Using the Office 365 Audit Log to Find SendAs Events

Searching for Mailbox Audit Records

The Office 365 audit log ingests mailbox audit records from Exchange Online. In the past, you might have used the Search-MailboxAuditLog cmdlet to look for audit records for a specific mailbox. For instance, here’s a command that looks for SendAs events recorded when a delegate (to a shared mailbox or user mailbox) sends a message and impersonates the mailbox:

You can still use the Search-MailboxAuditLog cmdlet, but it might be more convenient to use the Office 365 audit log, if only because the audit log is a common place to go looking for events ingested from all the Office 365 workloads, which means that the same technique works for all workloads. The audit records are available for up to 90 days for E1/E3 users and 365 days for E5 users.

Searching the Office 365 Audit Log

Here’s how to use PowerShell to search the Office 365 audit log for information about delegates sending messages for another user with the SendAs permission. The audit data property of each event is formatted in JSON, so we unpack it to find the values that we want to report. Each workload generates its own audit data payload, so some effort is necessary to figure out what the audit data contains for different events.

Mailbox events are available in the Office 365 audit between 15 and 30 minutes after they occur. The delay is due to the need for the ingestion process to run, find events in Exchange, and process them into Office 365 audit events before including them in the log.

Chapter 21 in the Office 365 for IT Pros eBook is the place to go to learn much more about using the Office 365 audit log. We have many more examples there.


One Reply to “Using the Office 365 Audit Log to Find SendAs Events”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.