Exchange administrator audit logging—which is enabled by default in Office 365—logs an event in the Office 365 audit log when an administrator (or a user who has been assigned administrative permissions) makes a change in your Exchange Online organization. Changes made by using the Exchange admin center or by running a cmdlet in Windows PowerShell are logged in the Exchange admin audit log. For more detailed information about admin audit logging in Exchange, see Administrator audit logging. Here are some tips for searching for activity in the Exchange admin audit log:

  • To return entries from the Exchange admin audit log, you have to select Show results for all activities in the Activities list. Use the date range boxes and the Users list to narrow the search results for cmdlets run by a specific Exchange administrator within a specific date range.

  • To display events from the Exchange admin audit log, filter the search results and type a (dash) in the Activity filter box. This will display cmdlet names, which are displayed in the Activity column for Exchange admin events. Then you can sort the cmdlet names in alphabetical order.

Type a dash in the Activities box to filter Exchange admin events

  • To get information about what cmdlet was run, which parameters and parameter values were used, and what objects were affected, you will have to export the search results and select the Download all results option.