How to Detect Who Modified Mailbox Permissions in Exchange Online


Native Auditing vs. Netwrix Auditor for Office 365

Native Auditing Netwrix Auditor for Office 365
Steps
  1. Open Exchange Administrative Console in Internet Explorer → Navigate to "Compliance management" → Choose "Auditing" → Choose "Run the admin audit log report…"
  2. Choose a start date and end date → Click "Search". You will see all configuration changes made during the specified time period.

  3. Sort the list by cmdlet and find "Add-MailboxPermission" one → Click on it for details

  4. You will see who changed permissions ("User"), which mailbox permissions were changed and how ("Parameters").

  1. Run Netwrix Auditor → Navigate to "Search" → Click "Advanced" and specify the following criteria:
    • Filter – "Audited System";
      Operator – "=(Equals)";
      Value – "Exchange Online"
    • Filter – "Details";
      Operator – "Contains";
      Value – "Access Rights"
  2. Click "Modify" → Click "Search".

  3. After that, you will see which mailbox permissions were modified, who did that and when it was done.


Continuously Monitor Mailbox Permissions to Timely Detect Unauthorized Changes

Anyone who gets mailbox permissions in Exchange Online gains access to all the contents of that mailbox. They can read messages, change or delete items, move content to another location, distribute it and more — without the mailbox owner even being aware of these actions. Therefore, to protect sensitive mailbox content and prevent data leakage, organizations need to continuously monitor mailbox permission changes and be able to quickly determine what permissions were modified and by whom.

Netwrix Auditor for Office 365 delivers complete visibility into hybrid cloud IT environments, including mailbox permission changes and data access in on-premises Exchange and Exchange Online. The solution informs about every Exchange Online change, improving Office 365 email security. With Netwrix Auditor Interactive Search feature, IT pros can determine in minutes which mailbox permissions were modified, who set new mailbox permissions, and when each change happened — mitigating the risk of data leaks.

Got Feedback? Share!