How to Collect Exchange Online Audit Logs | Office 365 Management API

Step-by-step guide to ingesting Exchange Online audit logs using the Office 365 Management Activity API. Monitor mailbox access, email send/receive events, and admin actions.

3 minute read

Overview

Exchange Online audit logs capture mailbox activities, email operations, and administrative actions in your Microsoft 365 environment. Use this guide to monitor mailbox access, track email send/receive events, detect unauthorized access, and maintain compliance records.

Common Use Cases:

Monitor mailbox access and delegation changes
Track email send-as and send-on-behalf operations
Detect unauthorized mailbox access
Audit admin actions on mailboxes and transport rules
Maintain compliance records for email operations

Requirements: Edge Delta Agent v2.6.0+ and unified audit logging enabled in your Microsoft 365 tenant.

Prerequisites

Before configuring Edge Delta, complete the Office 365 Management API setup:

Enable unified audit logging in Microsoft Purview compliance portal
Register an Azure AD application with Office 365 Management APIs permissions
Grant the ActivityFeed.Read permission and obtain admin consent
Start the Audit.Exchange subscription (one-time setup)

For detailed setup instructions, see Office 365 Management API Integration.

Start Exchange Subscription

Run this command once to enable Exchange audit log collection:

# Get OAuth token
TOKEN=$(curl -X POST "https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token" \
  -d "client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&scope=https://manage.office.com/.default&grant_type=client_credentials" \
  | jq -r '.access_token')

# Start Exchange subscription
curl -X POST "https://manage.office.com/api/v1.0/{TENANT_ID}/activity/feed/subscriptions/start?contentType=Audit.Exchange&PublisherIdentifier={TENANT_ID}" \
  -H "Authorization: Bearer ${TOKEN}"

Configuration

Basic Exchange Audit Collection

nodes:
- name: exchange_audit_logs
  type: http_pull_input
  endpoint: https://manage.office.com/api/v1.0/YOUR_TENANT_ID/activity/feed/subscriptions/content
  method: GET
  pull_interval: 5m

  authorization:
    strategy: oauth_client_credentials
    client_credentials:
      token_url: https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token
      client_id: YOUR_CLIENT_ID
      client_secret: YOUR_CLIENT_SECRET
      scopes:
        - https://manage.office.com/.default
      header_templates:
        - header: Authorization
          value: Bearer $ACCESS_TOKEN

  parameters:
    - name: contentType
      value: Audit.Exchange
    - name: PublisherIdentifier
      value: YOUR_TENANT_ID

  parameter_expressions:
    - name: startTime
      value_expression: FormatTime(Now() - Duration("6m"), "%Y-%m-%dT%H:%M:%SZ")
    - name: endTime
      value_expression: FormatTime(Now() - Duration("1m"), "%Y-%m-%dT%H:%M:%SZ")

  pagination:
    url_json_path: contentUri
    response_format: json
    max_parallel: 3
    inherit_auth: true
    error_strategy: continue

Exchange Audit Operations

Mailbox Access Operations

Operation	Description
`MailboxLogin`	User logged into mailbox
`MailItemsAccessed`	Items accessed in mailbox
`FolderBind`	Folder opened
`MessageBind`	Message opened

Email Send Operations

Operation	Description
`Send`	Email sent
`SendAs`	Email sent as another user
`SendOnBehalf`	Email sent on behalf of another user

Admin Operations

Operation	Description
`Add-MailboxPermission`	Mailbox access granted
`Remove-MailboxPermission`	Mailbox access revoked
`Set-Mailbox`	Mailbox settings changed
`New-TransportRule`	Transport rule created
`Set-TransportRule`	Transport rule modified

Sample Exchange Audit Log

{
  "CreationTime": "2024-01-01T10:00:00",
  "Id": "exchange-audit-guid",
  "Operation": "SendAs",
  "OrganizationId": "org-guid",
  "RecordType": 2,
  "ResultStatus": "Succeeded",
  "UserKey": "user-key",
  "UserType": 0,
  "Workload": "Exchange",
  "UserId": "user@company.com",
  "ClientIP": "192.168.1.100",
  "MailboxOwnerUPN": "executive@company.com",
  "MailboxOwnerSid": "S-1-5-...",
  "MailboxGuid": "mailbox-guid",
  "Item": {
    "Id": "item-id",
    "Subject": "Monthly Report",
    "ParentFolder": "Sent Items",
    "InternetMessageId": "<message-id@company.com>"
  },
  "SendAsUserSmtp": "executive@company.com"
}

Key Fields for Analysis

Field	Description	Use Case
`Operation`	Action performed	Identify activity type
`UserId`	Who performed the action	Attribute activity to user
`MailboxOwnerUPN`	Mailbox owner	Identify target mailbox
`ClientIP`	Source IP address	Detect anomalous access
`Item.Subject`	Email subject	Content context
`ResultStatus`	Succeeded or Failed	Track failures

High-Value Operations to Monitor

Operation	Risk Level	Description
`SendAs`	High	Sending as another user
`Add-MailboxPermission`	High	Granting mailbox access
`MailboxLogin` (unusual location)	High	Anomalous access
`HardDelete`	Medium	Permanent deletion
`MoveToDeletedItems`	Low	Items deleted

Troubleshooting

Issue	Solution
Empty results	Verify Audit.Exchange subscription is started
401 Unauthorized	Check client credentials and tenant ID
403 Forbidden	Ensure `ActivityFeed.Read` permission has admin consent
Missing operations	Enable mailbox auditing for affected mailboxes

Enable Mailbox Auditing

If some operations are missing, enable auditing for specific mailboxes:

# Enable auditing for a mailbox
Set-Mailbox -Identity "user@company.com" -AuditEnabled $true

# Enable specific audit actions
Set-Mailbox -Identity "user@company.com" -AuditOwner @{Add="MailItemsAccessed","Send"}

Office 365 Management API Overview - Complete API reference
SharePoint Audit Logs - File and site monitoring
Teams Audit Logs - Teams activity monitoring