Monday, March 12, 2018

Enable mailbox auditing in Exchange Online

Office 365 can log and audit many actions in your tenant; however, much of this logging is not enabled by default and, in my opinion, should be turned on by an administrator.

Another point to consider is that you have to use Exchange Online PowerShell to enable mailbox audit logging. You can't use the Office 365 Security & Compliance Center or the Exchange admin center (i.e. the web interface).


After you have connected to Exchange Online using PowerShell, run the following command to view what audit settings are currently enabled for your mailboxes:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | FL Name,Audit*

[image: Get-Mailbox output listing each mailbox's Audit* properties]

That should produce a result as shown above. As you can see, the AuditEnabled option is currently set to False for all mailboxes, per:

By default, mailbox auditing in Office 365 isn’t turned on. That means mailbox auditing events won't appear in the results when you search the Office 365 audit log for mailbox activity. But after you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default.

which is detailed here:

https://support.office.com/en-us/article/enable-mailbox-auditing-in-office-365-aaca8987-5b62-458b-9882-c28476a66918#ID0EABAAA=Step-by-step_instructions

So to turn auditing on for all mailboxes execute the following PowerShell commands.

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true

If you wish to modify which events are actually audited, you can use the following. Note that there is a separate parameter for administrators, delegates and owners of the mailboxes:

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditAdmin @{Add="Copy","Create","FolderBind","HardDelete","MessageBind","Move","MoveToDeletedItems","SendAs","SendOnBehalf","SoftDelete","Update","UpdateFolderPermissions"}

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditDelegate @{Add="Copy","Create","FolderBind","HardDelete","MessageBind","Move","MoveToDeletedItems","SendAs","SendOnBehalf","SoftDelete","Update","UpdateFolderPermissions"}

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditOwner @{Add="Copy","Create","FolderBind","HardDelete","MessageBind","Move","MoveToDeletedItems","SendAs","SendOnBehalf","SoftDelete","Update","UpdateFolderPermissions"}

You’ll find all the details about these commands here:

Set-Mailbox: https://technet.microsoft.com/en-us/library/bb123981(v=exchg.160).aspx

[image: PowerShell window showing the Set-Mailbox commands returning to the prompt with no output]

In true PowerShell tradition, when you execute these commands correctly, you’ll just be returned to the command line as shown above.

[image: Get-Mailbox output showing AuditEnabled set to True and the expanded Audit* action lists]

If we re-examine our mailboxes we now see that auditing is enabled and that more actions are audited as expected.

By default, entries in the mailbox audit log are kept for 90 days. When an entry is older than 90 days, it's deleted. You can use the Set-Mailbox cmdlet to change this setting so items are kept for a longer (or shorter) period of time like so:

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditLogAgeLimit 180

which extends the retention of audit log entries to 180 days.
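The steps above (inspect, enable, widen the audited action sets, extend retention, verify) combined into one re-runnable script. This is an added example, not code from the original post. It assumes an already-open Exchange Online PowerShell session (Connect-ExchangeOnline from the ExchangeOnlineManagement module is one way to open it; the post does not show its own connection step), restricts itself to user mailboxes as the post's first Get-Mailbox command does, and reuses the post's action list and 180-day retention. The TimeSpan cast used in the verification step is my assumption about how AuditLogAgeLimit is returned.

```powershell
# Added example (not from the original post): enable and verify mailbox auditing
# for all user mailboxes in one idempotent pass. Assumes an existing Exchange
# Online PowerShell session; the post's own connection step is not shown.

# The action set the post applies to administrators, delegates and owners.
$AuditActions = @(
    "Copy","Create","FolderBind","HardDelete","MessageBind","Move",
    "MoveToDeletedItems","SendAs","SendOnBehalf","SoftDelete","Update",
    "UpdateFolderPermissions"
)
$RetentionDays = 180   # the post's example retention, up from the 90-day default

# Only user mailboxes, as in the post's first Get-Mailbox command.
$filter    = { RecipientTypeDetails -eq "UserMailbox" }
$mailboxes = Get-Mailbox -ResultSize Unlimited -Filter $filter

foreach ($mbx in $mailboxes) {
    # Enable auditing, extend the three audited action sets and set retention
    # in one call. @{Add=...} appends to what is already configured, so the
    # script can be re-run without removing actions added by someone else.
    Set-Mailbox -Identity $mbx.Identity `
        -AuditEnabled $true `
        -AuditAdmin    @{Add = $AuditActions} `
        -AuditDelegate @{Add = $AuditActions} `
        -AuditOwner    @{Add = $AuditActions} `
        -AuditLogAgeLimit $RetentionDays
}

# Verification: re-read the settings so that drift (a mailbox left unaudited,
# or retention shorter than requested) shows up in the script's own output.
$report = Get-Mailbox -ResultSize Unlimited -Filter $filter |
    Select-Object Name, AuditEnabled, AuditLogAgeLimit,
        @{Name = "AdminActions";    Expression = { ($_.AuditAdmin    | Sort-Object) -join "," }},
        @{Name = "DelegateActions"; Expression = { ($_.AuditDelegate | Sort-Object) -join "," }},
        @{Name = "OwnerActions";    Expression = { ($_.AuditOwner    | Sort-Object) -join "," }}

$notCompliant = $report | Where-Object {
    # Assumption: AuditLogAgeLimit renders as "180.00:00:00", which [TimeSpan] parses.
    (-not $_.AuditEnabled) -or
    ([TimeSpan]::Parse($_.AuditLogAgeLimit.ToString()).TotalDays -lt $RetentionDays)
}

$report | Format-Table Name, AuditEnabled, AuditLogAgeLimit -AutoSize
if ($notCompliant) {
    Write-Warning ("{0} mailbox(es) still not fully audited:" -f @($notCompliant).Count)
    $notCompliant | Format-Table Name, AuditEnabled, AuditLogAgeLimit -AutoSize
}
```

Because new mailboxes are created with auditing off, the value of this script is in scheduling it rather than running it once; the verification block at the end is what tells you whether a mailbox was missed.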

So, another way to improve the security of your Office 365 tenant is to enable mailbox auditing and extend the set of actions that are audited. You can only do this with PowerShell, but once you have the script you can re-run it as many times as you like. The power of PowerShell!