Investigate Activity on a User's Account

To investigate a suspected compromised account, the Microsoft 365 Security & Compliance Center and the Azure Portal offer tools to help you investigate the activity of a user account that you suspect may be compromised.

  1. Track messages in Exchange Admin Center or Security and Compliance Center to see if bulk or spam like messages are being sent from the mailbox.
  2. Check to see if the account is blocked from sending.
    1. Go to Security and Compliance Center
    2. Under Threat Management click Review > Restricted Users
    3. Here you can see if the user is currently restricted by the protection system. Which could mean a compromised account.
  1. Check Rules and personal Forwarding.
    1. Go to the Exchange Admin Center.
    2. Click your profile button in the top right of the page and select Another user...
    3. Type the name of the user and press OK or find the user in the list and double click.
    4. Here you can find information on the users mailbox.
      1. Under Account > Connected Accounts, you can see if there are any messages being forwarded
      2. Under Organize Mail > Inbox Rules, see if there are any suspicious rules in the account.
  2. Office 365 Unified Audit Logs in the Security & Compliance Center - Review all the activities for the suspected account by filtering the results for the date range spanning from immediately before the suspicious activity occurred to the current date. Do not filter on the activities during the search.
  3. Use the Azure AD Sign-in logs and other risk reports that are available in the Azure AD portal. Examine the values in these columns:
    • Review IP address
    • sign-in locations
    • sign-in times
    • sign-in success or failure


If you have any questions, feel free to reach out to for assistance.