Exchange Online Transport Rule Audit

This is a topic that still comes up when doing email investigations.  After there has been an issue, we want to perform analysis to determine what may have happened any potentially why certain security controls did not act the way we expected.

With email one example would be around the audit information collected when an Exchange Online transport rule acts upon a message.

It is common to see that admins have removed the “Audit this rule with severity level”.  As noted above this is not a new issue.  If we consult Andrew Stobart’s archived blog, we can find this post Troubleshooting Transport Rules that are set to “Do not audit”.  Yet another great blog that was cast into the abyss Sad smile

The option is indicate below by the wonderful pink arrow.  Note that the option is selected by default when creating a new rule.

Exchange Online Transport Rule Audit Setting

Note that the term Exchange Transport Rule (ETR) is commonly used to describe these rules.

Audit Enabled

In the below test, the ETR is set with the audit option enabled.  The severity level is for your use as you may deem a particular ETR to be critical and it should be listed on the high priority report.  But that is all up to you as it is to help your administrative tasks.

Exchange Online Transport Rule Audit Enabled For This Rule

When we perform a standard message trace, note that we see the that the message has been acted upon by the ETR.
There are two rules that acted upon the message and the entries are noted inside the red box.

Message Trace Showing ETR Processed The Message

If we expand the details, the names of the relevant rules are shown,  In this lab the two rules that fired on this message are:

  1. Stamp External Warning – Message Subject
  2. Stamp External Warning – Message Body

Message Trace Showing ETR Processed The Message - Details

Audit Disabled

If we disable the audit setting, again indicated by a that pink arrow, note that this changes the troubleshooting information that is available to us.

Exchange Online Transport Rule Audit Disabled For This Rule

If we run a standard message trace, note that there is no indication that a transport rule fired on this message.

All we see if that the message was received, then delivered.  Nothing else.

Message Trace Does NOT SHOW ETR Processed The Message


If you remove the audit this rule setting from the ETR, then you will not see any information about actions the rule has taken in a standard message trace.  You will be forced to run the detailed message trace that will take considerably longer to complete.
Just leave the option enabled, unless you have a very specific reason for doing so.

Also in memory of Andrew’s blog – here is one of his trademark images:

Andrew Stobart Blog - Xbox Fan or What?



Rhoderick Milne [MSFT]

Leave a Reply

Your email address will not be published. Required fields are marked *