Detecting permission changes in Exchange Online mailboxes is important for ensuring security and compliance. Anybody who is given permissions over an Exchange Online mailbox can read, change, delete or move its content to other mailboxes (even ones outside the organization). To secure sensitive mailbox content and prevent data leakage, you have to monitor mailbox permission changes continuously. In this article, we will show you how to detect mailbox permission changes in Exchange Online in two ways: native auditing and LepideAuditor for Exchange Online.

Enabling Exchange Online Mailbox Auditing Natively

1.1 Connecting to Exchange Online

Perform the following steps to connect to Exchange Online:

1. Launch Windows PowerShell as an administrator, and run the following command to capture the credentials.

$UserCredential = Get-Credential

The “Windows PowerShell Credential Request” dialog box appears. Enter the credentials of an Office 365 Global Admin account, and click “OK”.

Figure 1: Windows PowerShell Credential Request

2. Run this command in Windows PowerShell to create the session with Office 365 (outlook.office365.com).

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

The following screenshot shows the command run in the Windows PowerShell:

Figure 2: Command to create the session with Outlook of Office 365

3. Run the following command to import the session.

Import-PSSession $Session

Figure 3: Import PSSession command run

To confirm that you are connected to the Exchange Online organization, run the “Get-Mailbox” command, which also lists your organization's mailboxes:

Get-Mailbox

The following is the result of running the “Get-Mailbox” command.

Figure 4: List of all Office 365 mailboxes

1.2 Enable Exchange Online mailbox auditing

Once you have established a connection with the Exchange Online Server, the next step is to enable mailbox audit logging. Run this command:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

Figure 5: Enabling mailbox audit logging

1.3 Confirm that auditing has been enabled

Use the “Get-Mailbox” command to check whether you have successfully enabled auditing.

A true value of the AuditEnabled property confirms that you have successfully enabled audit logging. Run the following command:

Get-Mailbox | Select-Object UserPrincipalName, AuditEnabled, AuditDelegate, AuditAdmin

Figure 6: Office 365 mailboxes audit status

2. View the audit reports in the Office 365 portal

Perform the following steps to view the Office 365 audit reports:

  • Log into the Office 365 portal with an administrative account.
  • Select "Security & Compliance".
  • Go to "Search & Investigation".
  • In the "Activities" dropdown list, scroll down to “Exchange Mailbox Activities” and select “Added delegate mailbox permissions” or “Removed delegate mailbox permissions”, as required. In our case, we have selected "Added delegate mailbox permissions".
    Figure 7: Selecting "Added delegate mailbox permissions" activity
  • Specify a "Start date" and "End date" and click "Search".
    Figure 8: Search result
  • Click on a record to view complete details.
    Figure 9: Details of a permission change
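
The same search can also be run from PowerShell. The following is an added example, not part of the original article: it flattens unified audit log records for the two activities above into one line per event. It assumes the Search-UnifiedAuditLog cmdlet is available in the connected session and that AuditData follows the Exchange admin record layout; the function name and the sample record are constructed for illustration.

```powershell
# Added example: one line per mailbox permission change (who, what, when, where).
# "Added/Removed delegate mailbox permissions" in the portal correspond to the
# Add-MailboxPermission / Remove-MailboxPermission operations.

function ConvertTo-PermissionChange {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Record   # any object with an AuditData property holding JSON
    )
    process {
        $data = $Record.AuditData | ConvertFrom-Json

        # The cmdlet arguments are stored as a list of Name/Value pairs.
        $p = @{}
        foreach ($item in $data.Parameters) { $p[$item.Name] = $item.Value }

        [pscustomobject]@{
            When         = [datetime]$data.CreationTime
            Who          = $data.UserId
            What         = $data.Operation
            Mailbox      = $p['Identity']
            Delegate     = $p['User']
            AccessRights = $p['AccessRights']
            Result       = $data.ResultStatus
        }
    }
}

# Constructed sample record (not real tenant data), so the function runs offline.
$sample = [pscustomobject]@{
    AuditData = @'
{"CreationTime":"2018-06-01T09:15:42","Operation":"Add-MailboxPermission",
 "ResultStatus":"True","UserId":"admin@contoso.example",
 "Parameters":[{"Name":"Identity","Value":"cfo@contoso.example"},
               {"Name":"User","Value":"temp.contractor@contoso.example"},
               {"Name":"AccessRights","Value":"FullAccess"}]}
'@
}
$sample | ConvertTo-PermissionChange | Format-Table -AutoSize

# Live use in a connected session (last 7 days):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -Operations Add-MailboxPermission,Remove-MailboxPermission -ResultSize 5000 |
#     ConvertTo-PermissionChange | Sort-Object When
```
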
Drawbacks of native auditing

The following are the drawbacks of native auditing.

  • Enabling auditing requires complex Windows PowerShell commands.
  • It lacks the facility to show multiple online audit reports in one console.
  • Reading information from reports is a bit difficult. The "who, what, when, and where" questions of auditing are not answered in a single-line record.
  • Filtering, grouping and sorting the reports is not easy.

LepideAuditor – A better way to audit Exchange Online (Office 365)

LepideAuditor for Office 365 (Exchange Online) overcomes the drawbacks of native auditing. Configuring the solution is both simple and fast. The audit settings are easy to apply, and you start viewing audit reports quickly. You can add multiple Exchange Online Servers and view their reports from one console. The predefined reports answer the "who, what, when, and where" audit questions in a single line record. Working with these reports is very easy, as they enable you to filter, group and sort data as required.

The following image shows Exchange Server Online Permission Changes:

Figure 10: All Permission Modifications in Exchange Online

Our Exchange Online audit solution lets you easily find the answers to the who, what, when, and where questions of mailbox auditing in a single-line record. Real-time alerts for permission changes are delivered through email, updates to the Radar Tab, and push notifications to the LepideAuditor App.

LepideAuditor makes auditing easier and faster. You can download the free trial to see for yourself.



Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.