Forum Discussion
Email Entity - Preview Email
Hello,
Currently, there is no specific audit event that logs when a user clicks the “Email Preview” button on the email entity page in Microsoft 365 security portals.
The preview function is a rendering of the MIME content by the security service layer. It is not considered a traditional mailbox access (such as Outlook, EWS, MAPI, or delegate access). Because of this, there is no dedicated event like “EmailPreviewViewed” recorded in the audit logs.
However, what can be monitored in practice is the AdminMailAccess event. This event is generated when an administrator accesses the content of a mail item in an administrative context.
You can find this event in Microsoft Purview (Audit log) by filtering on:
Operation = AdminMailAccess
It can also be queried in Microsoft Defender XDR using Advanced Hunting with the CloudAppEvents table.
Example KQL query:
CloudAppEvents
| where ActionType == "AdminMailAccess"
| extend data = RawEventData["ExtendedProperties"]
| extend OpenedMailbox = data[1].["Value"]
| extend OpenedEmail = url_decode(tostring(data[2].["Value"]))
| project AccountDisplayName, ActionType, OpenedMailbox, OpenedEmail
| join EmailEvents on $left.OpenedEmail == $right.InternetMessageId
| project Timestamp,
    Actor = AccountDisplayName,
    OpenedMailbox,
    SenderFromAddress,
    RecipientEmailAddress,
    Subject,
    ReportId
| order by Timestamp desc
This allows you to identify:
– Who accessed the email
– Which mailbox was accessed
– The specific message (via InternetMessageId)
– Sender, recipient, subject, and report ID
It is important to note that not every preview scenario may generate AdminMailAccess, depending on how the backend processes that specific action. There is still no granular “button click” level auditing.
If insider risk is a concern, the recommended controls are:
– Limit privileged roles such as Security Administrator, Compliance Administrator, and eDiscovery Manager
– Enforce Privileged Identity Management (PIM) with just-in-time activation
– Monitor privileged role assignments and activations
– Create analytic rules (e.g., in Microsoft Sentinel) to detect abnormal volumes of AdminMailAccess, access outside business hours, or access to VIP mailboxes
In summary, there is no direct audit log for clicking “Email Preview,” but AdminMailAccess can be used as the closest available monitoring mechanism, combined with proper RBAC and PIM governance controls.
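Added example, not part of the original post: a sketch of the analytic rule logic suggested above, flagging per-actor daily AdminMailAccess volume, off-hours access, and access to VIP mailboxes. The VIP addresses, the threshold, and the business hours are constructed assumptions to tune, and the ExtendedProperties index for the mailbox follows the query in the post.

```kql
// Added example. All values in the let statements are assumptions.
let VipMailboxes = dynamic(["ceo@example.com", "cfo@example.com"]); // constructed placeholders, lowercase
let DailyThreshold = 20;   // assumed per-actor daily volume threshold
let WorkStartHour = 7;     // assumed business hours, in UTC
let WorkEndHour = 19;
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType == "AdminMailAccess"
| extend data = RawEventData["ExtendedProperties"]
// Same index as the post's query: element 1 holds the opened mailbox.
| extend OpenedMailbox = tolower(tostring(data[1].["Value"]))
// Off-hours: outside the assumed working window, or on Saturday/Sunday.
| extend OffHours = hourofday(Timestamp) < WorkStartHour
    or hourofday(Timestamp) >= WorkEndHour
    or dayofweek(Timestamp) == 0d
    or dayofweek(Timestamp) == 6d
| extend VipAccess = OpenedMailbox in (VipMailboxes)
| summarize AccessCount = count(),
            OffHoursCount = countif(OffHours),
            VipCount = countif(VipAccess),
            Mailboxes = make_set(OpenedMailbox, 50)
    by Actor = AccountDisplayName, Day = bin(Timestamp, 1d)
// Alert when any of the three conditions from the post is met.
| where AccessCount > DailyThreshold or OffHoursCount > 0 or VipCount > 0
| order by Day desc, AccessCount desc
```

Timestamps in CloudAppEvents are UTC, so shift the working window to match the administrators' local time before using this as a scheduled rule.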