Versions Compared

Version Old Version 1 New Version Current
Changes made by

Svetlana Sheptiy

Svetlana Sheptiy

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

Description

Events from the Exchange admin audit log.

Log Structure

Expand
titleSample Office365ExchangeAdmin logof Office365ExchangeAdmin Event (in JSON format)
[
{
"CreationTime": "2022-03-14T08:57:52",
"Id": "80c76bd2-9d81-4c57-a97a-accfc3443dca",
"Operation": "Enable-AddressListPaging",
"OrganizationId": "41463f53-8812-40f4-890f-865bf6e35190",
"RecordType": 1,
"ResultStatus": "True",
"UserKey": "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)",
"UserType": 3,
"Version": 1,
"Workload": "Exchange",
"ObjectId": "contoso.onmicrosoft.com",
"UserId": "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)",
"AppId": "",
"ClientAppId": "",
"ExternalAccess": true,
"OrganizationName": "contoso.onmicrosoft.com",
"OriginatingServer": "ME3P282MB3790 (15.20.5061.028)",
"Parameters": [
{
"Name": "DoNotUpdateRecipients",
"Value": "True"
},
{
"Name": "DomainController",
"Value": ""
},
{
"Name": "Identity",
"Value": "PHP101A112.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com"
}
]
}
]

Table Fields

Field

Description

TABLE

Office365ExchangeAdmin

RECORDTYPE

Based on RecordType

is “1” - details

, this field indicates the operation performed by the record.
For this log type its value is 1.
For available RecordType values, you can visit Microsoft’s documentation here.

APPID

AppId - No

Based on AppId, there’s no available documentation for this field.

CLIENTAPPID

ClientAppId - No

Based on ClientAppId, there’s no available documentation for this field.

MODOBJECTRESOLVENAME

ModifiedObjectResolvedName - This is

Based on ModifiedObjectResolvedName, this field contains the the user-friendly name of the object that was modified by

the cmdlet. This is logged only if

the cmdlet

modifies the object

.

MODIFIEDPROPERTIES

Parameters - The name and value for all parameters that were used with the cmdlet that is identified in the Operations property.

PARAMS

ModifiedProperties - The property is included for admin events. The property includes

Based on ModifiedProperties, this field contains the name of the property that was modified, the new value of the modified property, and the previous value of the modified object.

PARAMS

Based on Parameters, this field contains the name and value for all parameters that were used with the cmdlet that is identified in the Operations property.

EXTERNALACCESS

ExternalAccess - Specifies

ORIGINATINGSERVER

OriginatingServer - The

Based on ExternalAccess, this field contains the details that specifies whether the cmdlet was run by a user in your organization, by Microsoft datacenter personnel or a datacenter service account, or by a delegated administrator.

The value False indicates that the cmdlet was run by someone in your organization.

The value True indicates that the cmdlet was run by datacenter personnel, a datacenter service account, or a delegated administrator.

ORIGINATINGSERVER

Based on OriginatingServer, this field contains the name of the server from which the cmdlet was executed.

ORGNAME

OrganizationName - The

Based on OrganizationName, this field contains the name of the tenant.

SNAREDATAMAP

All unclassified field

/s in the log

(s) parsed from this log type will be pushed into the SNAREDATAMAP.

Notes

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#exchange-admin-schema