How to Find Send As Records in the Office 365 Audit Log

Searching for Mailbox Audit Records

The Office 365 audit log ingests mailbox audit records from Exchange Online. In the past, you might have used the Search-MailboxAuditLog cmdlet to look for audit records for a specific mailbox. For instance, here’s a command that looks for Exchange Send As audit events recorded when a delegate (to a shared mailbox or user mailbox) sends a message and impersonates the mailbox:

Search-MailboxAuditLog -Identity "Customer Compliants" -LogonTypes Delegate -StartDate "1-Oct-2018 12:00" -EndDate "3-Nov-2018 17:00" -ShowDetails | ? {$_.Operation -eq "SendAs"} | Select LogonUserDisplayName, LastAccessed

LogonUserDisplayName LastAccessed
-------------------- ------------
James Ryan           2 Nov 2018 12:13:35
James Ryan           2 Nov 2018 11:57:33

You can still use the Search-MailboxAuditLog cmdlet, but it might be more convenient to use the Office 365 audit log, if only because the audit log is a common place to go looking for events ingested from all the Office 365 workloads, which means that the same technique works for all workloads. The audit records are available for up to 90 days for E1/E3 users and 365 days for E5 users.

Searching the Office 365 Audit Log

Here’s how to use PowerShell to search the Office 365 audit log for information about delegates sending messages for another user with the Exchange Send As permission. The audit data property of each event is formatted in JSON, so we unpack it to find the values that we want to report. Each workload generates its own audit data payload, so some effort is necessary to figure out what the audit data contains for different events.

[array]$Records = (Search-UnifiedAuditLog -StartDate 1-Nov-2018 -EndDate 2-Nov-2018 -Operations "SendAs" -ResultSize 1000)
If ($Records.Count -eq 0) {
    Write-Host "No Send As records found." }
Else {
    Write-Host "Processing" $Records.Count "audit records..."
$Report = @()
ForEach ($Rec in $Records) {
$AuditData = ConvertFrom-Json $Rec.Auditdata
$ReportLine = [PSCustomObject]@{
    TimeStamp = $AuditData.CreationTime
    User      = $AuditData.UserId
    Action    = $AuditData.Operation
    Status    = $AuditData.ResultStatus
    SentBy    = $AuditData.MailboxOwnerUPN
    SendAs    = $AuditData.SendAsUserSmtp
    Item      = $AuditData.Item.Subject }
$Report += $ReportLine
$Report | Select Timestamp, Action, User, SendAs

TimeStamp           Action User                           SendAs
---------           ------ ----                           ------
2018-11-02T12:13:28 SendAs
2018-11-02T11:57:29 SendAs

Mailbox events are available in the Office 365 audit between 15 and 30 minutes after they occur. The delay is due to the need for the ingestion process to run, find events in Exchange, and process them into Office 365 audit events before including them in the log.

Chapter 21 in the Office 365 for IT Pros eBook is the place to go to learn much more about using the Office 365 audit log. We have many more examples there.

3 Replies to “How to Find Send As Records in the Office 365 Audit Log”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.