Encrypted message portal activity log by Microsoft Purview Advanced Message Encryption

Access logs are available for encrypted messages through the encrypted message portal that lets your organization determine when messages are read, and forwarded by your external recipients. To ensure logs are available for any external recipients, you should apply a custom branding template to protected emails sent by your organization to external recipients that enforces a portal experience. See Add your organization's brand to your encrypted messages.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Enabling message access audit logs in PowerShell

Access log can be enabled using Exchange Online PowerShell. The EnablePortalTrackingLogs parameter of the Set-IrmConfiguration cmdlet specifies whether to enable the audit logs of accessing the encrypted message portal. Valid values are:

• $true: Turn on audit feature.
• $false: Turn off audit feature

Example:

Set-IrmConfiguration -EnablePortalTrackingLogs $true

To learn more, see Set-IRMConfiguration (ExchangePowerShell).

Message access audit information

The access log contains entries for messages sent through the encrypted message portal for the following types of activity:

• External user login timestamp and authentication method
• External user read messages or attachments
• Attachment download
• mail replies and forward

For more information on the message access log schema, see Audit log activities.

Search for events in the message access logs

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

Microsoft Purview portal

Complete the following steps to get started with search:

1. Sign into the Microsoft Purview portal.
2. Select the Audit solution card. If the Audit solution card isn't displayed, select View all solutions and then select Audit from the Core section.
3. Under Search, select the drop-down for Activities and type encrypted message portal activities.
4. Under encrypted message portal activities, select the event types to use in the search. Set the date range for the search (default is the previous week), you can also optionally add a particular user in your organization for the search. When ready, select Search.
5. Select an event from the list to view the audit properties.

Compliance portal

Complete the following steps to view the events captured in the message access logs:

1. In the Microsoft Purview compliance portal, under Solutions, select Audit.
2. Under Search, select the drop-down for Activities and type encrypted message portal activities.
3. Under encrypted message portal activities, select the event types to use in the search. Set the date range for the search (default is the previous week), you can also optionally add a particular user in your organization for the search. When ready, select Search.
4. Select an event from the list to view the audit properties.