How to Audit Exchange Online Activity

By Danny Murphy | Updated On - 10.05.2021 | Auditing

As the inevitable shift from self-hosted to cloud-based IT environments continues, Microsoft Office 365 products, such as Exchange Online, are becoming increasingly valuable to enterprises across the globe.

Exchange Online is quickly becoming the go-to solution for managing emails, calendars and contacts, to help your employees communicate and collaborate in a secure manner.

There are, however, understandable security concerns relating to storing sensitive data in the cloud, as you still have to trust a third party with your data. And let’s not forget, most data breaches are still caused by our own employees, one way or another.

Since the traditional moat-castle approach to protecting sensitive data is becoming less and less relevant, companies are adopting a more data-centric approach, which involves monitoring and reporting on potentially anomalous user activity.

How to Enable Mailbox Auditing in Exchange Online

Up until fairly recently, administrators were required to enable mailbox auditing for each user in the organization. As of January 2019, mailbox auditing in Exchange Online is enabled by default.

How to Audit Exchange Online Activities

Exchange Online provides auditing capabilities for both administrator and mailbox account activity. It allows you to monitor a wide range of activities, including service status, storage, and mailbox access and usage. The built-in auditing tools also enable you to keep track of any configuration issues you might have.

1- Auditing Exchange Online with the Exchange Admin Center

Within Exchange Online you can use the Exchange Admin Center to view reports that provide a full list of all actions performed by both administrators and regular users. You can find these reports under Compliance management -> Auditing. Exchange Online reports are generally more detailed than the Office 365 reports, although it helps if you know what kind of events you’re looking for in advance. You can view all configuration changes made by admins, changes made to In-Place eDiscovery, In-Place Holds, as well as keep track of unauthorized mailbox access.

2- Auditing Exchange Online with the Microsoft 365 Compliance Center

Reports for user activity and admin activity (Exchange admin audit logging) can be generated in the Microsoft 365 Compliance Center.

When an audited activity is performed by a user or admin, an audit record is generated and stored in the audit log. To access the audit reports available in the Microsoft 365 Compliance Center, navigate to the Office 365 Security & Compliance Center, where you will see options for alerts, reports, and more.

The Drawbacks of Native Auditing for Exchange Online

While the Office 365 reporting console (found in the Security and Compliance Center) is able to provide enough information to help you keep track of important changes, it’s not without its downsides.

For example, it’s not particularly user friendly and the sorting/searching options are not as good as most third-party Exchange Online auditing solutions. The audit logs show all events in your Office 365 implementation, which means that you will need to know what events you are looking for in advance. Searching the audit log can also take a long time to return data. The Exchange Online reporting console, on the other hand, provides more advanced filtering options, although the reports can still be difficult to read.

Another downside of the Exchange Online audit logs is that they can only be retained for a limited amount of time. For those with a non-E5 license, the logs can only be retained for 90 days, whereas those who have an E5 license can retain the logs for up to a year.

In most cases, this should suffice. However, some data breaches can occur months (sometimes years) before they are identified. In that case, a failure to conduct a complete forensic analysis of a breach that occurred beyond this retention period could mean failing to comply with the relevant data privacy regulations.
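
One way to keep audit data past the retention window described above is to export Exchange audit records on a schedule. The PowerShell below is an added example, not part of the original article or of Lepide's product; it assumes the ExchangeOnlineManagement module, and the admin UPN, archive folder and one-day window are placeholders.

```powershell
# Added example: archive Exchange Online audit records before they age out.
# Assumptions: ExchangeOnlineManagement module installed; the UPN, folder and
# one-day window are placeholders for your own tenant and schedule.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'auditor@contoso.example'

$outDir = 'C:\AuditArchive'
$end    = (Get-Date).ToUniversalTime().Date   # midnight UTC today
$start  = $end.AddDays(-1)                    # previous UTC day
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Mailbox auditing is on by default; warn if someone has turned it off.
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning 'Mailbox auditing on by default is disabled for this organization.'
}

foreach ($type in 'ExchangeAdmin', 'ExchangeItem', 'ExchangeItemGroup') {
    $sessionId = "archive-$type-$($start.ToString('yyyyMMdd'))-$([guid]::NewGuid())"
    $records   = @()
    do {
        # Repeating the call with the same SessionId returns the next page.
        $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -RecordType $type -SessionId $sessionId `
                    -SessionCommand ReturnLargeSet -ResultSize 5000)
        $records += $page
    } while ($page.Count -gt 0)

    if ($records.Count -eq 0) { continue }
    if ($records.Count -ge 50000) {
        Write-Warning "$type hit the 50,000-record session limit; use a shorter window."
    }

    # AuditData holds the full event as JSON; store one event per line.
    $file = Join-Path $outDir ('{0}-{1:yyyyMMdd}.jsonl' -f $type, $start)
    $records | Sort-Object CreationDate | ForEach-Object { $_.AuditData } |
        Set-Content -Path $file -Encoding UTF8

    # Record a SHA-256 per file; copy the manifest to separate, write-restricted
    # storage so changes to the archive can be detected later.
    $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    Add-Content -Path (Join-Path $outDir 'manifest.txt') -Value "$hash  $(Split-Path $file -Leaf)"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it daily from a scheduled task so that no day falls outside the 90-day window before it is archived.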

How Lepide Helps with Exchange Online Auditing

Lepide gives organizations more visibility into how their Office 365 data is being accessed, shared, modified or removed. Where Exchange Online auditing is concerned, the Lepide Data Security Platform can analyze permission changes and permissions to mailboxes, to help ensure that you are maintaining zero trust.

It provides detailed and intuitive pre-defined reports that cover a wide range of data protection regulations, such as GDPR, HIPAA, PCI, SOX, and more. The reports are easily searchable and cover all configuration and permission changes in Exchange Online, including changes to mailboxes, eDiscovery, Remote domain lists, Unified Messaging and policies.

To see how Lepide can help you audit Exchange Online, schedule a demo with one of our engineers or start your free trial today.
