboxRules | A mailbox owner or other user with access to the mailbox created, modified, or removed an inbox rule by using the Outlook client. |
| Updated message | Update | A message or its properties was changed. |
| User signed in to mailbox | MailboxLogin | The user signed in to their mailbox. |
| Label message as a record | A user applied a retention label to an email message and that label is configured to mark the item as a record. |
Before you search the audit log
Be sure to review the following items before you start searching the audit log.
- Audit log search is turned on by default for Microsoft 365 and Office 365 enterprise organizations. To verify that audit log search is turned on, you can run the following command in Exchange Online PowerShell:
PowerShell
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
The value of True for the UnifiedAuditLogIngestionEnabled property indicates that audit log search is turned on. For more information, see Turn audit log search on or off.
Important
Be sure to run the previous command in Exchange Online PowerShell. Although the Get-AdminAuditLogConfig cmdlet is also available in Security & Compliance PowerShell, the UnifiedAuditLogIngestionEnabled property is always False, even when audit log search is turned on.
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards