Microsoft Security Blog

Multi-Geo Exchange Online Admin Audit Logs

rtarunkumar, Microsoft
Apr 14, 2023

We’re excited to announce that Exchange admin audit logs are now available from all geo locations for Multi-Geo tenants in Office 365. This feature applies only to tenants that use Multi-Geo Capabilities in Microsoft 365 with a Multi-Geo license. In a Multi-Geo environment, a Microsoft 365 tenant consists of a primary provisioned location (where the Microsoft 365 subscription was originally provisioned) and one or more satellite locations.

Before this feature was released, Exchange admin audit events were available only for the primary provisioned location. With this rollout, Exchange admin audit events are available from satellite locations as well.

Tenant admins can use Microsoft Purview and the Search-UnifiedAuditLog cmdlet to search the Exchange admin audit log events generated from satellite locations. All tenants utilizing Multi-Geo Capabilities in Office 365 have this feature enabled by default if audit logging is turned on.

To verify that auditing is turned on for your organization, you can run the following command in Exchange Online PowerShell:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

A value of True for the UnifiedAuditLogIngestionEnabled property indicates that auditing is turned on. A value of False indicates that auditing isn't turned on.

Let’s look at an example:

When an EUR administrator changes the litigation hold on a mailbox using the Set-Mailbox cmdlet, the event is sent to Office 365 audit storage via the auditing event pipeline.

PS C:\Users\euradmin> Set-Mailbox user@contoso.OnMicrosoft.com -LitigationHoldEnabled $false

Tenant administrators can use the following methods to search for this event:

Events can be searched within a specified date range, and the results can be filtered on specific criteria, such as the user who performed the action or the target object.

$start = (Get-Date).AddDays(-1); $end = (Get-Date);

Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds euradmin@contoso.OnMicrosoft.com
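
The litigation hold example above, taken one step further as an added script (not part of the original post): it confirms audit ingestion is on, then pulls ExchangeAdmin records for Set-Mailbox and reports each change that turned litigation hold off. The AuditData property names (Parameters, ObjectId, OriginatingServer) are assumed from the documented Exchange admin audit schema, and the one-day window and 5000-record limit are illustrative choices.

```powershell
# Added example. Run in an Exchange Online PowerShell session (Connect-ExchangeOnline).

# 1. Stop early if unified audit ingestion is off: nothing would be recorded.
$config = Get-AdminAuditLogConfig
if (-not $config.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'UnifiedAuditLogIngestionEnabled is False; admin events are not being ingested.'
    return
}

# 2. Search the last 24 hours (illustrative window) for Set-Mailbox admin events.
$start = (Get-Date).AddDays(-1)
$end   = Get-Date
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType ExchangeAdmin -Operations 'Set-Mailbox' -ResultSize 5000

# 3. AuditData is a JSON string; keep only events that touched LitigationHoldEnabled.
$holdChanges = foreach ($record in $records) {
    $data = $record.AuditData | ConvertFrom-Json
    $hold = $data.Parameters | Where-Object { $_.Name -eq 'LitigationHoldEnabled' }
    if ($hold) {
        [pscustomobject]@{
            TimeUtc           = $record.CreationDate
            Admin             = $record.UserIds
            Mailbox           = $data.ObjectId
            HoldEnabled       = [string]$hold.Value    # normalise to text before comparing
            OriginatingServer = $data.OriginatingServer # assumed schema field: server that ran the cmdlet
        }
    }
}

# 4. Report the events where the hold was switched off, oldest first.
$holdChanges |
    Where-Object { $_.HoldEnabled -eq 'False' } |
    Sort-Object TimeUtc |
    Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5000 records per call; for larger result sets, page through them with -SessionId and -SessionCommand ReturnLargeSet.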


The Office 365 Management APIs provide a single extensibility platform for all Office 365 customers' and partners' management tasks, including service communications, security, compliance, reporting, and auditing.

Most auditing data will be available within 60-90 minutes, but it may take up to 24 hours after an event occurs for the corresponding audit log entry to be displayed in the search results. Refer to "Before you search the audit log", which shows the time it takes for events in the different services to become available.

Note:

Exchange admin audit events from satellite locations are not available through Search-AdminAuditLog.

Resources:

Updated Apr 14, 2023
Version 3.0
  • Yay! And at the same time - what took you so long?! Any plans to address the mailbox log scenario?