How to see which mailboxes an admin has accessed: Office 365

Admins of a network who have been allowed full access to Office 365 may do far more than read messages; they can delete emails, change or copy mailbox content, and even transmit important emails to third parties – all of which might jeopardize data security or cause data loss. As a result, users must be aware anytime an admin in Office 365 visits another user’s or shared mailbox, as well as be able to trace exactly what they did throughout each access session. While there are quite a few unconventional methods to access and view this information, most of the convenient methods can only be accessed by EAC, PowerShell and Azure AD. This limits the amount of content you have access to however, with Office 365 access you can see which mailboxes an admin has accessed Office 365 by running and viewing an audit report. Follow the steps below to see how.

Step by step process – How to see which mailboxes an admin has accessed: Office 365

  • First, sign into your Microsoft 365 account.
  • Go to the app launcher in the top left.
  • Then select “Admin” from the list of apps.
  • Click the menu icon in the top left of the Admin center.
  • Click on “Show all” to reveal more Admin centers.
  • Select “Exchange.”
  • Go to “Other features” in the left menu of the Exchange admin center.
  • Locate “Auditing” and click the link under “Current location.”
  • Now select “Run a non-owner mailbox access report.”
  • Select a start and end date.
  • Select mailboxes to search, or leave blank to search all mailboxes.
  • Select “Administrators” under “Search for access by.”
  • Finally, click the “Search” button.

The search results show you exactly what actions were taken, who did them, and when and where they were performed. Due to limitations imposed by either the admin or the mailbox owner, not every sort of mailbox activity is audited by default, thus you may not see every type of mailbox access shown in this report.

The Exchange admin center’s (EAC) Non-Owner Mailbox Access Report shows which mailboxes have been accessed by someone other than the mailbox owner. When a non-owner accesses a mailbox, Exchange records the information this includes admins. This mailbox audit log is stored in a secret folder in the audited mailbox as an email message. Any mailboxes accessed by a non-owner, who accessed each mailbox and when, the actions done by non-owners, and whether or not the activities were successful are all displayed as search results in the report.

Exchange keeps track of particular activities taken by non-owners, such as administrators and users with mailbox access (who are called delegated users). You may also limit your search to users inside or outside your company. Exchange keeps information in the mailbox audit log for 90 days by default.

Exchange allows you to keep track of all modifications and access events throughout your Exchange Server and Exchange Online environments, including events such as when another user views another user’s mailbox. The solution not only indicates that an Office 365 user has obtained access to another mailbox; it also reveals which things the user has seen, modified, or deleted.

Other methods to access admin mailbox viewing

Another way to view the audit information is to use PowerShell. You can use scripted commands to run the audit task and allow Microsoft to do the work and audit the mailboxes for you. Codes will be required but the scripted codes can be found on Microsoft PowerShell, script commands. This method does pose a risk as you may cause an error if the command or command sequence is not typed out correctly.

Another method is to use retention to create a new rule which allows users to create a command directly in EAC allowing them to access the information quite effectively. However, similar to running a command with the help of PowerShell, users have to ensure that errors in the command or sequence of commands used to allow for the auditing are types out correctly.

Check the search results window to see if you’ve successfully conducted a non-owner mailbox access report. The mailboxes for which you run the report, whether for an individual user or a group of users, are displayed in the results pane. If no results are returned for a given mailbox, it’s conceivable that no non-owner access was granted or that no non-owner access was granted during the provided date period. Check that audit logging is set for the mailboxes you wish to scan for non-owner access, as we previously suggested.

Permission settings – Can you access audit logs?

While network preferences set for the users by admins restrict you from creating a new rule or direct command through Powershell, you may still need to keep an eye out for other permissions that could potentially prevent you from viewing the information in Exchange.

OwnerAll objects and files may be created, read, modified, and deleted, as well as subfolders. You can alter the permission levels that other users have for the folder as the folder owner. (Note that this does not apply to delegates.)
Publishing editorAll documents and files may be created, read, modified, and deleted, as well as subfolders. (Note that this does not apply to delegates.)
EditorAll things and files may be created, read, modified, and deleted.
Publishing AuthorCreate and read things and files, as well as subfolders, as well as change and remove items and files. (Note that this does not apply to delegates.)
AuthorCreate, read, and change things and files, as well as remove items and files you’ve created.
ContributorOnly create objects and files. The folder’s contents do not appear. (Note that this does not apply to delegates.)
ReviewerOnly read objects and files.
CustomCarry out the tasks specified by the folder’s owner. (Note that this does not apply to delegates.)
NoneYou do not have authorization. You are unable to open the folder.

In depth Step by step process – How to see which mailboxes an admin has accessed Office 365?

Step by step breakdown:

  • Click the menu icon in the top left of the Admin center. (1)
  • Click on “Show all” to reveal more Admin centers. (2)
  • Select “Exchange.” (3)
  • Go to “Other features” in the left menu of the Exchange admin center. (1)
  • Locate “Auditing” and click the link under “Current location.” (2)
  • Now select “Run a non-owner mailbox access report.”
  • Select a start and end date. (1)
  • Select mailboxes to search, or leave blank to search all mailboxes. (2)
  • Select “Administrators” under “Search for access by.” (3)
  • Finally, click the “Search” button. (4)

That’s it for this Blog — thank you for taking time out to read our content, please feel free to email our team about how it went if you followed the steps or if you need more help with the questions we answered in this Blog.

Saajid Gangat

Saajid Gangat has been a researcher and content writer at Business Tech Planet since 2021. Saajid is a tech-savvy writer with expertise in web and graphic design and has extensive knowledge of Microsoft 365, Adobe, Shopify, WordPress, Wix, Squarespace, and more! You can connect with Saajid on Linkedin.

Recent Posts