Email Entity - Preview Email
Hello all,
I want to ask if there is a way to monitor and be alerted when someone is viewing an email from the email entity page by clicking "Email Preview". I couldn't find any documentation, and the action is not registered in any audit logs. Maybe I am missing something so please feel free to share some info regarding this issue since I believe it can have a major impact if a disgruntled security employee chooses to leak info from private emails.
Nick
5 Replies
Hello,
Currently, there is no specific audit event that logs when a user clicks the “Email Preview” button on the email entity page in Microsoft 365 security portals.
The preview function is a rendering of the MIME content by the security service layer. It is not considered a traditional mailbox access (such as Outlook, EWS, MAPI, or delegate access). Because of this, there is no dedicated event like “EmailPreviewViewed” recorded in the audit logs.
However, what can be monitored in practice is the AdminMailAccess event. This event is generated when an administrator accesses the content of a mail item in an administrative context.
You can find this event in Microsoft Purview (Audit log) by filtering on:
Operation = AdminMailAccess
It can also be queried in Microsoft Defender XDR using Advanced Hunting with the CloudAppEvents table.
Example KQL query:
CloudAppEvents
| where ActionType == "AdminMailAccess"
| extend data = RawEventData["ExtendedProperties"]
| extend OpenedMailbox = data[1].["Value"]
| extend OpenedEmail = url_decode(tostring(data[2].["Value"]))
| project AccountDisplayName, ActionType, OpenedMailbox, OpenedEmail
| join EmailEvents on $left.OpenedEmail == $right.InternetMessageId
| project Timestamp,
    Actor = AccountDisplayName,
    OpenedMailbox,
    SenderFromAddress,
    RecipientEmailAddress,
    Subject,
    ReportId
| order by Timestamp desc

This allows you to identify:
– Who accessed the email
– Which mailbox was accessed
– The specific message (via InternetMessageId)
– Sender, recipient, subject, and report ID

It is important to note that not every preview scenario may generate AdminMailAccess, depending on how the backend processes that specific action. There is still no granular “button click” level auditing.
If insider risk is a concern, the recommended controls are:
– Limit privileged roles such as Security Administrator, Compliance Administrator, and eDiscovery Manager
– Enforce Privileged Identity Management (PIM) with just-in-time activation
– Monitor privileged role assignments and activations
– Create analytic rules (e.g., in Microsoft Sentinel) to detect abnormal volumes of AdminMailAccess, access outside business hours, or access to VIP mailboxes

In summary, there is no direct audit log for clicking “Email Preview,” but AdminMailAccess can be used as the closest available monitoring mechanism, combined with proper RBAC and PIM governance controls.
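The following is an added example, not part of the reply above or of any participant's post: one way to express the analytic rule suggested in the last bullet, reusing the thread's ExtendedProperties parsing. The threshold, business hours and VIP addresses are assumed placeholder values to tune per tenant.

```kusto
// Added example: flags AdminMailAccess activity per actor per hour.
// All let-values below are assumptions, not values from the thread.
let lookback = 1d;
let volumeThreshold = 20;   // assumed: accesses per actor per hour considered abnormal
let businessStart = 7;      // assumed business hours, in UTC (Timestamp is UTC)
let businessEnd = 19;
// Constructed placeholder addresses; replace with the tenant's VIP mailboxes (lowercase).
let vipMailboxes = dynamic(["ceo@contoso.example", "cfo@contoso.example"]);
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == "AdminMailAccess"
| extend data = RawEventData["ExtendedProperties"]
| extend OpenedMailbox = tolower(tostring(data[1].["Value"]))
// Keep the time of the access itself, not the delivery time of the message.
| extend AccessTime = Timestamp
| extend OutsideHours = hourofday(AccessTime) < businessStart
                     or hourofday(AccessTime) >= businessEnd
| extend VipAccess = OpenedMailbox in (vipMailboxes)
| summarize Accesses = count(),
            DistinctMailboxes = dcount(OpenedMailbox),
            OutsideHoursCount = countif(OutsideHours),
            VipCount = countif(VipAccess),
            VipTargets = make_set_if(OpenedMailbox, VipAccess)
    by AccountDisplayName, bin(AccessTime, 1h)
// Alert on any one of the three conditions named in the recommendation.
| where Accesses > volumeThreshold or OutsideHoursCount > 0 or VipCount > 0
| order by AccessTime desc
```

Because it summarizes before any join, the output time is the hour in which the access happened; join to EmailEvents afterwards only if message details are needed in the alert.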
- raj27 Copper Contributor
It can be done by getting the "Data Investigator" role in Purview > roles and groups
- PatrickEl Copper Contributor
Hey Nick,
have you found a solution? I couldn't find any.
Thanks a lot.
Regards Patrick
- PatrickEl Copper Contributor
I found it! compliance portal - audits - Activities - operation names = AdminMailAccess
- Nick_MTB Brass Contributor
Hello PatrickEl
I missed your reply, my apologies.
We did find a solution and we also found a KQL that we converted to an analytic rule:
CloudAppEvents
| where ActionType == "AdminMailAccess"
| extend data = RawEventData["ExtendedProperties"]
| extend OpenedMailbox = data[1].["Value"]
| extend OpenedEmail = url_decode(tostring(data[2].["Value"]))
| project AccountDisplayName, ActionType, OpenedMailbox, OpenedEmail
| join EmailEvents on $left.OpenedEmail == $right.InternetMessageId
| project Timestamp , Actor = AccountDisplayName, ActionType, OpenedMailbox, SenderFromAddress, RecipientEmailAddress, Subject, ReportId
| order by Timestamp desc

Hope it helps
Nick