This is part of a series of articles about email security in Microsoft 365. Please check out previous articles here:
End to End email protection with Microsoft 365 – Part 1
End to End email protection with Microsoft 365 – Part 2
End to End email protection with Microsoft 365 – Part 3
End to End email protection with Microsoft 365 – Part 4
End to End email protection with Microsoft 365 – Part 5
These articles are based on a model I have previously created, which you can read about here:
CIAOPS Cyber protection model
designed to help better explain expansive security included with Microsoft 365.
Email reporting and auditing
It’s now time to look at all the logging that occurs during even the simply process of receiving and viewing an email. For starters there is:
Message trace in the modern Exchange admin center
Message trace in the Security & Compliance Center follows email messages as they travel through your Exchange Online organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.
There is also reporting options like:
Mail flow insights in the Security & Compliance Center
Mail flow reports in the Reports dashboard in Security & Compliance Center
as well as:
Microsoft 365 Reports in the admin center – Email activity
If you want to specifically look at email security there is:
Email security reports in the Security & Compliance Center
as well as:
Defender for Office 365 reports in the Reports dashboard in the Security & Compliance Center
Reports for data loss prevention (DLP)
I have also spoken about the importance of the Unified Audit Logs (UAL) in Microsoft 365:
Enable activity auditing in Office 365
Unified Audit Logs in Microsoft 365
and you need to ensure that these have been enabled so that you can:
View mailbox auditing
Starting in January 2019, Microsoft is turning on mailbox audit logging by default for all organizations. This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged, and the corresponding mailbox audit records will be available when you search for them in the mailbox audit log.
Here are some benefits of mailbox auditing on by default:
Auditing is automatically enabled when you create a new mailbox. You don’t need to manually enable it for new users.
You don’t need to manage the mailbox actions that are audited. A predefined set of mailbox actions are audited by default for each logon type (Admin, Delegate, and Owner).
When Microsoft releases a new mailbox action, the action might be automatically added to the list of mailbox actions that are audited by default (subject to the user having the appropriate license). This means you don’t need to monitor add new actions on mailboxes.
You have a consistent mailbox auditing policy across your organization (because you’re auditing the same actions for all mailboxes).
With this auditing enabled you can do things like:
Reporting mailbox logins
Search the Office 365 activity log for failed logins
as well as
Audit Office 365 user logins via PowerShell
Many of the reports that you find in the Microsoft 365 Admin area can be scheduled to be sent via email per:
Scheduling compliance reports
Apart from auditing and security you can also do more typical things like:
Viewing mailbox usage
Viewing Email apps usage
The availability of all this data is covered here:
Reporting and message trace data availability and latency
typically being 90 days.
User reporting and auditing
For information more specifically about user logins into the service and the Identity container, the best place to look is in Azure Active Directory (AD).
What are Azure Active Directory reports?
Find activity reports in the Azure portal
Azure Active Directory sign-in activity reports – preview
Audit activity reports in the Azure Active Directory portal
and if you want use PowerShell
Azure AD PowerShell cmdlets for reporting
Device reporting and auditing
There are lots of options when it comes to monitoring and reporting on devices. Apart from what is offered locally you also have:
Create diagnostic settings to send platform logs and metrics to different destinations
Manage devices with endpoint security in Microsoft Intune
You can even get telemetry data and analytics reports from your desktop applications via:
Windows Desktop Application Program
Aggregated data reporting and monitoring
As you can see with all the options above, it is easy to get to information overload trying to keep up with all those signals. Luckily Microsoft provides a range of services to aggregate all this for you to make monitoring and report easier.
The first is Microsoft Cloud App Security services:
Cloud App Discovery/Security
Microsoft Cloud App Security overview
Microsoft Cloud App Security data security and privacy
There are plenty of reasons why you really should have Microsoft Cloud App Security in your environment:
A great security add on for Microsoft 365
Office 365 Cloud App Discovery
Next, is Microsoft Defender for Endpoint that will aggregate security and threat information for devices in your environment and make it available in a single console.
Overview of Microsoft Defender Security Center
Microsoft Defender Security Center portal overview
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint evaluation lab
Finally for me, there is Azure Sentinel, which I see as really the ultimate hub for event reporting, monitoring and alrtign across the whole service.
Another great security add on for Microsoft 365
Introduction to Azure Sentinel
Azure Sentinel is a service that growing in features rapidly:
A couple of new additions to Azure Sentinel
Stay ahead of threats with new innovations from Azure Sentinel
Hopefully, all this gives you some insight into all the auditing and usage data that Microsoft 365 captures during any interaction within the service. One of the biggest benefits is also how this information is integrated between services, especially those that aggregate information lime Microsoft Cloud App Security and Azure Sentinel. This means you don’t have to crawl through individual log entries, you can use a dashboard and drill down from there. I also like the fact that all of these services and data are accessible using a scripting tool like PowerShell if you want to automate this further.
Remember, throughout this six part series I’ve just looked at what happens when a single email is delivered and view with Microsoft 365. If you expand that out to all the services and capabilities that Microsoft 365 provides you can hopefully get a better appreciate of the protection it provides in place for your data on many different levels.
The call to action for readers is to go away and implement all the security features that Microsoft 365 provides. This may of course vary by the license that you have. You should then consider what additional security offerings the Microsoft cloud stack can offer that makes sense for your business, then implement those. Remember, security is not a destination, it is journey.