
Description

Events from the Exchange admin audit log.

Log Structure

Sample Office365ExchangeAdmin log

[
  {
    "CreationTime": "2022-03-14T08:57:52",
    "Id": "80c76bd2-9d81-4c57-a97a-accfc3443dca",
    "Operation": "Enable-AddressListPaging",
    "OrganizationId": "41463f53-8812-40f4-890f-865bf6e35190",
    "RecordType": 1,
    "ResultStatus": "True",
    "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)",
    "UserType": 3,
    "Version": 1,
    "Workload": "Exchange",
    "ObjectId": "contoso.onmicrosoft.com",
    "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)",
    "AppId": "",
    "ClientAppId": "",
    "ExternalAccess": true,
    "OrganizationName": "contoso.onmicrosoft.com",
    "OriginatingServer": "ME3P282MB3790 (15.20.5061.028)",
    "Parameters": [
      {
        "Name": "DoNotUpdateRecipients",
        "Value": "True"
      },
      {
        "Name": "DomainController",
        "Value": ""
      },
      {
        "Name": "Identity",
        "Value": "PHP101A112.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com"
      }
    ]
  }
]

Table Fields

| Field | Description |
|---|---|
| TABLE | Office365ExchangeAdmin |
| RECORDTYPE | RecordType is “1”, more details about RecordType here. |
| APPID | AppId - No available documentation for this field. |
| CLIENTAPPID | ClientAppId - No available documentation for this field. |
| MODOBJECTRESOLVENAME | ModifiedObjectResolvedName - This is the user friendly name of the object that was modified by the cmdlet. This is logged only if the cmdlet modifies the object. |
| MODIFIEDPROPERTIES | ModifiedProperties - The property is included for admin events. The property includes the name of the property that was modified, the new value of the modified property, and the previous value of the modified object. |
| PARAMS | Parameters - The name and value for all parameters that were used with the cmdlet that is identified in the Operations property. |
| EXTERNALACCESS | ExternalAccess - Specifies whether the cmdlet was run by a user in your organization, by Microsoft datacenter personnel or a datacenter service account, or by a delegated administrator. The value False indicates that the cmdlet was run by someone in your organization. The value True indicates that the cmdlet was run by datacenter personnel, a datacenter service account, or a delegated administrator. |
| ORIGINATINGSERVER | OriginatingServer - The name of the server from which the cmdlet was executed. |
| ORGNAME | OrganizationName - The name of the tenant. |
| SNAREDATAMAP | All unclassified field/s in the log will be pushed into the SNAREDATAMAP. |
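
The field mapping above, applied to a raw record, as an added Python example (not the product's own parser and not code from the original page). `FIELD_MAP`, `flatten_parameters`, `normalize` and `run_outside_org` are hypothetical names, and the example assumes that every key absent from the table counts as unclassified.

```python
import json

# Source key -> column name, as listed in the field table above.
FIELD_MAP = {
    "RecordType": "RECORDTYPE",
    "AppId": "APPID",
    "ClientAppId": "CLIENTAPPID",
    "ModifiedObjectResolvedName": "MODOBJECTRESOLVENAME",
    "ModifiedProperties": "MODIFIEDPROPERTIES",
    "Parameters": "PARAMS",
    "ExternalAccess": "EXTERNALACCESS",
    "OriginatingServer": "ORIGINATINGSERVER",
    "OrganizationName": "ORGNAME",
}

def flatten_parameters(params):
    """Turn [{"Name": n, "Value": v}, ...] into {n: v}; tolerate a missing list."""
    return {p.get("Name", ""): p.get("Value", "") for p in (params or [])}

def normalize(record):
    """Map one raw audit record onto the table's columns (hypothetical helper)."""
    row = {"TABLE": "Office365ExchangeAdmin", "SNAREDATAMAP": {}}
    for key, value in record.items():
        if key == "Parameters":
            row["PARAMS"] = flatten_parameters(value)
        elif key in FIELD_MAP:
            row[FIELD_MAP[key]] = value
        else:
            # Assumption: any key not named in the table is unclassified.
            row["SNAREDATAMAP"][key] = value
    return row

def run_outside_org(row):
    """True when EXTERNALACCESS is True (boolean or the string "True")."""
    return str(row.get("EXTERNALACCESS")).lower() == "true"

# Constructed sample: a trimmed copy of the sample record on this page.
SAMPLE = json.loads(r'''[{
  "Operation": "Enable-AddressListPaging", "RecordType": 1,
  "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)",
  "ExternalAccess": true, "OrganizationName": "contoso.onmicrosoft.com",
  "Parameters": [{"Name": "DoNotUpdateRecipients", "Value": "True"},
                 {"Name": "DomainController", "Value": ""}]
}]''')

if __name__ == "__main__":
    for row in map(normalize, SAMPLE):
        print(json.dumps(row, indent=2), "outside org:", run_outside_org(row))
```
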

Notes

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#exchange-admin-schema
