Interpreting the Office 365 MailItemsAccessed Audit Event

If you have Office 365 E5 licenses, your mailboxes generate MailItemsAccessed events. These events are stored in the Office 365 audit log and can be used for investigating potentially compromised mailboxes. Useful information is in the audit events, but some processing is needed to extract the full benefit. Here's how to do it with PowerShell.

5 Replies

How did you get it to work though? Still zero events captured here, still not able to add MailItemsAccessed to the Audit properties, still throws a license error.

Of course. Or do you think I compose these articles under the influence of magic mushrooms?

Um, the question was "how" :)

I did absolutely nothing. The events appear for accounts with E5 licenses.

Well, still no luck in my tenant, with E5. The wait game continues...