OMEPortal

Microsoft Purview Message Encryption is a service that allows organizations to send encrypted mail to any recipients.

OMEPortal is a type of event that is recorded in the Office 365 Unified Audit Log. It represents any activity to access an encrypted message by an external recipient using the encrypted message portal. This event is useful to determine when and who accessed the portal.

  • authenticate
  • open message
  • view attachment
  • download attachment
  • reply/forward message

Access the Office 365 Unified Audit Log

The audit logs can be accessed using the following methods.

Audit log search tool

  1. Go to the Microsoft Purview compliance portal and sign in.

  2. In the left pane of the compliance portal, select Audit.

    Note

    If you don't see Audit in the left pane, see Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance for information about permissions.

  3. On the New Search tab, set Record type to OMEPortal and configure the other parameters. Audit dialog showing new search options

For more information on viewing the audit logs in the Microsoft Purview compliance portal, see Audit log activities.

Search Unified Audit Log in PowerShell

To access the Unified Audit Log using PowerShell, first open a PowerShell window and connect to Exchange Online PowerShell. For instructions, see Connect to Exchange Online PowerShell.

Search-UnifiedAuditLog cmdlet

The Search-UnifiedAuditLog cmdlet is a PowerShell command that can be used to search the Office 365 Unified Audit Log. The Unified Audit Log is a record of user and administrator activity in Office 365 that can be used to track events. For best practices on using this cmdlet, see Best Practices for using Search-UnifiedAuditLog.

To extract the OMEPortal events from the Unified Audit Log using PowerShell, you can use the following command. This will search the Unified Audit Log for the specified date range and return any events with the record type "OMEPortal". The results will be exported to a CSV file at the specified path.

Search-UnifiedAuditLog -RecordType OMEPortal -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) | Export-Csv -Path <output file> 

The following is an example of OMEPortal event from PowerShell, with opening message in the encrypted message portal activity.


RecordType   : OMEPortal 

CreationDate : 3/22/2023 7:00:59 PM 

UserIds      : [email protected] 

Operations   : MessageAccess 

AuditData    : {"CreationTime":"2023-03-22T19:00:59","Id":"a3500d45-6ab3-4971-a762-a01a846015d0","Operation":"MessageAccess","OrganizationId":"84b06764-3e5e-4f51-9a78-046a7f38b59b","RecordType":154,"ResultStatus":"Success","UserKey":"[email protected]","UserType":0,"Version":1,"Workload":"Exchange","UserId":"[email protected]","AuthenticationMethod":"Google","AuthenticationStatus":0,"MessageId":"<MW5PR18MB5094602B59DFEC335A3C5E58AA869@MW5PR18MB5094.namprd18.prod.outlook.com>","OperationProperties":[{"Name":"MailSubject","Value":"Support case 1234567"}],"OperationStatus":0,"Recipient":"[email protected]","Sender":"[email protected]"} 

ResultIndex  : 6 

ResultCount  : 7 

Identity     : a3500d45-6ab3-4971-a762-a01a846015d0 

IsValid      : True 

ObjectState  : Unchanged 

Use the following command to specifically search for the scenario in which user views an attachment. An example of the result of the PowerShell cmdlet is also shown below.

Search-UnifiedAuditLog -Operations AttachmentReview -RecordType OMEPortal -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date)

The following is an example of AipSensitivityLabelAction event from PowerShell, with sensitivity label updated.


RecordType   : OMEPortal 

CreationDate : 3/22/2023 7:04:09 PM 

UserIds      : [email protected] 

Operations   : AttachmentReview 

AuditData    : {"CreationTime":"2023-03-22T19:04:09","Id":"ef29c387-c81b-4812-9020-90b378d92cde","Operation":"AttachmentReview","OrganizationId":"84b06764-3e5e-4f51-9a78-046a7f38b59b","RecordType":154,"ResultStatus":"Failure","UserKey":"[email protected]","UserType":0,"Version":1,"Workload":"Exchange","UserId":"[email protected]","AttachmentName":"Form.docx","AuthenticationMethod":"OTP","AuthenticationStatus":0,"MessageId":"<MW5PR18MB5094CD4A4C6D8A5636154FEBAA869@MW5PR18MB5094.namprd18.prod.outlook.com>","OperationProperties":[{"Name":"MailSubject","Value":"Support case 987654"}],"OperationStatus":1,"Recipient":"[email protected]","Sender":"[email protected]"} 

ResultIndex  : 4 

ResultCount  : 7 

Identity     : ef29c387-c81b-4812-9020-90b378d92cde 

IsValid      : True 

ObjectState  : Unchanged 

The other operations that can be specifically searched for within OMEPortal include AttachmentDownload, AuthenticationRequest, MessageAccess, and MessageForward.

Attributes of the OMEPortal event

The following table contains information related to OMEPortal events.

Event Type Description
Activity String The activity type for the audit log. For OMEPortal, operations can include:
- AttachmentDownload
- AttachmentReview
- AuthenticateRequest
- MessageAccess
- MessageForward
AttachmentName String Part of AuditData.
The name of the attachment in the message.
AuditData String The log details on the OMEPortal activity.
AuthenticationMethod String Part of AuditData.
The type of authentication used to login to portal. Values are:
- OTP
- Google
- Yahoo
- Microsoft
AuthenticationStatus Double The status of the authentication.
0 = success
1= failure
CreationTime Date/time The date and time in Coordinated Universal Time (UTC) when the user performed the activity.
Id GUID Unique identifier of an audit record.
MessageId String The message ID.
Operation String Same value as activity.
OperationProperties String Part of AuditData.
Contains the email subject.
Recipient String Part of AuditData.
The email address of user accessing the message in the encrypted message portal.
RecordType Double The type of operation indicated by the record. 154 represents an OMEPortal record.
ResultsStatus String Operation was either successful or a failure.
Sender String Part of AuditData.
The email address of user that sent the encrypted message.
Workload String Exchange to indicate email in the encrypted message portal.
UserId String The User Principal Name (UPN) of the user in your organization who sent the encrypted mail the action that resulted in the record being logged.