How to Detect Who Granted Full Access Permissions to Another User’s Mailbox

Native Auditing

1. Open the Exchange Management Shell, and run the following cmdlets:
   • Set-AdminAuditLogConfig – AdminAuditLogEnabled $true
   • Set-AdminAuditLogConfig – LogLevel Verbose (for Exchange 2013).
2. Run eventvwr.msc → Applications and Services Logs → MSExchange Management → search for log with cmdlet "Add(Remove)-MailboxPermission" – where you can find information about who changed You can also find this information in Exchange Admin Center in your browser → Compliance Management → Auditing → click "View the administrator audit log". mailbox permissions, when it happened, to what mailbox and what kind of access to whom was given.
3. You can also find this information in Exchange Admin Center in your browser → Compliance Management → Auditing → click "View the administrator audit log".
4. Also via power shell - Open the Exchange Management Shell and run the following cmdlet:
   • Search-AdminAuditLog –cmdlets Add(Remove)-MailboxPermission.

Netwrix Auditor for Exchange

1. Run Netwrix Auditor → Click "Reports" → choose Exchange → Choose "Mailbox Delegation and Permissions Changes" → click "View".