Learn more about viewing the administrator audit log
Applies to: Exchange Online, Exchange Server 2013
Administrator audit logging records specific actions performed by administrators and users who have been assigned administrative privileges. Any action that is based on an Exchange Management Shell cmdlet and doesn't begin with the verbs Get, Search, or Test is logged in the administrator audit log. That means that whenever an administrator performs an action that creates, modifies, or deletes an object, the action is logged in the administrator audit log.
You can use the EAC to search for and view entries from the administrator audit log. Log entries provide you with information about what cmdlet was run, which parameters were used, who ran the cmdlet, and what objects were affected. Up to 1000 entries will be displayed on multiple pages. To narrow the search, you can specify a date range. You can sort entries based on the cmdlet that ran, the date when the cmdlet ran, or the user who ran the cmdlet.