Exchange Online: How to Detect Who Modified Mailbox Permissions

  • Article

Why It is Important

Anyone who gets mailbox permissions in Exchange Online gains access to all the contents of that mailbox. They can read messages, change or delete items, move content to another location, distribute it and more — without the mailbox owner even being aware of these actions. Therefore, to protect sensitive mailbox content and prevent data leakage, organizations need to continuously monitor mailbox permission changes and be able to quickly determine what permissions were modified and by whom.

Native Auditing

  1. Open Exchange Administrative Console in Internet Explorer → Navigate to "Compliance management" → Choose "Auditing" → Choose "Run the admin audit log report…"

  2. Choose a start date and end date → Click "Search". You will see all configuration changes made during the specified time period.

  3. Sort the list by cmdlet and find "Add-MailboxPermission" one → Click it for details

  4. You will see who changed permissions ("User"), which mailbox permissions were changed and how ("Parameters").

  5. Report example:

https://img.netwrix.com/landings/howtofriday/30/native.png

Credits

Originally posted - https://www.netwrix.com/how_to_monitor_mailbox_permission_changes.html