Detecting permission changes in Exchange Online mailboxes is important for ensuring security and compliance. If anybody is given permissions over Exchange Online mailboxes, he or she can read, change, delete or move mailbox content to other mailboxes (even ones outside the organization). To secure sensitive mailbox content and prevent data leakage, you will have to monitor mailbox permission changes continuously. In this article, we will show you how to detect mailbox permission changes in Exchange Online in two ways; native auditing and Lepide Exchange Online Auditor.
Step 1- Connecting to Exchange Server Online
Perform the following steps to connect to Exchange Online:
- Launch Windows PowerShell as an administrator, and run the following command to validate the credentails.
$UserCredential = Get-Credential
“Windows PowerShell Credential Request” dialog box appears. Enter the credentials of an Office 365 Global Admin Account, and click “OK”.
- Run this command in Windows PowerShell to create the session with Outlook of Office 365
$Session = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential –Authentication Basic –AllowRedirection
The following screenshot shows the command run in the Windows PowerShell:
- Run the following command
Import-PSSession $Session
If you run the “Get-Mailbox” command, you will determine whether you are connected to Exchange Online organization, and you will also get your organization’s mailboxes list. Run the following command:
Get-Mailbox
The following is the result of “Get-Mailbox” command run
Step 2 – Enable Online Exchange Server mailbox auditing
Once you have established a connection with the Exchange Online Server, the next step is to enable mailbox audit logging. Run this command:
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
Step 3- Confirm whether the audit has been enabled or not
Use the “Get-Mailbox” command to check whether you have successfully enabled auditing.
A true value of the AuditEnabled property confirms that you have successfully enabled audit logging. Run the following command:
Get-mailbox | select UserPrincipalName, auditenabled, AuditDelegate, AuditAdmin
Step 4 – View the audit reports in the Office 365 portal
Perform the following steps to view the Office 365 audit reports:
- Log into the Office 365 portal with an administrative account.
- Select “Security & Compliance”.
- Go to “Search & Investigation”.
- In the “Activities” dropdown list, scroll down to “Exchange Mailbox Activities” “Added delegate mailbox permissions” or “Removed delegate mailbox permissions”, as per requirement. In our case, we have selected “Added delegate mailbox permissions”.
- Specify a “Start date” and “End date” and click “Search”.
- Click on a record to view complete details.
Drawbacks of native auditing
The following are the drawbacks of the native auditing.
- It is complicated to enable auditing through complex Windows PowerShell commands.
- Lacks the facility to show multiple online audit reports in one console.
- Reading information from reports is a bit difficult. The “who, what, when, and where” questions of auditing are not answered in a single line record.
- Filtering, grouping and sorting the reports is not easy.
Lepide Exchange Online Auditor – A better way to audit Exchange Online (Office 365)
Lepide Exchange Online Auditor (part of Lepide Data Security Platform) overcomes the drawbacks of native auditing. Configuring the solution is both simple and fast. The audit settings are easy to apply, and you start viewing audit reports quickly. You can add multiple Exchange Online Servers and view their reports from one console. The predefined reports answer the “who, what, when, and where” audit questions in a single line record. Working with these reports is very easy, as they enable you to filter, group and sort data as required.
The following image shows Exchange Server Online Permission Changes:
Our Exchange Online audit solution lets you easily find the answer to who, what, when, and where question of mailbox auditing in a single line record. The real-time alerts for permission changes are delivered through email, updates to Radar Tab, and push-notifications to Lepide Mobile App.
Lepide Exchange Online Auditor makes auditing easier and faster. You can download the free trial to see for yourself.