How to check mailbox user last five days IP details from where he has logged in?

Shabaz Ahmed 141 Reputation points
2021-04-21T03:37:30.99+00:00

Hi All,

Spam mail containing a phishing link has been sent from one of our mailbox users to all of his contacts. We suspect his email ID and password have been compromised. Kindly suggest how to check the IP address from where his account has been logged in for the past five days.

Regards,
Shabaz

@JeffYang-MSFT

Exchange | Exchange Server | Management

Accepted answer
  1. Lucas Liu-MSFT 6,191 Reputation points
    2021-04-22T03:11:28.443+00:00

    Hi @Shabaz Ahmed ,
    What version of Exchange Server is this?
    1. We could view the client IP from the mailbox audit log. But there are some restrictions:
    1) The mailbox audit log is disabled by default, so please run the following command to see if the mailbox audit log is enabled for the user mailbox.

    Get-Mailbox -Identity <> | fl *audit*  
    

    2) Auditing for owner logins to a mailbox works only for POP3, IMAP4, or OAuth logins. It doesn't work for NTLM or Kerberos logins to the mailbox. You can log in to Outlook, right-click the small Outlook icon, select "Connection status", and check the authentication method in "Authn".
    3) If the mailbox audit log is enabled and can record the mailbox logins, you could run the following command to search the mailbox audit log.

    Search-MailboxAuditLog -Identity <> -LogonTypes Admin,Delegate,Owner -StartDate <> -EndDate <> -ResultSize 2000 -ShowDetails  
    

    For more information you could refer to: Mailbox audit logging in Exchange Server and Search-MailboxAuditLog

    2. Please run the following command to check the message tracking log and view the mail sent by the user through the log. Then check whether there is "Send/Sendexternal" under the event ID parameter. Then run the second command to view the client IP.

    Get-Messagetrackinglog -Sender "<usermailbox>" -Start "<>" -End "<>"   
    Get-Messagetrackinglog -Sender "<usermailbox>" -Start "<>" -End "<>" -EventID <sendexternal or send> | fl *client*  
    

    For more information you could refer to: Search Message Tracking Logs

    3. According to my research on similar cases, we can also query the client IP of the login mailbox from the IIS log, but the process is very complicated. You can refer to the steps marked as answers in this similar case: Exchange 2016: How to audit mailbox user access to get their IP?
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
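
The IIS log route mentioned in step 3 of the answer above, as an added example that is not part of the original answer or of Microsoft's documentation: it reads IIS W3C log lines, keeps the requests made under one account in the last five days, and summarizes them per client IP. The function name, the account name forms and the sample log lines are constructed for illustration, and it assumes the logs carry a `#Fields:` header that includes `date`, `time`, `cs-uri-stem`, `cs-username` and `c-ip`.

```powershell
# Added example. Assumes IIS W3C logs with a "#Fields:" header; names are hypothetical.
function Get-IisLogonIpSummary {
    param(
        [string[]] $Line,                             # raw log lines
        [Parameter(Mandatory)] [string[]] $UserName,  # forms the account is logged under
        [int] $Days = 5,
        [datetime] $NowUtc = [datetime]::UtcNow       # IIS timestamps are UTC
    )
    $cutoff = $NowUtc.AddDays(-$Days)
    $fields = @()
    $hits = foreach ($l in $Line) {
        if ($l.StartsWith('#Fields:')) {              # header sets the column order
            $fields = $l.Substring(8).Trim() -split ' '
            continue
        }
        if ($l.StartsWith('#') -or -not $l.Trim() -or -not $fields) { continue }
        $v = $l -split ' '
        if ($v.Count -ne $fields.Count) { continue }  # skip truncated lines
        $r = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $r[$fields[$i]] = $v[$i] }
        if ($UserName -notcontains $r['cs-username']) { continue }  # case-insensitive
        $stamp = "$($r['date']) $($r['time'])"
        $t = [datetime]::ParseExact($stamp, 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        if ($t -lt $cutoff -or $t -gt $NowUtc) { continue }
        [pscustomobject]@{ Time = $t; Ip = $r['c-ip']; Path = $r['cs-uri-stem'] }
    }
    $hits | Group-Object Ip | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            ClientIp  = $_.Name
            Requests  = $_.Count
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
            Endpoints = @($_.Group.Path | ForEach-Object { '/' + ($_ -split '/')[1] } | Sort-Object -Unique) -join ','
        }
    } | Sort-Object FirstSeen
}

# Constructed sample lines (documentation IP ranges, made-up account).
$sample = @(
    '#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status'
    '2021-04-14 08:00:00 POST /owa/auth.owa CONTOSO\jdoe 192.0.2.10 302'
    '2021-04-19 09:12:44 POST /owa/auth.owa CONTOSO\jdoe 192.0.2.10 302'
    '2021-04-20 02:31:07 POST /EWS/Exchange.asmx contoso\jdoe 203.0.113.77 200'
    '2021-04-20 02:31:09 POST /EWS/Exchange.asmx CONTOSO\asmith 198.51.100.5 200'
    '2021-04-20 02:35:50 GET /owa/ jdoe@contoso.example 203.0.113.77 200'
)
Get-IisLogonIpSummary -Line $sample -UserName 'CONTOSO\jdoe','jdoe@contoso.example' -NowUtc '2021-04-21'
```

For real logs, pass the output of `Get-Content` over the server's IIS log files as `-Line`. When the server sits behind a load balancer or reverse proxy, `c-ip` holds that device's address rather than the end client's.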

