Office 365 Mailbox Auditing Enabled by Default

Introduction

In Office 365, you can turn on mailbox audit logging to log mailbox access by mailbox owners, delegates, and administrators. By default, mailbox auditing in Office 365 isn’t turned on, this statement was true until Microsoft announced to enable Office 365 mailbox auditing by default for all mailboxes. This announcement is based on customer feedback to Microsoft to help improve the security of the services within Office 365. With mailbox audit logging for a user mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is on, some actions performed by administrators, delegates, and owners are logged by default.

Why Mailbox Auditing is Important?

Because mailboxes can contain sensitive, high business impact (HBI) information and personally identifiable information (PII), it’s important for you to keep track who logs on to the mailboxes in your organization and what actions are taken by the users or authorized personnel when they were given access to corporate information. It’s especially important to track access to mailboxes by delegate users.

Mailbox audit logging is important for any organization as it log mailbox access by mailbox owners, delegates (including administrators with full access permissions to mailboxes), and administrators.

Audit log entries include important information such as the client IP address, host name, and process or client used to access the mailbox. For items that are moved, the entry includes the name of the destination folder.

To improve security tooling available to customers to ensure customers have access to important audit data so they can investigate security incidents when needed, Microsoft is setting up the mailbox auditing enabled in Office 365 for every new mailbox.

Enabling this feature by default addresses a pain point with the current mailbox audit administration, Exchange administrators must configure the AuditEnabled setting on each mailbox to be audited after its created; certainly for bigger customers this is a very tedious task. This feature allows all of this to be done automatically tenant-wide. Any kind of mailbox event will be stored on the users mailboxes automatically without having to have user input.

Microsoft plan to roll this out in the next few months. This will not require any user/admin input, Microsoft will do all of the work in the background.

What is Included with Auditing?

Mailbox auditing for owner actions includes important scenarios to investigating compromised email accounts such as:

  • Mailbox Login events that record events with client access to user mailbox.
  • Mail actions to create and edit messages in any folders, delete actions to include moving a message to the Deleted Items folder or permanently removing messages.
  • Actions that are commonly used in attacks, creation of a mailbox’s Inbox Rule, adding delegates or delegating Calendar access to other users.

These Owner events will be added to the service’s default mailbox configuration for auditing. Additional events auditable for the mailbox’s Delegation capabilities include further valuable scenarios that will also be added as default:

  • Mails sent on behalf of an individual.
  • A Delegate’s action to delete messages in a user’s mailbox or move them around folders.

Disable Auditing for your organization

I have seen scenario’s where the customer would like to disable this feature although it’s highly recommended to enable mailbox auditing to keep track of activities performed within a mailbox for security reasons. In case if you need to disable mailbox auditing for your organization you can run the following powershell cmdlets to disable or enable the auditing. Before you ran these cmdlets, you need to connect with Exchange Online PowerShell using admin account.

Office 365 Mailbox Auditing Enabled by Default

Set-OrganizationConfig -AuditDisabled $True

To enable mailbox auditing, run the following PowerShell cmdlet:

Office 365 Mailbox Auditing Enabled by Default

Set-OrganisationConfig -AuditDisabled $false