How to Detect Mailbox Permission Changes in Exchange Online

Step 1- Connecting to Exchange Server Online

Perform the following steps to connect to Exchange Online:

1. Launch Windows PowerShell as an administrator, and run the following command to validate the credentails.

   $UserCredential = Get-Credential

   “Windows PowerShell Credential Request” dialog box appears. Enter the credentials of an Office 365 Global Admin Account, and click “OK”.

   

2. Run this command in Windows PowerShell to create the session with Outlook of Office 365

   $Session = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential –Authentication Basic –AllowRedirection

   The following screenshot shows the command run in the Windows PowerShell:

   

3. Run the following command

   Import-PSSession $Session

   

   If you run the “Get-Mailbox” command, you will determine whether you are connected to Exchange Online organization, and you will also get your organization’s mailboxes list. Run the following command:

   Get-Mailbox

   The following is the result of “Get-Mailbox” command run

   

Step 2 – Enable Online Exchange Server mailbox auditing

Once you have established a connection with the Exchange Online Server, the next step is to enable mailbox audit logging. Run this command:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

Step 3- Confirm whether the audit has been enabled or not

Use the “Get-Mailbox” command to check whether you have successfully enabled auditing.

A true value of the AuditEnabled property confirms that you have successfully enabled audit logging. Run the following command:

Get-mailbox | select UserPrincipalName, auditenabled, AuditDelegate, AuditAdmin

Step 4 – View the audit reports in the Office 365 portal

Perform the following steps to view the Office 365 audit reports:

• Log into the Office 365 portal with an administrative account.
• Select “Security & Compliance”.
• Go to “Search & Investigation”.
• In the “Activities” dropdown list, scroll down to “Exchange Mailbox Activities”  “Added delegate mailbox permissions” or “Removed delegate mailbox permissions”, as per requirement. In our case, we have selected “Added delegate mailbox permissions”.

  

• Specify a “Start date” and “End date” and click “Search”.

  

• Click on a record to view complete details.

  

Drawbacks of native auditing

The following are the drawbacks of the native auditing.

• It is complicated to enable auditing through complex Windows PowerShell commands.
• Lacks the facility to show multiple online audit reports in one console.
• Reading information from reports is a bit difficult. The “who, what, when, and where” questions of auditing are not answered in a single line record.
• Filtering, grouping and sorting the reports is not easy.

Lepide Exchange Online Auditor – A better way to audit Exchange Online (Office 365)

Lepide Exchange Online Auditor (part of Lepide Data Security Platform) overcomes the drawbacks of native auditing. Configuring the solution is both simple and fast. The audit settings are easy to apply, and you start viewing audit reports quickly. You can add multiple Exchange Online Servers and view their reports from one console. The predefined reports answer the “who, what, when, and where” audit questions in a single line record. Working with these reports is very easy, as they enable you to filter, group and sort data as required.

The following image shows Exchange Server Online Permission Changes:

Our Exchange Online audit solution lets you easily find the answer to who, what, when, and where question of mailbox auditing in a single line record. The real-time alerts for permission changes are delivered through email, updates to Radar Tab, and push-notifications to Lepide Mobile App.

Lepide Exchange Online Auditor makes auditing easier and faster. You can download the free trial to see for yourself.