Why It Is Important to Keep an Eye on Your Office 365 Administrators

Jason Coggins by   07.13.2018   Auditing

It may not surprise you to learn that user error is one of the biggest risks to your IT security that you can face. In particular, careless or malicious administrators can have a disastrous effect on the integrity of your systems and data. Whether you are an enterprise organization with a team of admins, or a small business with just one, it’s important that you know exactly what they are up to and what changes they are making.

The Danger of Trust

As an Office 365 administrator, it’s more than likely that you monitor the ways in which your users are interacting with this platform – as you know the potential risks badly structured security policies and configurations and the risks of excessive privilege. Why do you do this? It’s not because you don’t trust your users to be responsible with their privileges, it’s just good practice.

The same kind of attention needs to be placed on monitoring the activities of your Admins. Trust is not a security policy. Rogue admins, or careless admins have far more ability to damage your organization than anyone else. Whether you trust them with this level of responsibility or not, monitoring their activities is simply good practice.

How Do You Get Started?

Well, firstly you need to sort out your admin roles in Office 365. If you’re a small business, it’s likely that you won’t need to split roles out between different admins as they can be controlled by a single Global Administrator. If, however, your organization is a bit larger, you can split the workload between eight different roles.

  • Global Admin
  • Billing Admin
  • Password Admin
  • Service Admin
  • User Management Admin
  • Exchange Admin
  • SharePoint Admin
  • Skype for Business Admin

You do not have to assign all of these roles to different people, it depends on your organization. If you do choose to spread these responsibilities out, be very careful about the people you pick to take up the roles. You should choose not only people that you trust but people that know the responsibility of an admin position and the best practices for being secure. They should know how to make changes to the Office 365 environment safely in order to minimize the risk of data breach incidents.

A Use Case

Imagine the following scenario.

One of your admins has gone into your Office 365 environments and accidentally deleted a large number of user accounts. This person realized the mistake they made and reversed the change, bringing the user accounts back. However, you have received numerous complaints that valuable data has been lost in the process. What do you do?

Clearly, this incident warrants investigation and action so that it doesn’t happen again. But where do you start?

Thankfully, there are a number of ways that you can monitor what your Office 365 admins are up to. One is by using the Audit Log Search function in the Office 365 Security and Compliance Center. From this function, you can view a list of all the activities your admins have made in Office 365, so it is the perfect place to begin your investigation.

The Audit Log Search contains information on almost every change or activity in your environment that you can imagine. The powerful searching and filtering functionality also makes investigations fairly simple. The only thing you have to be wary of is the sheer number of available events to choose from. Just make sure you have it clear in your head what you are looking for before you begin your search.

The Limitations of Office 365 Audit Logs

There are a number of reasons why using native auditing when it comes to monitoring your Office 365 users isn’t the best method, despite its seemingly powerful auditing features.

Firstly, Audit Logging isn’t automatically running in the background of your Office 365 environment – with the one exception being Exchange Online. You will need to go into the Office 365 Security and Compliance Center and activate it manually. The problem with this is that if you experience an incident that highlights the need for enabling Audit Logging, you won’t be able to investigate that incident as the audit logs won’t exist.

Secondly, as mentioned above, there is a huge volume of raw event logs that you will have to sift through in order to get to the key information you need. With no easy way of separating the key information from the noise, it can take a lot of time, care and attention to draw anything meaningful from the Audit Log Search.

Thirdly, even if you enabled Audit Logging years ago, the audit logs are only stored for 90 days. A large proportion of data breaches are not identified immediately, in some cases going unnoticed for years. If you’re having to rely on Audit Logging to investigate incidents like this, you’re in trouble, as the audit logs simply won’t miss.

Fourthly, it can be very difficult to isolate the action your admins are taking in the Security and Compliance Center, as the Audit Logging diligently records all the activities in your Office 365 environment, regardless of whether it was a user or an admin that was involved. The filtering capabilities of The Audit Log Search do not give you an easy way to separate out user and admin, all adding to the time it would take you to investigate an incident.

A Better Way to Audit Office 365 Changes

There is a way to overcome these limitations, and it may not be as expensive, complex or difficult to deploy as you would think. Office 365 auditing solutions, like LepideAuditor, enable you to easily see what changes your admins are making in your Office 365 environment; including changes to privileged users/groups, configurations and permissions.

Once deployed, LepideAuditor runs continuously in the background, collecting and storing change information for much longer than the 90-day cut-off you get with native auditing. What’s more, the searching, sorting and filtering capabilities are far superior, allowing you to see exactly what activities your admins have been up to. Reports and can be delivered periodically and alerts received in real time to ensure that data breach incidents do not go unnoticed for long periods of time.

If you want to see more about how LepideAuditor can help you monitor your Office 365 admins, click here.

Do you like this blog post?

Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.