Audit Vault for M365

Long-term Microsoft 365 Audit Log Retention

A powerful and cost-effective solution to preserve your Microsoft 365 audit log records.

Audit Vault for M365 Highlights

Audit Vault Highlights

Watch Video »

Exchange audit log retention

Retain your Microsoft Exchange audit log records.

Exchange audit logs help prove mailbox activity, configuration changes, access controls, and security events when your organization needs defensible evidence.

  • Regulatory compliance: Support GDPR, HIPAA, SOX, FINRA, and internal audit requirements.
  • Security investigations: Preserve evidence of mailbox access, message activity, permission changes, and configuration updates.
  • Legal discovery: Retain evidence for litigation, internal investigations, and eDiscovery workflows.
  • Operational accountability: Track user and administrator behavior over time.
  • Risk management: Improve incident response with long-term Exchange audit trails.

Configuration visibility

Gain visibility into Microsoft Exchange configuration issues and administrative changes.

Mailbox access tracking

Track access to user mailboxes, delegate activity, and other important Exchange events.

Compliance support

Retain Exchange audit evidence for HIPAA, GDPR, FISMA, and internal security assessments.

Sensitive email events

Investigate deleted, moved, accessed, or modified sensitive email activity.

Audit Vault for M365 retains Microsoft Exchange audit log records, including system, user, and administrator events, without requiring expensive Microsoft license upgrades for every user.

Audit properties

Audit properties retained from Microsoft Exchange

Below is a listing of the audit properties that Audit Vault for M365 preserves from Microsoft Exchange. Use these records to investigate mailbox activity and detect suspicious activity such as deleted or moved sensitive emails.

Property Description
Creation Time: The date and time when the audit event or operation occurred in Exchange. Stored in UTC Time.
Microsoft Id: Unique Id of the audit log from Microsoft.
Operation: The name of activity or event that had occurred when generating the exchange audit log. Examples:
  • Add-DistributionGroupMember
  • Add-MailboxLocation
  • Add-FolderPermissions
  • Add-MailboxPermission
  • Add-RecipientPermission
  • AttachmentAccess
  • Copy
  • Create
  • disable-Mailbox
  • DlpRuleMatch
  • Enable-AddressListPaging
  • enable-Mailbox
  • FolderBind
  • HardDelete
  • Install-AdminAuditLogConfig
  • Install-DataClassificationConfig
  • Install-DefaultSharingPolicy
  • Install-ResourceConfig
  • MailboxLogin
  • MailItemsAccessed
  • MessageBind
  • MipLabel
  • ModifyFolderPermissions
  • Move
  • MoveToDeletedItems
  • New-App
  • New-ExchangeAssistanceConfig
  • New-FolderMoveRequest
  • New-InboxRule
  • New-Mailbox
  • New-ReportSubmissionPolicy
  • New-SchedulingMailbox
  • Remove-MailboxPermission
  • Remove-MobileDevice
  • Remove-RecipientPermission
  • Remove-DistributionGroupMember
  • Remove-Mailbox
  • Remove-StoreMailbox
  • Remove-TenantRelocationRequest
  • Send
  • SendAs
  • SendOnBehalf
  • Set-AdminAuditLogConfig
  • Set-AntiPhishPolicy
  • Set-CASMailbox
  • Set-ConditionalAccessPolicy
  • Set-ExchangeAssistanceConfig
  • Set-HostedContentFilterPolicy
  • Set-InboxRule
  • Set-Mailbox
  • Set-MailboxJunkEmailConfiguration
  • Set-MailboxPlan
  • set-MailUser
  • Set-MalwareFilterPolicy
  • Set-OrganizationConfig
  • Set-OwaMailboxPolicy
  • Set-RecipientEnforcementProvisioningPolicy
  • Set-SyncUser
  • Set-TenantObjectVersion
  • Set-TransportConfig
  • Set-UnifiedGroup
  • SoftDelete
  • Update
  • UpdateInboxRules
User Id: The name of the user that performed the action that generated the Exchange Audit Log.
ActorInfoString: Records the exact user agent responsible for each audited event. Example: “Client=REST;Client=RESTSystem;Mozilla\/5.0 (Windows NT 10.0; Microsoft Windows 10.0.22631; en-US) Powershell\/5.1.22621.3958 Invoke-MgGraphRequest[AppId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx]
Additional Properties: Stores any new properties from Exchange Audit Log that are not captured elsewhere.
Affected Items: Information about each item in the group that resulted from the audit event that created the log entry.
App Access Context: Contains the Issued at Time and a Unique Token Id for the application context for the user or service principal that performed the action.
App Id: Contains the Application Id that performed the action.
ApplicationMode:
  • Standard
  • Priveledged
App Pool Name: The name of the Application Pool that performed the action.
AuthType: The authentication type of the event that created the Exchange Audit Log. Examples:
  • Bearer
  • MSAuth1.0
Client App Id: The Id of the Microsoft Entra app that performed the access on behalf of the user.
Client Info String: Information about the email client that was used to perform the operation that created the Exchange Audit Log, such as a browser version, Outlook version, and mobile device information.
Client IP: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.
Client IP Address: The IP address of the device that was used when the operation was logged that generated the audit log. The IP address is displayed in either an IPv4 or IPv6 address format.
Client Machine Name: The machine name that hosts the Outlook client that created the Exchange log.
Client Process Name: The email client that was used to access the mailbox.
Client Request Id: A GUID that is stored in the Exchange Audit log that can be used to correlate this cmdlet with the Security & Compliance Center UX operations. This information is only used by Microsoft support.
Client Version: The version of the email client.
Company IP: Contains the Company IP address that triggered the event for which the audit log was created.
Contact Email1 Display Name: The Contact Email 1 address display name that generated the audit log from Exchange.
Contact Email1 Email Address: The Contact Email 1 address that generated the audit log from Exchange.
Contact Email2 Display Name: The Contact Email 2 address display name that generated the audit log from Exchange.
Contact Email2 Email Address: The Contact Email 2 address that generated the audit log from Exchange.
Correlation ID: CorrelationID is the reference point to search for logs related to the specific event or issue.
Cross Mailbox Operation: Boolean that indicates if the operation involved more than one mailbox when the Exchange audit entry was created.
Cross Mailbox Operations: Indicates if the operation that created the Exchange audit log is involved more than one mailbox.
Dest Folder: The destination folder for the event that created the Exchange Audit Log. For operations such as Move.
Dest MailboxId: Set only if the CrossMailboxOperations parameter is True. Specifies the target mailbox GUID.
Dest Mailbox Owner Master Account id: Set only if the CrossMailboxOperations parameter is True. Specifies the SID (Security Identifier) for the master account SID of the target mailbox owner that generated the Exchange Audit Log.
Dest Mailbox Owner Sid: Set only if the CrossMailboxOperations parameter is True. Specifies the SID (Security Identifier) of the target mailbox.
Dest Mailbox Owner UPN: Set only if the CrossMailboxOperations parameter is True. Specifies the UPN of the owner of the target mailbox.
Device Id: The Id of the device on which generated the Exchange Audit Log.
ExchangeMetaData: Stores information about the message that generated the Exchange Audit Log such as Subject, Message Id, Recipianct Count, Date Message was sent, who message was sent to etc.
External Access: True or False. Specifies whether the cmdlet was run by a user in your organization, by Microsoft datacenter personnel or a datacenter service account, or by a delegated administrator.
Folder: The folder where a group of items is located.
Folders: Collection of Exchange folders that has information about the source folders involved in an operation; for example, if folders are selected and then deleted.
IncidentId: Stores the incident Id of the Exchange Item that generated the Audit Log.
Internal Logon Type: Reserved for Microsoft use only.
ItemName: The name of the Exchange Item that created the Microsoft Exchange record.
LabelAction: Example: None
LabelAppliedDateTime: The UTC date and time the Label was applied to the Exchange object.
LabelId: The Id of the Label of the Microsoft Exchange item htat created the log.
LabelName: The name of the label of the Exchange item that generated the audit record.
Logon Type: Indicates the type of user who accessed the mailbox and performed the operation that was audited. Examples include:
  • 0 = Owner
  • 1 = Admin
  • 2 = Delegated
  • 3 = Transport (A transport service in the Microsoft datacenter)
  • 4 = SystemService (A service account in the Microsoft datacenter)
  • 5 = BestAccess (Reserved for internal use)
  • 6 = DelegatedAdmin
Logon User Display Name: The user-friendly name of the user who performed the operation that created the Exchange Audit entry.
Logon User Sid: The SID (Security Identifier) of the user who performed the operation.
Mailbox Guid: The GUID of the mailbox in Exchange that was accessed.
Mailbox Owner Master Account Sid: The Exchange Mailbox owner account's master account SID (Security Identifier).
Mailbox Owner Sid: The SID of the mailbox owner.
Mailbox Owner UPN: The email address of the person who owns the mailbox that was accessed.
Modified Object Resolved Name: This is the user friendly name of the object that was modified by the cmdlet. This is logged only if the cmdlet modifies the object.
Messages Example: [ { "Id": "xxxxxx", "MessageItems": [ { "Id": "xxxxxxxx", "SizeInBytes": 0 } ], "Path": "Messages" } ]
Modified roperties: The property is included for exchange admin events. The property includes the name of the exchange property that was modified, the new value of the modified property, and the previous value of the modified object extracted from the Exchange Audit Log.
Object Id: For Exchange Audit Records it is the admin audit logging, the name of the object that was modified by the cmdlet.
Operation Count: The number of Operations involved when generating the Audit Log for Exchange.
Operation Properties: Contains additional Exchange properties such as MailAccessTyep and IsThrottled values.
Organization Id: The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs.
Organization Name: The name of the tenant that created the audit record.
Originating Server: The name of the server from which the cmdlet was executed that generated the Exchange Audit Log from Microsoft.
Parameters: The name and value for all the parameters that were used with the cmdlet that is identified in the Exchange Audit Log Operations property.
PolicyDetails: Example: example: [ { "PolicyId": "00000000-0000-0000-0000-000000000000", "Rules": [ { "Actions": [], "ConditionsMatched": { "ConditionMatchedInNewScheme": true, "OtherConditions": [ { "Name": "SensitivityLabels", "Value": "defa4136-0d19-0005-0004-bc88718845d2" } ] }, "RuleId": "defa4170-0d19-0005-0004-bc88714305d2", "RuleMode": "Enable", "RuleName": "defa4170-0d19-0005-0734-bc88714345d2", "Severity": "Low" } ] } ]
Receivers: Stores and array of Receivers email addresses that were a part of the Exchange item.
Record Type: Stores the Id of the record type for the Exchange Audit Log.
Examples:
1: ExchangeAdmin events
2: ExchangeItem events.
3: ExchangeItemGroup events.
50: ExchangeItemAggregated events.
Request Id: A GUID that can be used to correlate this cmdlet with the Security & Compliance Center UX operations. This information is only used by Microsoft support.
Resource URL: The ResourceURL stores the url of where the source of the audit request originated. Examples include:
https://outlook.office.com/
https://graph.microsoft.com
https://clients.config.office.net/
Result Status: Indicates whether the action (specified in the Operation property) was successful or not.For Exchange admin activity, the value is either True or False.
Save to Sent Items: SaveToSentItems (boolean) indicates if the sent email is saved to the users Sent Items folder or not.
Scope: Indicates if this Exchange event was created by a hosted O365 service or an on-premises server.
Send As User Mailbox Guid: The Exchange GUID of the mailbox that was accessed to send email as.
Send As User Smtp: SMTP address of the user who is being impersonated when the Exchange activity occurred.
Sender: The email address of the sender for the Exchange Item that generated the log.
Send On Behalf Of User Mailbox Guid: SMTP address of the user on whose behalf the email is sent that created the Exchange Audit Log.
Send On Behalf Of User Smtp: The Exchange GUID of the mailbox that was accessed to send mail on behalf of.
SensitiveInfoDetectionIsIncluded: Indicates True or False if sensitive information is included for the Exchange item that generated the audit log.
Session Id: Stores the Session Id that triggered the event for the audit log.
TokenObjectId: Stores the Token Object Id of the event that generated the audit log.
TokenTenantId: Stores the Token Tenant Id of the event that generated the audit log.
TokenType: Stores the Token Type of the event that generated the audit log. Examples:
  • SubstrateProcessorCallbackPft
  • V1AppActAs
  • AadPft
Unique Token Identifier: The UniqueTokenIdentifier contains the unique identifier for the token passed during the sign-in. This identifier is used to correlate the sign-in with the token request.
User Key: An alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange.
User Type: The type of user that performed the operation that generated the Exchange Audit Log. See the UserType table for details on the types of users.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = System
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy
Version: The version number of the Microsoft Management API that executed the request to retrieve the Exchange Audit Logs.
Workload: The Office 365 service where the activity occurred.
Note: Audit Vault for M365 stores the values for the properties listed above only when they are returned from Microsoft. Some information is present only when it is applicable to the audit event.