Audit Logs for Exchange Mail Flow Rule Changes

Created by Rohit Yadav, Modified on Sun, 31 Aug at 10:48 AM by Rohit Yadav

Overview

Exchange Online administrators often need to track changes to mail flow (transport) rules for compliance and troubleshooting purposes.

This article explains how to check audit logs to identify:

  • Who created, modified, or deleted a mail flow rule.
  • When the change occurred.
  • What specific changes were made to the rule.

✅ Prerequisites

You must have the following:

  • Roles:
    • Audit Logs role in Microsoft Purview
    • Exchange Administrator or Global Administrator
  • Unified Audit Logging must be enabled in your tenant

Methods to Check Rule Changes

1. Using Microsoft Purview Compliance Portal

  1. Go to Microsoft Purview Audit Portal.
  2. Navigate to: Audit → Audit Search.
  3. In the Activities field, enter these operations:
     New-TransportRule     → Rule Creation
     Set-TransportRule     → Rule Modification
     Enable-TransportRule  → Rule Enabled
     Disable-TransportRule → Rule Disabled
     Remove-TransportRule  → Rule Deletion
  4. Set the date range and click Search.
  5. Review the results and export if needed.

2. Using PowerShell (Recommended for Detailed Output)

Run the following command to search audit logs for transport rule changes:

Search-UnifiedAuditLog -StartDate "08/20/2025" -EndDate "08/28/2025" `
    -Operations New-TransportRule,Set-TransportRule,Enable-TransportRule,Disable-TransportRule,Remove-TransportRule `
    -RecordType ExchangeAdmin |
    Export-Csv -Path "C:\AuditReports\TransportRuleAudit.csv" -NoTypeInformation

Explanation of Parameters

  • StartDate / EndDate → Date range for the search.
  • Operations → Types of rule operations (create, modify, enable, disable, delete).
  • RecordType ExchangeAdmin → Limits search to Exchange admin activities.
  • Export-Csv → Saves the output in CSV format for easy analysis.

Output Example

User                  Operation          RuleName             Date        Details
admin@contoso.com     New-TransportRule  Block External Mail  2025-08-21  Rule created with conditions...
helpdesk@contoso.com  Set-TransportRule  Block External Mail  2025-08-25  Modified action: Added BCC...
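
In the records that Search-UnifiedAuditLog returns, the rule name and the changed settings sit inside the AuditData column as a JSON string. The following added example (not part of the original article) flattens that JSON into the columns shown above; the function name ConvertFrom-TransportRuleAudit and the two sample records are constructed for illustration, and it assumes the rule is identified by the Identity or Name parameter, falling back to ObjectId.

```powershell
# Added example: flatten the AuditData JSON of transport-rule audit records.
function ConvertFrom-TransportRuleAudit {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # A record from Search-UnifiedAuditLog; only its AuditData property is read.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record
    )
    process {
        try {
            $data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop
        } catch {
            Write-Warning "Skipping record with unparsable AuditData: $($_.Exception.Message)"
            return
        }
        # Parameters holds the arguments passed to the cmdlet as Name/Value pairs.
        $params = @($data.Parameters | Where-Object { $_ })
        $byName = @{}
        foreach ($p in $params) { $byName[$p.Name] = $p.Value }
        # Assumption: -Identity names an existing rule, -Name a newly created one.
        $rule = if ($byName['Identity']) { $byName['Identity'] }
                elseif ($byName['Name']) { $byName['Name'] }
                else { $data.ObjectId }
        [pscustomobject]@{
            User      = $data.UserId
            Operation = $data.Operation
            RuleName  = $rule
            Date      = $data.CreationTime   # recorded in UTC
            ClientIP  = $data.ClientIP       # empty when the record has none
            Details   = ($params | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

# Constructed sample records (not real tenant data) so the function runs offline.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-08-21T10:02:11","Operation":"New-TransportRule","UserId":"admin@contoso.com","ObjectId":"Block External Mail","Parameters":[{"Name":"Name","Value":"Block External Mail"},{"Name":"FromScope","Value":"NotInOrganization"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-08-25T14:37:40","Operation":"Set-TransportRule","UserId":"helpdesk@contoso.com","ObjectId":"Block External Mail","Parameters":[{"Name":"Identity","Value":"Block External Mail"},{"Name":"BlindCopyTo","Value":"mailbox@example.net"}]}' }
)
$sample | ConvertFrom-TransportRuleAudit | Format-Table -AutoSize -Wrap

# Live use (needs a connected Exchange Online PowerShell session):
# Search-UnifiedAuditLog -StartDate "08/20/2025" -EndDate "08/28/2025" `
#     -Operations New-TransportRule,Set-TransportRule -RecordType ExchangeAdmin -ResultSize 5000 |
#     ConvertFrom-TransportRuleAudit |
#     Export-Csv -Path "C:\AuditReports\TransportRuleAudit.csv" -NoTypeInformation
```

Search-UnifiedAuditLog returns 100 records by default; -ResultSize raises that to a maximum of 5000 per call, so narrow the date range if a busy tenant hits the limit.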

Notes

  • Always ensure Unified Audit Logging is enabled; otherwise, no data will be captured.
  • For long-term retention, configure Audit log retention policies in Microsoft Purview.
  • Microsoft Docs Reference: Search the audit log in the compliance portal
