Run a non-owner mailbox access report in Exchange Online

The Non-Owner Mailbox Access Report in the Exchange admin center (EAC) lists the mailboxes that have been accessed by someone other than the person who owns the mailbox. When a mailbox is accessed by a non-owner, Exchange Online logs information about this action in a mailbox audit log that's stored as an email message in a hidden folder in the mailbox being audited. Entries from this log are displayed as search results and include a list of mailboxes accessed by a non-owner, who accessed the mailbox and when, the actions performed by the non-owner, and whether the action was successful. By default, entries in the mailbox audit log are retained for 90 days.

When you enable mailbox audit logging for a mailbox, Exchange Online logs specific actions by non-owners, including both administrators and users, called delegated users, who have been assigned permissions to a mailbox. You can also narrow the search to users inside or outside your organization.

What do you need to know before you begin?

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Run a non-owner mailbox access report

  1. In the EAC, go to Compliance Management > Auditing.

  2. Click Run a non-owner mailbox access report.

    By default, Exchange Online runs the report for non-owner access to any mailboxes in the organization over the past two weeks. The mailboxes listed in the search results have been enabled for mailbox audit logging.

  3. To view non-owner access for a specific mailbox, select the mailbox from the list of mailboxes. View the search results in the details pane.

Tip

Want to narrow the search results? Select the start date, end date, or both, and select specific mailboxes to search. Click Search to re-run the report.

Search for specific types of non-owner access

You can also specify the type of non-owner access, also called the logon type, to search for. Here are your options:

  • All non-owners: Search for access by admins and delegated users inside your organization, and by Microsoft datacenter administrators in Exchange Online.

  • External users: Search for access by Microsoft datacenter administrators.

  • Administrators and delegated users: Search for access by admins and delegated users inside your organization.

  • Administrators: Search for access by admins in your organization.

How do you know this worked?

To verify that you've successfully run a non-owner mailbox access report, check the search results pane. Mailboxes that you ran the report for are displayed in this pane. If there are no results for a specific mailbox, it's possible there hasn't been access by a non-owner or that non-owner access hasn't taken place within the specified date range. As previously described, be sure to verify that audit logging has been enabled for the mailboxes you want to search for access by non-owners.

What gets logged in the mailbox audit log?

When you run a non-owner mailbox access report, entries from the mailbox audit log are displayed in the search results in the EAC. Each report entry contains this information:

  • Who accessed the mailbox and when

  • The actions performed by the non-owner

  • The affected message and its folder location

  • Whether the action was successful

For detailed information, see Mailbox actions for user mailboxes and shared mailboxes.