How to see the IP addresses from where your Office 365 users are accessing their mailbox

In our support experience we had multiple cases where customers wanted to know the IP address from where some of their users have logged in to Outlook Web App or in Outlook client. In the past, this kind of information could not be retrieved from the Office 365 side and only the customers with an Azure subscription had access to these details.



As per the last news, we will enable mailbox auditing by default in the near future, for all cloud mailboxes.

So the steps below from 1 to 3, to enable mailbox auditing for mailbox login events, will not be needed, once the auditing will be enabled automatically for all Office 365 mailboxes:



Now this information can be retrieved from new Office 365 Compliance Center(,  from the Audit log search, under “Search and Investigation” section.

In order to be able to see the connecting IP address for your users, you have to follow next steps:


1. First you need to enable company auditing from Compliance Center. For this step you can find guidance in the next article:


2. Since the activity that you need to look for is called “User signed in to mailbox”  and it is a mailbox activity, this requires to enable mailbox auditing for that user from Exchange Online:

You can do this via PowerShell, using  below command:

Set-Mailbox -Identity $true


3. At the same time “User signed in to mailbox” action is a mailbox owner activity. In Exchange Online, even if you enable mailbox auditing, this does not mean that all the activities from that mailbox will be recorded.

Mailbox auditing has 3 types of recorded activities levels, which can be seen with below command:

 $FormatEnumerationLimit = -1
Get-Mailbox |fl *audit*

AuditEnabled     : true

AuditLogAgeLimit : 90.00:00:00

AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}

AuditDelegate    : {Update, SoftDelete, HardDelete, SendAs, Create}

AuditOwner       : {}

As you can notice, by default, we have no action recorded for AuditOwner  .

So if you need to record the user login activity, you can easily do it with below command:

 Set-Mailbox -AuditOwner MailboxLogin


Please refer to below article for more details about what kind of actions you can audit in Exchange Online and about how to enable the auditing for them:


4. Once you finished this setup for each user that you want to audit, you should perform the search from Compliance Center. Please be aware that auditing will record only the actions that were performed after the moment you enabled it, as per above procedure.


The result should be similar to the one from picture below :



Comments (12)
  1. turbomcp says:

    is that true for http/rpc also?

    1. Nicu Simion says:


      Thank you for your question,

      I have just connected with a test user from Outlook client(MAPI over HTTP) and this connection was also audited, so I could see the IP address from where I made the Outlook connection. About RPC connections, I don’t have an available client where to test, but I guess it is not relevant anymore, as this protocol will soon not be supported anymore.(,-2017)

      So the answer is yes, it applies to both OWA/Outlook access.

      1. turbomcp says:

        thanks for fast reply

  2. JohnnyDh says:

    Hi Nicu,

    Superb article, kudos!

    Will this work for migrated mailboxes (on-prem to cloud) also?

    1. Nicu Simion says:

      Hello Johnny and thank you for your feedback,

      Once a mailbox is migrated to Exchange Online and the user is assigned with an Exchange License(otherwise it cannot access OWA/Outlook), the auditing should work in this scenario as well, but of course, you need first to enable the audited actions for the user, as described here.

  3. anon says:

    I am struggling to find a way to get this data programmatically…I want to get this data out, not login to a website to see. Is there a way I can do that?

    1. Nicu Simion says:


      You have the option to connect to Compliance Center from PowerShell, using the steps from this article:

      Then you can run below command, that will return you all the activities of “mailboxlogin” for a particular user, like in below example:

      Search-UnifiedAuditLog -StartDate 7/1/2017 -EndDate 7/30/2017 -UserIds -Operations MailboxLogin -Formatted

      If you want to export the login information to a csv file, for all the users that have audit enabled for this activity, you can do it very easily:

      Search-UnifiedAuditLog -StartDate 7/1/2017 -EndDate 7/30/2017 -Operations MailboxLogin -Formatted |Export-Csv -Path C:\temp\mailboxlogin.csv

      You can see the connection details, such as the IP address, on the AuditData section from the returned output.

      Also I need to mention that getting this data from Powershell will NOT bypass the pre-requisites mentioned into this port.

  4. Fabrizio Zavalloni says:

    Will it be available for Exchange 2016?

    1. Nicu Simion says:

      Hello Fabrizio,

      Currently this feature is available only for Exchange Online mailboxes, from new Compliance Center portal.

  5. DannyK says:

    Thanks for the article. I tried to locate a computer on the shared network that was used to send an email. T turned the audit log for a test account using:
    Set-Mailbox -Identity $true
    Set-Mailbox -AuditOwner MailboxLogin
    I got the result for “User signed in to mailbox”, but the Client IP address show the gateway IP address of the shared network, not the actual workstation IP. Is there away to capture actual workstation IP?

    1. Nicu Simion says:

      Hi Danny,

      As long as your clients are configured to use a gateway or a proxy server to get access to internet, then all the incoming connections to our servers will be sent of behalf of the gateway/proxy server IP address.

      1. DannyK says:

        Thanks, Nicu!

        The shared gateway/proxy address could also be found in the message header, so the information in audit log doesn’t help when it comes to investigation.

Comments are closed.

Skip to main content