How to Detect Who Accessed Another User’s Mailbox in Exchange Online

Native Auditing vs. Netwrix Auditor for Office 365

Native Auditing Netwrix Auditor for Office 365
  1. Open PowerShell → Run the following command to connect with Exchange Online instance and enter your credentials in the pop-up window:

    $UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session

  2. To enable mailbox auditing run:
    • For a single mailbox:
      Set-Mailbox –Identity "TestUser" -AuditEnabled $true
    • For all mailboxes:
      $UserMailboxes = Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
      $UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}
    • To check what mailboxes have auditing enabled run:
      Get-Mailbox  | FL Name,AuditEnabled
  3. Open Exchange Administration Center → Navigate to "Compliance Management" Auditing.
  4. Click "Run a non-owner mailbox access report". You will get the report on non-owner access to all mailboxes with enabled auditing over the past two weeks.
  5. To view non-owner access to a specific mailbox Click on a mailbox to view all non-owner access events with the details.
  1. Run Netwrix Auditor → Click "Reports" → Choose Exchange Online → Choose "All Exchange Non-Owner Mailbox Access Events" → Click "View".
  2. In order to save a report, click "Export" button → PDF → Save as → Choose a location to save it.

Promptly Detect Access to Shared Mailboxes to Ensure Data Security

Using shared mailboxes in Office 365 can facilitate communication in team projects. However, giving multiple users access permissions for the same mailbox increases the risk of security incidents and leaks of sensitive data. Non-owners with access rights can, unintentionally or maliciously, forward a message, move an e-mail with sensitive content to another location, or — even worse — delete something important from an Exchange Online shared mailbox.

To better protect data and minimize risk, IT pros need to continually monitor non-owner access to any shared mailbox in Office 365. Netwrix Auditor for Exchange Online tracks all access to other users’ mailboxes and shared mailboxes in Office 365. By subscribing to the All Exchange Online Non-Owner Mailbox Access Events by User report, IT pros can quickly identify who accessed another user’s mailbox, including any Office 365 shared mailbox, and see exactly what actions, sanctioned or unsanctioned, were performed.

Got Feedback? Share!