Hi,

I’m struggling to audit which emails have been accessed (preview, open, download) by non-owners in Defender -> Email & Collaboration -> Explorer

Global config:
UnifiedAuditLogIngestionEnabled : True
User config:
AuditEnabled : True
AuditAdmin includes “MailItemsAccessed”

Not able to find any email access records by using powershell, Purview or Sentinel (Office 365 data connector is active)

CloudAppEvents | where ActionType == “AdminMailAccess” does not work anymore. I heard that it was working some time ago. 

A bug or a feature? Any ideas on what I’m missing?

​Hi, I’m struggling to audit which emails have been accessed (preview, open, download) by non-owners in Defender -> Email & Collaboration -> Explorer Global config:UnifiedAuditLogIngestionEnabled : TrueUser config:AuditEnabled : TrueAuditAdmin includes “MailItemsAccessed”Not able to find any email access records by using powershell, Purview or Sentinel (Office 365 data connector is active) CloudAppEvents | where ActionType == “AdminMailAccess” does not work anymore. I heard that it was working some time ago.  A bug or a feature? Any ideas on what I’m missing?  Read More

​