How do you find when a transport rule was created?
How to find when a transport rule was created? Use Audit Logs
Learning how to find when a transport rule was created helps administrators maintain security and accountability within organization email systems. Understanding these tracking methods prevents unauthorized changes and ensures that all mail flow modifications remain documented. Follow these steps to locate the necessary audit information efficiently.
Finding the Birth Certificate of a Transport Rule
To find when a transport rule was created, you must look beyond the standard Exchange admin interface and query the Microsoft Purview Audit log, which records the specific moment an administrator executes the creation command. While the basic rule properties often show when a rule was last modified, the original creation timestamp is buried within the unified audit logs - assuming the event occurred within your organization's data retention window.
Default retention for audit logs in standard Microsoft 365 licenses is 90 days, while E5 licenses extend this period to up to one year. If the rule was created within this window, the creation event is available and typically appears in search results within 60 to 90 minutes of the event occurring.[2] However, if audit logging was not enabled at the time of creation, the event will not be recorded.
Method 1: Using the Microsoft Purview Compliance Portal
For those who prefer a visual interface, the Microsoft Purview portal (compliance.microsoft.com) is your primary tool for forensic discovery. This method is generally easier for a quick one-off check, though it can feel a bit sluggish when processing large date ranges.
Follow these steps to locate the creation event:
1. Sign in to the Microsoft Purview portal and navigate to Solutions, then Audit.
2. Set your date range. If you have no idea when the rule was made, start with the maximum allowed range (usually 90 days for standard accounts).
3. In the Activities field, search for New-TransportRule. This is the specific operation triggered when a rule is first saved.
4. Run the search and wait for the results to populate. This can take a few minutes if your tenant is busy.
Let's be honest: the Purview interface can be frustratingly slow. I once spent 20 minutes waiting for a search to finish only to realize I had the wrong date range. If the GUI feels like it is crawling, do not panic. It is just the nature of querying millions of tenant events. Once the results appear, click on the entry to see the exact timestamp and the identity of the administrator who created the rule.
Method 2: PowerShell (The Power User's Shortcut)
If you are comfortable with a terminal, PowerShell is significantly more efficient for searching audit logs, especially when you need to filter through thousands of administrative actions. Using the Unified Audit Log cmdlet allows you to bypass the browser's overhead and get raw data in seconds.
First, connect to Exchange Online PowerShell. Then use this command to find rule creation events:
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -Operations New-TransportRule
This command returns creation events within your specified window. Note that Get-TransportRule does not reliably return the WhenCreated property in Exchange Online; the audit log is the authoritative source for rule creation timestamps and the associated administrator identity.
Why You Cannot Find Older Rules
The biggest roadblock in this process is the retention window. In most standard Microsoft 365 licenses, unified audit logs are retained for 90 days, while E5 licenses can extend retention to up to one year. If a rule was created outside of your tenant’s audit retention period, the creation event is no longer available. For example, if a rule was created during a migration several years ago, that original audit record cannot be retrieved.
In my experience, the breakthrough comes when you stop looking for the creation log and start looking for the oldest Set-TransportRule event. Sometimes an older rule was modified more recently than it was created, and those modification logs might still be within your 90-day window. It is a messy workaround, but when you are desperate for a lead, any log is better than none. Rarely have I seen a tenant where every single rule was documented perfectly outside of these logs.
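As an added example (not the article's own code), here is a script that combines the Method 2 search with the oldest-Set-TransportRule fallback described above. It assumes Connect-ExchangeOnline has already been run and that the rule name is passed as -RuleName; the SessionId and output format are my own choices.

```powershell
param(
    [Parameter(Mandatory)] [string] $RuleName,   # display name of the rule to trace
    [int] $DaysBack = 90                          # stay inside the tenant's audit retention window
)
# Assumes Connect-ExchangeOnline has already been run with rights to search the audit log.
$start = (Get-Date).AddDays(-$DaysBack)
$end   = Get-Date

function Get-RuleAuditEvents {
    param([string] $Operation)
    # Search-UnifiedAuditLog returns only 100 records unless ResultSize is raised (max 5000);
    # reusing one SessionId with ReturnLargeSet pages through larger result sets.
    $sessionId = "tr-audit-$Operation-$([guid]::NewGuid())"
    $all = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $Operation `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        $all += $page
    } while ($page.Count -eq 5000)
    # AuditData is a JSON string; for Exchange admin events ObjectId carries the rule identity.
    $all | ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = [datetime] $d.CreationTime
            Operation = $d.Operation
            Admin     = $d.UserId
            Rule      = $d.ObjectId
            ClientIP  = $d.ClientIP
        }
    } | Where-Object { $_.Rule -like "*$RuleName*" } | Sort-Object Time
}

$created = Get-RuleAuditEvents -Operation 'New-TransportRule' | Select-Object -First 1
if ($created) {
    "Rule '$($created.Rule)' created $($created.Time.ToString('u')) by $($created.Admin) from $($created.ClientIP)"
} else {
    # Creation event aged out (or auditing was off): fall back to the oldest surviving modification.
    $oldest = Get-RuleAuditEvents -Operation 'Set-TransportRule' | Select-Object -First 1
    if ($oldest) {
        "No creation event in the last $DaysBack days; oldest modification was $($oldest.Time.ToString('u')) by $($oldest.Admin)"
    } else {
        "No New-TransportRule or Set-TransportRule events for '$RuleName' in the last $DaysBack days"
    }
}
```

Timestamps in AuditData are UTC, so compare them against your other evidence (sign-in logs, mailbox audit) in the same zone before building a timeline.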
GUI vs. PowerShell for Audit Discovery
Both tools access the same data pool, but the experience and speed vary significantly depending on your technical comfort and the complexity of the search.
Microsoft Purview (GUI)
• Filtering: Basic - limited to the filters provided in the sidebar
• Best for: Quickly checking a single rule when you have a rough idea of the date
• Ease of use: High - no coding required, uses familiar web menus
• Speed: Slow - can take minutes to load and filter results
⭐ Exchange Online PowerShell
• Filtering: Advanced - can pipe results to Sort-Object or Where-Object for deep analysis
• Best for: Searching large date ranges or automating compliance reports
• Ease of use: Moderate - requires cmdlet knowledge and connection setup
• Speed: Fast - direct query execution with minimal interface lag
For most administrators, PowerShell is the superior choice because it handles large datasets without timing out. The GUI is a great safety net, but it often struggles when searching for events near the edge of the 90-day retention limit.
Hùng's Hunt for the Mystery Redirect
Hùng, an IT lead at a growing logistics company in Da Nang, noticed a strange mail redirect rule sending sensitive invoices to an unknown external address. He needed to know who created it and when, but the standard Exchange Admin Center only showed the last time it was modified.
First attempt: He ran Get-TransportRule to retrieve the rule properties. Result: The WhenCreated field was empty, leaving him unable to trace the origin of a potential security breach.
The breakthrough came when he realized he needed to query the Unified Audit Log specifically for the 'New-TransportRule' operation. He had to adjust his search window twice because he initially looked back only 30 days.
By expanding the search to 75 days, he found the event. A former contractor had created it 62 days prior. Hùng disabled the account and used the timestamp to audit all other actions by that user within the same hour.
Other Related Issues
Can I find a rule created more than 90 days ago?
Only if you have an E5 license or have manually extended your audit retention. For standard users, logs older than 90 days are permanently purged from the system and cannot be recovered.
Does the 'WhenChanged' property show the creation date?
No, it only shows the last time the rule was saved or toggled. If a rule has never been modified since its inception, it might match the creation date, but this is not a reliable forensic method.
Why is my audit search returning zero results?
This usually happens if the rule was created before auditing was enabled in your tenant or if the creation event is older than your retention period. It can also take up to 24 hours for very recent events to be fully indexed.
Key Points Summary
Use the operation New-TransportRule: This is the exact administrative action recorded during creation; searching for general rule changes will clutter your results with irrelevant modifications.
Check your retention limits early: Standard licenses purge logs after 90 days, so prioritize finding the creation date immediately after discovering a suspicious or unknown rule.
PowerShell is more reliable for long ranges: The Purview GUI often times out when searching the full 90-day window, making the Search-UnifiedAuditLog cmdlet a more robust tool for discovery.
Cross-reference Sources
- [2] Learn - Audit records typically appear in search results within 60 to 90 minutes of the event occurring.