How to Detect Mailbox Permission Changes in Exchange Online

Download Lepide Exchange Online Auditor
Or Deploy With Our Virtual Appliance
In This Article

Detecting permission changes in Exchange Online mailboxes is important for ensuring security and compliance. If anybody is given permissions over Exchange Online mailboxes, he or she can read, change, delete or move mailbox content to other mailboxes (even ones outside the organization). To secure sensitive mailbox content and prevent data leakage, you will have to monitor mailbox permission changes continuously. In this article, we will show you how to detect mailbox permission changes in Exchange Online in two ways; native auditing and Lepide Exchange Online Auditor.

Step 1- Connecting to Exchange Server Online

Perform the following steps to connect to Exchange Online:

  1. Launch Windows PowerShell as an administrator, and run the following command to validate the credentails.
    $UserCredential = Get-Credential

    “Windows PowerShell Credential Request” dialog box appears. Enter the credentials of an Office 365 Global Admin Account, and click “OK”.

    Windows PowerShell Credential Request
    Figure 1: Windows PowerShell Credential Request
  2. Run this command in Windows PowerShell to create the session with Outlook of Office 365
    $Session = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri -Credential $UserCredential –Authentication Basic –AllowRedirection

    The following screenshot shows the command run in the Windows PowerShell:

    Command to create the session
    Figure 2: Command to create the session with Outlook of Office 365
  3. Run the following command
    Import-PSSession $Session
    Import PSSession command run
    Figure 3: Import PSSession command run

    If you run the “Get-Mailbox” command, you will determine whether you are connected to Exchange Online organization, and you will also get your organization’s mailboxes list. Run the following command:


    The following is the result of “Get-Mailbox” command run

    List of all Office 365 mailboxes
    Figure 4: List of all Office 365 mailboxes

Step 2 – Enable Online Exchange Server mailbox auditing

Once you have established a connection with the Exchange Online Server, the next step is to enable mailbox audit logging. Run this command:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
Enabling mailbox audit logging
Figure 5: Enabling mailbox audit logging

Step 3- Confirm whether the audit has been enabled or not

Use the “Get-Mailbox” command to check whether you have successfully enabled auditing.

A true value of the AuditEnabled property confirms that you have successfully enabled audit logging. Run the following command:

Get-mailbox | select UserPrincipalName, auditenabled, AuditDelegate, AuditAdmin
Office 365 mailboxes audit status
Figure 6: Office 365 mailboxes audit status

Step 4 – View the audit reports in the Office 365 portal

Perform the following steps to view the Office 365 audit reports:

  • Log into the Office 365 portal with an administrative account.
  • Select “Security & Compliance”.
  • Go to “Search & Investigation”.
  • In the “Activities” dropdown list, scroll down to “Exchange Mailbox Activities”  “Added delegate mailbox permissions” or “Removed delegate mailbox permissions”, as per requirement. In our case, we have selected “Added delegate mailbox permissions”.
    Added delegate mailbox permissions
    Figure 7: Selecting “Added delegate mailbox permissions” activity
  • Specify a “Start date” and “End date” and click “Search”.
    Search result
    Figure 8: Search result
  • Click on a record to view complete details.
    details of a permission change
    Figure 9: Details of a permission change

Drawbacks of native auditing

The following are the drawbacks of the native auditing.

  • It is complicated to enable auditing through complex Windows PowerShell commands.
  • Lacks the facility to show multiple online audit reports in one console.
  • Reading information from reports is a bit difficult. The “who, what, when, and where” questions of auditing are not answered in a single line record.
  • Filtering, grouping and sorting the reports is not easy.

Lepide Exchange Online Auditor – A better way to audit Exchange Online (Office 365)

Lepide Exchange Online Auditor (part of Lepide Data Security Platform) overcomes the drawbacks of native auditing. Configuring the solution is both simple and fast. The audit settings are easy to apply, and you start viewing audit reports quickly. You can add multiple Exchange Online Servers and view their reports from one console. The predefined reports answer the “who, what, when, and where” audit questions in a single line record. Working with these reports is very easy, as they enable you to filter, group and sort data as required.

The following image shows Exchange Server Online Permission Changes:

Permission Modifications in Exchange Online
Figure 10: All Permission Modifications in Exchange Online

Our Exchange Online audit solution lets you easily find the answer to who, what, when, and where question of mailbox auditing in a single line record. The real-time alerts for permission changes are delivered through email, updates to Radar Tab, and push-notifications to Lepide Mobile App.

Lepide Exchange Online Auditor makes auditing easier and faster. You can download the free trial to see for yourself.

Download Lepide Exchange Online Auditor

Or Deploy With Our Virtual Appliance