Exchange Audit Log Retention : ECM Insights

Audit Vault for M365

A powerful and cost-effective solution to retain and surface your Microsoft 365 audit log records.

Retain your Microsoft Exchange Audit Log Records

Why Use Audit Vault for M365:

Audit Vault for M365 will retain all audit log records from Microsoft Exchange. Track various system, user and admin events from Microsoft Exchange and securely preserve those records within Audit Vault for M365. All without the need to purchase expensive Microsoft licenses.

Gain visibility into Microsoft Exchange Configuration Issues.

Track access to users Mailbox’s.

Stay compliant with regulatory policies such as HIPAA, GDPR, or FISMA by performing security assessments.

Track deleted or moved sensitive emails

What type of audit information is retained from Microsoft Exchange?

Below is a listing of all the audit properties that Audit Vault for M365 preserves from Microsoft Exchange. Run reports to track down user's mailbaox activity, and detect suspicious activity such as deleting sensitive emails.

Audit Properties Retained from SharePoint Online

Property	Description
Creation Time:	The date and time when the audit event or operation occurred in Exchange. Stored in UTC Time.
Microsoft Id:	Unique Id of the audit log from Microsoft.
Operation:	The name of activity or event that had occurred when generating the exchange audit log. Examples: AddFolderPermissions Add-MailboxPermission Add-RecipientPermission Create disable-Mailbox Enable-AddressListPaging HardDelete Install-AdminAuditLogConfig Install-DataClassificationConfig Install-DefaultSharingPolicy Install-ResourceConfig MailItemsAccessed ModifyFolderPermissions MoveToDeletedItems New-App New-ExchangeAssistanceConfig New-InboxRule New-Mailbox New-ReportSubmissionPolicy New-SchedulingMailbox Remove-Mailbox Remove-StoreMailbox Remove-TenantRelocationRequest SendAs SendOnBehalf Set-AdminAuditLogConfig Set-AntiPhishPolicy Set-ExchangeAssistanceConfig Set-InboxRule Set-Mailbox Set-MailboxJunkEmailConfiguration Set-MailboxPlan Set-MalwareFilterPolicy Set-OrganizationConfig Set-OwaMailboxPolicy Set-RecipientEnforcementProvisioningPolicy Set-SyncUser Set-TenantObjectVersion Set-TransportConfig SoftDelete Update
User Id:	The name of the user that performed the action that generated the Exchange Audit Log.
Additional Properties:	Stores any new properties from Exchange Audit Log that are not captured elsewhere.
Affected Items:	Information about each item in the group that resulted from the audit event that created the log entry.
App Access Context:	Contains the Issued at Time and a Unique Token Id for the application context for the user or service principal that performed the action.
App Id:	Contains the Application Id that performed the action.
App Pool Name:	The name of the Application Pool that performed the action.
Client App Id:	The Id of the Microsoft Entra app that performed the access on behalf of the user.
Client Info String:	Information about the email client that was used to perform the operation that created the Exchange Audit Log, such as a browser version, Outlook version, and mobile device information.
Client IP:	The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.
Client IP Address:	The IP address of the device that was used when the operation was logged that generated the audit log. The IP address is displayed in either an IPv4 or IPv6 address format.
Client Machine Name:	The machine name that hosts the Outlook client that created the Exchange log.
Client Process Name:	The email client that was used to access the mailbox.
Client Request Id:	A GUID that is stored in the Exchange Audit log that can be used to correlate this cmdlet with the Security & Compliance Center UX operations. This information is only used by Microsoft support.
Client Version:	The version of the email client.
Company IP:	Contains the Company IP address that triggered the event for which the audit log was created.
Contact Email1 Display Name:	The Contact Email 1 address display name that generated the audit log from Exchange.
Contact Email1 Email Address:	The Contact Email 1 address that generated the audit log from Exchange.
Contact Email2 Display Name:	The Contact Email 2 address display name that generated the audit log from Exchange.
Contact Email2 Email Address:	The Contact Email 2 address that generated the audit log from Exchange.
Cross Mailbox Operation:	Boolean that indicates if the operation involved more than one mailbox when the Exchange audit entry was created.
Cross Mailbox Operations:	Indicates if the operation that created the Exchange audit log is involved more than one mailbox.
Dest Folder:	The destination folder for the event that created the Exchange Audit Log. For operations such as Move.
Dest MailboxId:	Set only if the CrossMailboxOperations parameter is True. Specifies the target mailbox GUID.
Dest Mailbox Owner Master Account id:	Set only if the CrossMailboxOperations parameter is True. Specifies the SID (Security Identifier) for the master account SID of the target mailbox owner that generated the Exchange Audit Log.
Dest Mailbox Owner Sid:	Set only if the CrossMailboxOperations parameter is True. Specifies the SID (Security Identifier) of the target mailbox.
Dest Mailbox Owner UPN:	Set only if the CrossMailboxOperations parameter is True. Specifies the UPN of the owner of the target mailbox.
External Access:	True or False. Specifies whether the cmdlet was run by a user in your organization, by Microsoft datacenter personnel or a datacenter service account, or by a delegated administrator.
Folder:	The folder where a group of items is located.
Folders:	Collection of Exchange folders that has information about the source folders involved in an operation; for example, if folders are selected and then deleted.
Internal Logon Type:	Reserved for Microsoft use only.
Logon Type:	Indicates the type of user who accessed the mailbox and performed the operation that was audited. Examples include: 0 = Owner 1 = Admin 2 = Delegated 3 = Transport (A transport service in the Microsoft datacenter) 4 = SystemService (A service account in the Microsoft datacenter) 5 = BestAccess (Reserved for internal use) 6 = DelegatedAdmin
Logon User Display Name:	The user-friendly name of the user who performed the operation that created the Exchange Audit entry.
Logon User Sid:	The SID (Security Identifier) of the user who performed the operation.
Mailbox Guid:	The GUID of the mailbox in Exchange that was accessed.
Mailbox Owner Master Account Sid:	The Exchange Mailbox owner account's master account SID (Security Identifier).
Mailbox Owner Sid:	The SID of the mailbox owner.
Mailbox Owner UPN:	The email address of the person who owns the mailbox that was accessed.
Modified Object Resolved Name:	This is the user friendly name of the object that was modified by the cmdlet. This is logged only if the cmdlet modifies the object.
Modified roperties:	The property is included for exchange admin events. The property includes the name of the exchange property that was modified, the new value of the modified property, and the previous value of the modified object extracted from the Exchange Audit Log.
Object Id:	For Exchange Audit Records it is the admin audit logging, the name of the object that was modified by the cmdlet.
Operation Count:	The number of Operations involved when generating the Audit Log for Exchange.
Operation Properties:	Contains additional Exchange properties such as MailAccessTyep and IsThrottled values.
Organization Id:	The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs.
Organization Name:	The name of the tenant that created the audit record.
Originating Server:	The name of the server from which the cmdlet was executed that generated the Exchange Audit Log from Microsoft.
Parameters:	The name and value for all the parameters that were used with the cmdlet that is identified in the Exchange Audit Log Operations property.
Record Type:	Stores the Id of the record type for the Exchange Audit Log. Examples: 1: ExchangeAdmin events 2: ExchangeItem events. 3: ExchangeItemGroup events. 50: ExchangeItemAggregated events.
Request Id:	A GUID that can be used to correlate this cmdlet with the Security & Compliance Center UX operations. This information is only used by Microsoft support.
Result Status:	Indicates whether the action (specified in the Operation property) was successful or not.For Exchange admin activity, the value is either True or False.
Scope:	Indicates if this Exchange event was created by a hosted O365 service or an on-premises server.
Send As User Mailbox Guid:	The Exchange GUID of the mailbox that was accessed to send email as.
Send As User Smtp:	SMTP address of the user who is being impersonated when the Exchange activity occurred.
Send On Behalf Of User Mailbox Guid:	SMTP address of the user on whose behalf the email is sent that created the Exchange Audit Log.
Send On Behalf Of User Smtp:	The Exchange GUID of the mailbox that was accessed to send mail on behalf of.
Session Id:	Stores the Session Id that triggered the event for the audit log.
User Key:	An alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange.
User Type:	The type of user that performed the operation that generated the Exchange Audit Log. See the UserType table for details on the types of users. 0 = Regular 1 = Reserved 2 = Admin 3 = DcAdmin 4 = System 5 = Application 6 = ServicePrincipal 7 = CustomPolicy 8 = SystemPolicy
Version:	>The version number of the Microsoft Management Api that executed the request to retrieve the Exchange Audit Logs.
Workload:	The Office 365 service where the activity occurred.

Note: Audit vault for M365 will only store the values for the properties listed above if they are returned from Microsoft. Some information is present only if it is applicable.