Export the Administrator Audit Log

Applies to: Office 365 for professionals and small businesses, Office 365 for enterprises, Live@edu

Administrator audit logging records specific actions performed by administrators and users who've been assigned administrative privileges. Any action that is based on a Windows PowerShell cmdlet and doesn't begin with the verbs Get, Search, or Test is logged in the administrator audit log. That means that whenever an administrator uses Windows PowerShell, the Exchange Control Panel, or Outlook Web App > Options to perform any action that creates, modifies, or deletes an object, the action is logged in the administrator audit log.

When you search for and export entries from the administrator audit log, Microsoft Exchange saves the search results in an XML file and then attaches it to an e-mail message sent to the specified recipients within 24 hours.

This topic explains the following:

  • Configure Outlook Web App to allow XML attachments
  • Export the administrator audit log
  • View the exported administrator audit log
  • Quota for the administrator audit log

Configure Outlook Web App to allow XML attachments

When you export the administrator audit log, Microsoft Exchange attaches the audit log, which is an XML file, to an e-mail message. However, Outlook Web App blocks XML attachments by default. You have to configure Outlook Web App to allow XML attachments so that you can access the exported audit log. Alternatively, you can use Microsoft Outlook to view the administrator audit log.

Run the following command to allow XML attachments in Outlook Web App:

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes '.rpmsg','.xlsx','.xlsm','.xlsb','.tiff','.pptx','.pptm','.ppsx','.ppsm','.docx','.docm','.zip','.xls','.wmv','.wma','.wav','.vsd','.txt','.tif','.rtf','.pub','.ppt','.png','.pdf','.one','.mp3','.jpg','.gif','.doc','.bmp','.avi','.xml'

Export the administrator audit log

  1. Select Manage My Organization > Roles & Auditing > Auditing.
  2. Click Export the administrator audit log.
  3. Configure the following search criteria for exporting the entries from the administrator audit log:
    • Start and end dates   Select the date range for the entries to include in the exported file.
    • Recipients   Select the users to send the administrator audit log to.
  4. Click Export.
    Microsoft Exchange retrieves entries in the administrator audit log that meet your search criteria, saves them to a file named SearchResult.xml, and then attaches the XML file to an e-mail message sent to the specified recipients within 24 hours.

Note To access and run any of the reports on the Auditing Reports tab in the Exchange Control Panel, a user has to be assigned the necessary permissions. For more information, see the "Give users access to Auditing Reports" section of Use Auditing Reports in Exchange Online.

View the administrator audit log

To open or save the SearchResult.xml file:

  1. Sign in to the mailbox where the administrator audit log was sent.
  2. In the Inbox, open the message with the XML file attachment sent by Microsoft Exchange. Notice that the body of the e-mail message contains the search criteria.
  3. Click the attachment and select to open or save the XML file.

Entries in the administrator audit log

The administrator audit log contains an entry for each cmdlet, and its parameters, that has been run by an administrator. The following example shows two entries. Each entry is preceded by the <Event> XML tag and ends with the </Event> XML tag.

The first entry shows that administrator audit logging was enabled on April 26, 2010. The second entry shows litigation hold was enabled on the mailbox annb.

<Event Caller="PPLNSL-dom.extest.microsoft.com/Microsoft Exchange Hosted Organizations/contoso.com/Administrator"
  Cmdlet="Set-AdminAuditLogConfig"
  ObjectModified="Admin Audit Log Settings"
  RunDate="4/26/2010 11:22:40 PM" Succeeded="true" Error="None">
  <CmdletParameters>
    <Parameter Name="AdminAuditLogEnabled" Value="True" />
  </CmdletParameters>
  <ModifiedProperties>
    <Property Name="AdminAuditLogFlags" OldValue="" NewValue="AdminAuditLogEnabled" />
    <Property Name="AdminAuditLogEnabled" OldValue="False" NewValue="True" />
    <Property Name="ObjectState" OldValue="Unchanged" NewValue="Changed" />
  </ModifiedProperties>
</Event>
<Event Caller="PPLNSL-dom.extest.microsoft.com/Microsoft Exchange Hosted Organizations/contoso.com/Administrator"
  Cmdlet="Set-Mailbox"
  ObjectModified="annb"
  RunDate="4/27/2010 10:56:07 PM" Succeeded="true" Error="None">
  <CmdletParameters>
    <Parameter Name="LitigationHoldEnabled" Value="True" />
    <Parameter Name="Identity" Value="8a015de3-8597-416e-bbda-de48eaa95f8" />
  </CmdletParameters>
  <ModifiedProperties>
    <Property Name="ElcMailboxFlags" OldValue="ElcV2" NewValue="ElcV2, LitigationHold" />
    <Property Name="LitigationHoldEnabled" OldValue="False" NewValue="True" />
    <Property Name="LitigationHoldDate" OldValue="" NewValue="4/27/2010 10:56:06 PM" />
    <Property Name="ObjectState" OldValue="Unchanged" NewValue="Changed" />
  </ModifiedProperties>
</Event>

Note

Only the first 1,024 characters of the values for each property listed in the administrator audit log are audited. So only those characters will be included in the log.

Useful fields in the administrator audit log

Watch for these fields. They can help you identify specific information about each cmdlet run by an administrator.

Field   Description

  • Caller   The user who ran the cmdlet.
  • Cmdlet   The cmdlet that was run by the user in the Caller field.
  • ObjectModified   The name of the object that was modified by the cmdlet.
  • RunDate   The date and time when the cmdlet was run.
  • Succeeded   Specifies whether the cmdlet ran successfully. The value is either True or False.
  • Error   Contains the error message if the cmdlet failed to complete successfully.
  • Parameter Name   The name of the parameter that was specified when the cmdlet was run.
  • Value   The value that was provided for the parameter specified in the Parameter Name field.
  • Property Name   The name of the property that was changed when the cmdlet was run.
  • OldValue   The value for the property before it was changed.*
  • NewValue   The value for the property after it was changed.*

* The value for this field can be very large. As stated earlier, only the first 1,024 characters are included in the administrator audit log.
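The fields above can be pulled out of an exported file with a short script. The following PowerShell is an added example, not part of the original topic or Microsoft's code: it reads entries in the format shown earlier, lists failed cmdlets and changes to the audit log configuration first, and marks property values long enough to have been cut at 1,024 characters. The sample XML is constructed; the root element name, the en-US date format, and the helper name Get-AuditLogEntry are assumptions.

```powershell
# Constructed sample in the format shown above. The root element name is an
# assumption; the XPath below matches <Event> wherever it sits.
[xml]$log = @'
<SearchResults>
 <Event Caller="contoso.com/Administrator" Cmdlet="Set-Mailbox" ObjectModified="annb"
   RunDate="4/27/2010 10:56:07 PM" Succeeded="true" Error="None">
  <CmdletParameters><Parameter Name="LitigationHoldEnabled" Value="True" /></CmdletParameters>
  <ModifiedProperties>
   <Property Name="LitigationHoldEnabled" OldValue="False" NewValue="True" />
  </ModifiedProperties>
 </Event>
 <Event Caller="contoso.com/Administrator" Cmdlet="Set-AdminAuditLogConfig"
   ObjectModified="Admin Audit Log Settings"
   RunDate="4/28/2010 1:05:12 AM" Succeeded="true" Error="None">
  <CmdletParameters><Parameter Name="AdminAuditLogEnabled" Value="False" /></CmdletParameters>
  <ModifiedProperties>
   <Property Name="AdminAuditLogEnabled" OldValue="True" NewValue="False" />
  </ModifiedProperties>
 </Event>
</SearchResults>
'@

function Get-AuditLogEntry {
    param([Parameter(Mandatory = $true)][xml]$Xml)
    $enUS = [Globalization.CultureInfo]::GetCultureInfo('en-US')  # assumed: RunDate as in the sample
    foreach ($e in $Xml.SelectNodes('//Event')) {
        $props = @($e.SelectNodes('ModifiedProperties/Property'))
        [pscustomobject]@{
            RunDate   = [datetime]::Parse($e.GetAttribute('RunDate'), $enUS)
            Caller    = $e.GetAttribute('Caller')
            Cmdlet    = $e.GetAttribute('Cmdlet')
            Object    = $e.GetAttribute('ObjectModified')
            Succeeded = $e.GetAttribute('Succeeded') -eq 'true'   # -eq ignores case
            Error     = $e.GetAttribute('Error')
            Changes   = @($props | ForEach-Object {
                '{0}: [{1}] -> [{2}]' -f $_.GetAttribute('Name'), $_.GetAttribute('OldValue'), $_.GetAttribute('NewValue') })
            # Values are cut at 1,024 characters, so a value of that length may be incomplete.
            MaybeTruncated = @($props | Where-Object {
                $_.GetAttribute('OldValue').Length -ge 1024 -or $_.GetAttribute('NewValue').Length -ge 1024
            } | ForEach-Object { $_.GetAttribute('Name') })
        }
    }
}

$entries = Get-AuditLogEntry -Xml $log | Sort-Object RunDate
# Review first: failed cmdlets and any change to the audit log configuration itself.
$entries | Where-Object { -not $_.Succeeded -or $_.Cmdlet -eq 'Set-AdminAuditLogConfig' } |
    Format-List RunDate, Caller, Cmdlet, Object, Error, Changes, MaybeTruncated
```

To run it against a real export, replace the constructed sample with `[xml]$log = Get-Content -Raw .\SearchResult.xml`.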

Quota for the administrator audit log

The administrator audit log is stored in the Recoverable Items folder, a hidden system mailbox that was called the dumpster in previous versions of Microsoft Exchange. The quota for the Recoverable Items folder is 30 GB. Audit log entries are kept for 90 days, and then deleted. If the Recoverable Items folder reaches 80% of the 30 GB quota—which is unlikely—an alert will be sent to Microsoft datacenter administrators.