What’s Happening with the MailItemsAccessed Audit Event

Announced in January, Pulled in April, Back in September?

In April 2019, Microsoft rolled back the deployment of code to capture MailItemsAccessed events in the Office 365 audit log (and Exchange mailbox audit log, which feeds into the Office 365 log). At the time, Microsoft said that they planned to restart the rollout “soon,” but they haven’t given an update since.

I asked Microsoft for a status and received this:

“The M365 Auditing product group has an update on audit capabilities. Earlier this year, we announced that availability of Exchange [Online] MailItemsAccessed event was being rolled back. We are actively working on getting these events added into the audit logs and expect staged roll out to start in Q3 of this calendar year. Exact licensing requirements to access these events will be announced closer to roll out. In addition to this, we are working on enabling Longer term retention capability for audit events. Later in the year, we also plan to add more events and capabilities to our audit feature set. More details will be made available closer to release dates. Customers that want to evaluate these new events and features before subscribing will be able to do so with trial subscriptions. We are excited to get these capabilities in the hands of our customers and look forward to getting their feedback.”

Interpreting the Words of the Wise

Here’s what I took out of the statement:

  • Microsoft expects to restart the roll-out in Q3. That could be next week, it could be at the end of September.
  •  “Exact licensing requirements to access these events” is both interesting and worrying. The MailItemsAccessed event captures details of when an email is opened. I can’t imagine any scenario where Microsoft could justify licensing of the ingestion of these events into the Office 365 audit log and reporting (by the tenant) thereafter. ISVs will also be interested in using these events for their reports. But perhaps Microsoft has something interesting up their sleeves where they use these events for deeper analysis and understanding of how email is used within a tenant (like Workplace Analytics or MyAnalytics). If so, they might be able to justify an add-on license.
  • I’m not sure why so much effort is needed to get the MailItemsAccessed events back into the Office 365 audit log unless a) the events are not being captured reliably or b) the storage of so many items (for 180 million active Office 365 users open a lot of messages daily) is proving to be a challenge. In either case, Microsoft isn’t saying.
  • More events and capabilities to our audit feature set.” Well, more data is welcome, if the audit events aren’t truncated or otherwise malformed when they get to the Office 365 audit log.
  • “We are excited, etc.” Well, it’s July 4 next week, so I shall let that piece of motherhood and apple pie go by without comment.

In a nutshell, we’re working on getting MailItemsAccessed events back into the Office 365 audit log and it’ll be done by the end of Q3. Or something like that.

We await further developments.

Update October 23: Microsoft is bringing the MailItemsAccessed audit event back, but you’ll have to pay for a new Microsoft Audit 365 feature to get it. See Petri.com for more details.

Do you struggle to keep up-to-date with changing situations in Office 365? The Office 365 for IT Pros team specializes in tracking developments and then reporting what we find in the book You should have a copy!

3 Replies to “What’s Happening with the MailItemsAccessed Audit Event”

  1. This alert is saying we have multiple users accessing emails from Hungary.

    It is even reporting activity when users are asleep.

    Anyone else finding issues with this alert?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.