How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Page 1: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Sponsored by

How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

© 2016 Monterey Technology Group Inc.

Page 2: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Thanks to

Made possible by

Page 3: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Preview of key points

Types of activity to audit in Exchange Online
  • Message tracking
  • Privileged access (admin)
  • Non-owner mailbox access

Using PowerShell to manage auditing in Exchange Online

Page 4: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Exchange Online

Run PowerShell as Admin, then connect a remote session to Exchange Online:

    Set-ExecutionPolicy RemoteSigned
    $UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session

Page 5: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Message tracking

Message flow

Who is emailing who?

Get-MessageTrace

https://blogs.technet.microsoft.com/eopfieldnotes/2014/12/16/message-trace-the-powershell-way/

http://o365info.com/performing-an-extended-message-trace-in-office-365/

Page 6: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Admin operations

  • Exporting mailboxes
  • Granting permissions
  • Setting up forwarding rules

Everything an admin does in Exchange is ultimately a PowerShell command

Exchange audits admin activity at the PowerShell level

Enable for the entire organization with:

    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * -AdminAuditLogParameters * -AdminAuditLogExcludedCmdlets *Mailbox*, *TransportRule*

Page 7: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Admin operations

Log via PowerShell
  • Interactive: Search-AdminAuditLog
      • Not detailed
  • Wait for email: New-AdminAuditLogSearch
      • Limited in result size

Log via Portal
  • Limited to pre-conceived search scenarios
  • Limited in result size
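As an added example that is not part of the deck, the script below runs in the Exchange Online session from the connection slide and pulls the three privileged operations the admin-operations slide names (mailbox exports, permission grants, forwarding changes) out of the admin audit log with Search-AdminAuditLog. The cmdlet watch list and the set of forwarding-related parameter names are my assumptions about what to treat as sensitive.

```powershell
# Added example, not from the deck. Assumes an Exchange Online remote PowerShell
# session is already imported (Import-PSSession from the connection slide).

# Cmdlets behind the three privileged operations on the slide (my watch list).
$Watch = @(
    'New-MailboxExportRequest',                                              # exporting mailboxes
    'Add-MailboxPermission', 'Add-RecipientPermission', 'Add-ADPermission',  # granting permissions
    'Set-Mailbox', 'New-InboxRule', 'Set-InboxRule',                         # forwarding (mailbox / inbox rule)
    'New-TransportRule', 'Set-TransportRule'                                 # forwarding (transport rule)
)
# Parameters that turn a routine mailbox or rule change into a forwarding change.
$ForwardParams = 'ForwardingAddress', 'ForwardingSmtpAddress', 'DeliverToMailboxAndForward',
                 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'BlindCopyTo', 'CopyTo'
$RuleCmdlets = 'Set-Mailbox', 'New-InboxRule', 'Set-InboxRule', 'New-TransportRule', 'Set-TransportRule'

# Sanity check: a cmdlet matched by -AdminAuditLogExcludedCmdlets is never written to the log,
# so an exclusion such as *Mailbox* silently hides New-MailboxExportRequest and Set-Mailbox.
$Cfg = Get-AdminAuditLogConfig
if (-not $Cfg.AdminAuditLogEnabled) { Write-Warning 'Admin audit logging is disabled' }
foreach ($pattern in $Cfg.AdminAuditLogExcludedCmdlets) {
    $hidden = $Watch | Where-Object { $_ -like $pattern }
    if ($hidden) { Write-Warning "Excluded pattern '$pattern' hides: $($hidden -join ', ')" }
}

# Last 30 days of matching admin operations (default -ResultSize is 1000).
$Events = Search-AdminAuditLog -Cmdlets $Watch -StartDate (Get-Date).AddDays(-30) `
                               -EndDate (Get-Date) -ResultSize 5000

$Report = foreach ($e in $Events) {
    # Report mailbox / rule cmdlets only when a forwarding parameter was actually set.
    if ($e.CmdletName -in $RuleCmdlets) {
        $setParams = $e.CmdletParameters | ForEach-Object Name
        if (-not ($setParams | Where-Object { $_ -in $ForwardParams })) { continue }
    }
    [pscustomobject]@{
        When    = $e.RunDate
        Who     = $e.Caller          # admin (or service account) that ran the cmdlet
        Cmdlet  = $e.CmdletName
        Target  = $e.ObjectModified  # mailbox or rule that was changed
        Success = $e.Succeeded
        Params  = ($e.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    }
}
$Report | Sort-Object When -Descending | Format-Table -AutoSize
```

Per the slide, the interactive cmdlet caps what it returns; for larger windows fall back to New-AdminAuditLogSearch and wait for the emailed XML.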

Page 8: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Non-Owner Mailbox Auditing

When does Bob access Alice's mailbox to
  • View her email
  • Send email as her
  • Delete email

Track that with mailbox auditing

Must enable via PowerShell for each mailbox:

    Set-Mailbox -Identity "John Smith" -AuditDelegate SendAs,SendOnBehalf,MessageBind,FolderBind -AuditEnabled $true

Page 10: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Non-Owner Mailbox Auditing

  • Don't enable -AuditOwner
  • Don't distinguish between -AuditDelegate and -AuditAdmin
      • Always enable both
      • Most things an admin does are logged as delegate
  • Bogus events being triggered by some automated process? Set-MailboxAuditBypassAssociation
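The two non-owner auditing slides above amount to a per-mailbox procedure; as an added example that is not the deck's own code, this script applies it to every user mailbox in the tenant: auditing on, the same non-owner actions for delegates and admins, owner auditing left off. The three delete actions and the service-account name are my additions (the slide lists only SendAs, SendOnBehalf, MessageBind and FolderBind).

```powershell
# Added example, not from the deck. Assumes an imported Exchange Online PowerShell session.

# Non-owner actions from the slide, plus the delete operations needed to answer
# "when does Bob delete Alice's email?" (my addition).
$NonOwnerActions = 'SendAs', 'SendOnBehalf', 'MessageBind', 'FolderBind',
                   'SoftDelete', 'HardDelete', 'MoveToDeletedItems'

$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

$Updated = foreach ($mbx in $Mailboxes) {
    # Idempotent: skip mailboxes that already audit every action for both delegates and admins.
    $missing = $NonOwnerActions | Where-Object {
        $_ -notin [string[]]$mbx.AuditDelegate -or $_ -notin [string[]]$mbx.AuditAdmin
    }
    if ($mbx.AuditEnabled -and -not $missing) { continue }

    # Same list for -AuditDelegate and -AuditAdmin (slide: "always enable both");
    # -AuditOwner is deliberately not set, so owner activity stays unlogged.
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
                -AuditDelegate $NonOwnerActions -AuditAdmin $NonOwnerActions
    $mbx.UserPrincipalName
}
"Updated $(@($Updated).Count) of $($Mailboxes.Count) user mailboxes"

# An automated process (backup, journaling, migration) flooding the log with delegate events?
# Exempt that one account instead of weakening auditing on every mailbox.
# 'svc-backup' is a hypothetical account name.
# Set-MailboxAuditBypassAssociation -Identity 'svc-backup' -AuditBypassEnabled $true

# Verify: list any user mailbox that still is not audited (new mailboxes need the same treatment).
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object UserPrincipalName, AuditEnabled
```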

Page 11: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Non-Owner Mailbox Auditing

How to get mailbox audit logs out?

This is complicated

Page 12: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Non-Owner Mailbox Auditing

How to get mailbox audit logs out?

  • Search-MailboxAuditLog: does not meet requirements
  • New-MailboxAuditLogSearch: the old way
      • No longer works on Exchange 2016 or Exchange Online because of severe limitations

Examples

Page 13: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Non-Owner Mailbox Auditing

Portal
  • Only useful for casual, targeted querying of recent activity
  • Can't search users

What does work?
  • O365 Management Activity API
      • Requires significant application programming
  • Check out Quest Change Auditor, coming up

Page 14: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Bottom line

  • Office 365 captures the audit data
  • If you have a specific case you want to research, you can probably find the activity using the online portal
  • If you want enterprise logging for compliance and security
      • Long-term archival
      • Powerful, comprehensive search
      • Alerting
      • Correlation with other activity feeds
  • You need more than base functionality
  • Check out Quest Change Auditor

© 2016 Monterey Technology Group Inc.

Page 15: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Change Auditor – Office 365 Exchange

Bryan Patton, CISSP

Page 16: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Confidential

Change Auditor

  • Active Directory / LDS
  • Azure Active Directory
  • Active Directory Queries
  • Logon, Logoff, User Sessions

  • Exchange
  • O365 Exchange Online
  • SQL Server
  • SharePoint
  • Skype for Business

  • Windows File Servers
  • EMC Celerra, Isilon
  • NetApp
  • Dell Fluid File System

  • Quest GPOADmin
  • Quest Active Roles
  • Quest Authentication Services
  • Quest Defender

Object protection

Page 17: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online


  • Change Auditor provides complete, real-time change auditing, in-depth forensics and comprehensive reporting on all key configuration, user and administrator changes

Change Auditor

  • Who made the change?
  • Where was the change made from?
  • What object was changed?
  • When was the change made?
  • Why was the change made (comment)?
  • Workstation: where the change originated from

Real-time smart alerts to any device

Page 18: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Demonstration

Page 19: How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Questions?

www.quest.com/change-auditor