
How to Detect Mailbox Permission Changes in Exchange Online

by Josh Van Cott

Detecting permission changes in Exchange Online mailboxes is important for ensuring security and compliance. Anyone who is granted permissions over an Exchange Online mailbox can read, change, delete or move its content to other mailboxes (even ones outside the organization). To secure sensitive mailbox content and prevent data leakage, you need to monitor mailbox permission changes continuously. In this article, we will show you how to detect mailbox permission changes in Exchange Online in two ways: native auditing and Lepide Exchange Online Auditor.

Enabling Exchange Online Mailbox Auditing Natively

Connecting to Exchange Online

Perform the following steps to connect to Exchange Online:

  1. Launch Windows PowerShell as an administrator, and run the following command to enter the credentials:

    $UserCredential = Get-Credential

    The “Windows PowerShell Credential Request” dialog box appears. Enter the credentials of an Office 365 Global Admin account, and click “OK”.

    Figure 1: Windows PowerShell Credential Request
  2. Run this command in Windows PowerShell to create the session with Exchange Online (Office 365):

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

    The following screenshot shows the command run in the Windows PowerShell:

    Figure 2: Command to create the session with Outlook of Office 365
  3. Run the following command to import the session:

    Import-PSSession $Session
    Figure 3: Import PSSession command run

    Running the “Get-Mailbox” command confirms that you are connected to the Exchange Online organization and lists your organization’s mailboxes. Run the following command:

    Get-Mailbox

    The following is the result of the “Get-Mailbox” command:

    Figure 4: List of all Office 365 mailboxes

Enable Exchange Online mailbox auditing

Once you have established a connection with Exchange Online, the next step is to enable mailbox audit logging. Run this command:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
Figure 5: Enabling mailbox audit logging

Confirm whether the audit has been enabled or not

Use the “Get-Mailbox” command to check whether you have successfully enabled auditing.

A true value of the AuditEnabled property confirms that you have successfully enabled audit logging. Run the following command:

Get-Mailbox | Select-Object UserPrincipalName, AuditEnabled, AuditDelegate, AuditAdmin
Figure 6: Office 365 mailboxes audit status

View the audit reports in the Office 365 portal

Perform the following steps to view the Office 365 audit reports:

  • Log into the Office 365 portal with an administrative account.
  • Select “Security & Compliance”.
  • Go to “Search & Investigation”.
  • In the “Activities” dropdown list, scroll down to “Exchange Mailbox Activities” and select “Added delegate mailbox permissions” or “Removed delegate mailbox permissions”, as required. In our case, we have selected “Added delegate mailbox permissions”.
    Figure 7: Selecting “Added delegate mailbox permissions” activity
  • Specify a “Start date” and “End date” and click “Search”.
    Figure 8: Search result
  • Click on a record to view complete details.
    Figure 9: Details of a permission change
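
The same permission-change records can also be read with PowerShell and flattened into one who/what/when/where row per change. The following is an added example, not part of the original article or of Lepide's product. The function name ConvertTo-PermissionChange, the contoso.example sample records and the AuditData field layout (CreationTime, UserId, Operation, Parameters) are assumptions to check against records from your own tenant.

```powershell
# Added example: flatten mailbox permission audit records into single rows.
function ConvertTo-PermissionChange {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$AuditData   # JSON text from the AuditData property of an audit record
    )
    process {
        $rec = $AuditData | ConvertFrom-Json
        # Cmdlet parameters arrive as Name/Value pairs; index them by name.
        $p = @{}
        foreach ($item in $rec.Parameters) { $p[$item.Name] = $item.Value }
        [pscustomobject]@{
            When         = [datetime]$rec.CreationTime
            Who          = $rec.UserId
            What         = $rec.Operation
            Mailbox      = $p['Identity']
            Delegate     = $p['User']
            AccessRights = $p['AccessRights']
        }
    }
}

# Constructed AuditData payloads (placeholder tenant contoso.example, not real data).
$sample = @(
    '{"CreationTime":"2024-01-15T09:12:44","Operation":"Add-MailboxPermission","UserId":"admin@contoso.example","Parameters":[{"Name":"Identity","Value":"cfo@contoso.example"},{"Name":"User","Value":"temp01@contoso.example"},{"Name":"AccessRights","Value":"FullAccess"}]}',
    '{"CreationTime":"2024-01-15T09:40:02","Operation":"Remove-MailboxPermission","UserId":"admin@contoso.example","Parameters":[{"Name":"Identity","Value":"hr@contoso.example"},{"Name":"User","Value":"intern@contoso.example"},{"Name":"AccessRights","Value":"FullAccess"}]}',
    '{"CreationTime":"2024-01-14T22:03:10","Operation":"Add-MailboxPermission","UserId":"helpdesk@contoso.example","Parameters":[{"Name":"Identity","Value":"legal@contoso.example"},{"Name":"User","Value":"paralegal@contoso.example"},{"Name":"AccessRights","Value":"ReadPermission"}]}'
)

$changes = $sample | ConvertTo-PermissionChange | Sort-Object When
$changes | Format-Table -AutoSize

# Review list: every new FullAccess grant, with who granted it and to whom.
$changes |
    Where-Object { $_.What -eq 'Add-MailboxPermission' -and $_.AccessRights -match 'FullAccess' } |
    Select-Object When, Who, Mailbox, Delegate

# Live tenant (needs an Exchange Online PowerShell session, e.g. Connect-ExchangeOnline,
# and a role that can search the audit log):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -Operations Add-MailboxPermission,Remove-MailboxPermission -ResultSize 1000 |
#     Select-Object -ExpandProperty AuditData | ConvertTo-PermissionChange
```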

Drawbacks of native auditing

The following are the drawbacks of the native auditing.

  • It is complicated to enable auditing through complex Windows PowerShell commands.
  • It lacks the facility to show multiple online audit reports in one console.
  • Reading information from reports is a bit difficult. The “who, what, when, and where” questions of auditing are not answered in a single line record.
  • Filtering, grouping and sorting the reports is not easy.

Lepide Exchange Online Auditor – A better way to audit Exchange Online (Office 365)

Lepide Exchange Online Auditor (part of Lepide Data Security Platform) overcomes the drawbacks of native auditing. Configuring the solution is both simple and fast. The audit settings are easy to apply, and you start viewing audit reports quickly. You can add multiple Exchange Online Servers and view their reports from one console. The predefined reports answer the “who, what, when, and where” audit questions in a single line record. Working with these reports is very easy, as they enable you to filter, group and sort data as required.

The following image shows Exchange Server Online Permission Changes:

Figure 10: All Permission Modifications in Exchange Online

Our Exchange Online audit solution lets you easily find the answers to the who, what, when, and where questions of mailbox auditing in a single line record. The real-time alerts for permission changes are delivered through email, updates to Radar Tab, and push-notifications to Lepide Mobile App.

Lepide Exchange Online Auditor makes auditing easier and faster. You can download the free trial to see for yourself.