Microsoft launched the MailItemsAccessed audit event (to capture when email is opened) in January, reversed the roll-out in April, and now might restart sometime in Q3. It’s an odd situation that isn’t really explained by a statement from Microsoft. Are they going to charge extra for this audit event? Will they be analyzing the events? Or does Office 365 capture too many mail items accessed events daily?
Announced in January, paused in March – that’s the fate of the MailItemsAccessed audit record generated by Exchange Online for the Office 365 audit log. Microsoft found some problems that they are fixing, which is good (because you want audit data to be reliable). And when the fixes are available, the deployment of the new audit record will restart.
Exchange Online will soon capture audit records for any access to a message in a mailbox. Initially, the audit records will not be ingested into the Office 365 audit log, but that will happen in the future.
Exchange Online sends its mailbox audit records to the Office 365 audit log. You can search the log to discover who deleted messages from mailboxes, normally only an issue when delegates are involved.