Sponsored by
How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online
© 2016 Monterey Technology Group Inc.
Thanks to
• Made possible by
Preview of key points
• Types of activity to audit in Exchange Online
  • Message tracking
  • Privileged access (admin)
  • Non-owner mailbox access
• Using PowerShell to manage auditing in Exchange Online
Exchange Online
• Run PowerShell as Admin
• Set-ExecutionPolicy RemoteSigned
• $UserCredential = Get-Credential
• $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
• Import-PSSession $Session
Message tracking
• Message flow
• Who is emailing who?
• Get-MessageTrace
  • https://blogs.technet.microsoft.com/eopfieldnotes/2014/12/16/message-trace-the-powershell-way/
  • http://o365info.com/performing-an-extended-message-trace-in-office-365/
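An added example (not from the slides) of the "who is emailing who?" question answered with Get-MessageTrace: it pages through the trace for the last 7 days, then summarises sender/recipient pairs and delivery status. It assumes the Exchange Online session from the previous slide is already imported; the 7-day window and page size are choices made here, and Get-MessageTrace itself only covers roughly the last 10 days, so older questions need the extended trace the second link describes.

```powershell
# Added example: page through Get-MessageTrace and summarise message flow.
# Assumes an imported Exchange Online remote PowerShell session (slide 4).
$end   = Get-Date
$start = $end.AddDays(-7)          # window chosen for this example
$pageSize = 5000                   # maximum the cmdlet allows per page
$page  = 1
$all   = @()

# -Page/-PageSize are the cmdlet's own paging switches; keep pulling pages
# until a page comes back short, which means we have reached the end.
do {
    $batch = Get-MessageTrace -StartDate $start -EndDate $end `
                              -PageSize $pageSize -Page $page
    $all  += $batch
    $page++
} while ($batch.Count -eq $pageSize)

# Sender -> recipient pairs, most frequent first
$all |
    Group-Object SenderAddress, RecipientAddress |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize

# Delivery status breakdown for the same window (Delivered, Failed, Quarantined, ...)
$all | Group-Object Status | Select-Object Name, Count

# Everything a single external sender delivered into the tenant in that window
$all |
    Where-Object { $_.SenderAddress -like '*@example.net' -and $_.Status -eq 'Delivered' } |
    Select-Object Received, SenderAddress, RecipientAddress, Subject |
    Sort-Object Received -Descending
```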
Admin operations
• Exporting mailboxes
• Granting permissions
• Setting up forwarding rules
• Everything an admin does in Exchange is ultimately a PowerShell command
  • Exchange audits admin activity at the PowerShell level
  • Enable for the entire organization with
    • Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * -AdminAuditLogParameters * -AdminAuditLogExcludedCmdlets *Mailbox*, *TransportRule*
Admin operations
• Log via PowerShell
  • Interactive: Search-AdminAuditLog
    • Not details
  • Wait for email: New-AdminAuditLogSearch
    • Limited in result size
• Log via Portal
  • Limited to pre-conceived search scenarios
  • Limited in result size
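An added example (not from the slides) that ties the two admin-operations slides together: it turns on admin audit logging for the organization, then uses Search-AdminAuditLog interactively and New-AdminAuditLogSearch for a mailed report, both scoped to the "granting permissions" and "setting up forwarding rules" cases named above. It assumes an imported Exchange Online session; the 30-day window and the report recipient are placeholders. One caveat worth knowing before copying the earlier slide's command: an exclusion pattern of *Mailbox* also matches Set-Mailbox and Add-MailboxPermission, which are exactly the cmdlets behind those two operations, so this example excludes nothing.

```powershell
# Added example: enable organization-wide admin audit logging, then search it
# for permission grants and forwarding changes.
# Assumes an imported Exchange Online remote PowerShell session (slide 4).

# Log every cmdlet and every parameter; an empty exclusion list keeps
# Set-Mailbox / Add-MailboxPermission in scope (a *Mailbox* wildcard would drop them).
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets * -AdminAuditLogParameters * `
    -AdminAuditLogExcludedCmdlets $null

# Confirm the effective configuration
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets,
                AdminAuditLogParameters, AdminAuditLogExcludedCmdlets

# Interactive search (slide 7): window chosen for this example
$end   = Get-Date
$start = $end.AddDays(-30)
$hits  = Search-AdminAuditLog -StartDate $start -EndDate $end `
    -Cmdlets Add-MailboxPermission, Add-RecipientPermission, Set-Mailbox, New-InboxRule, Set-InboxRule `
    -ResultSize 5000

# Set-Mailbox is noisy; keep only calls that changed forwarding. Every
# permission grant and inbox-rule change is kept as-is.
$forwardingParams = '^(ForwardingSmtpAddress|ForwardingAddress|DeliverToMailboxAndForward)$'
$interesting = $hits | Where-Object {
    $_.CmdletName -ne 'Set-Mailbox' -or
    ($_.CmdletParameters.Name -match $forwardingParams)
}

# One row per privileged operation: when, who ran it, on what, with which parameters
$interesting |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded,
        @{ n = 'Parameters'
           e = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } } |
    Sort-Object RunDate -Descending |
    Format-Table -AutoSize

# Mailed report instead of an interactive result set (slide 7, "wait for email").
# The recipient address is a placeholder.
New-AdminAuditLogSearch -Name 'Privileged ops, last 30 days' `
    -StartDate $start -EndDate $end `
    -Cmdlets Add-MailboxPermission, Add-RecipientPermission, Set-Mailbox, New-InboxRule, Set-InboxRule `
    -StatusMailRecipients 'secops@example.com'
```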
Non-Owner Mailbox Auditing
• When does Bob access Alice's mailbox to
  • View her email
  • Send email as her
  • Delete email
• Track that with mailbox auditing
  • Must enable via PowerShell for each mailbox
  • Set-Mailbox -Identity "John Smith" -AuditDelegate SendAs,SendOnBehalf,MessageBind,FolderBind -AuditEnabled $true
Non-Owner Mailbox Auditing
Actions that can be audited per logon type (• = available, n/a = not available for that logon type):

Action              Administrator  Delegate  Owner
Copy                •              n/a       n/a
Create              •              •         •
FolderBind          •              •         •
HardDelete          •              •         •
MessageBind         •              n/a       n/a
Move                •              •         •
MoveToDeletedItems  •              •         •
SendAs              •              •         n/a
SendOnBehalf        •              •         n/a
SoftDelete          •              •         •
Update              •              •         •
Non-Owner Mailbox Auditing
• Don't enable -AuditOwner
• Don't distinguish between -AuditDelegate and -AuditAdmin
  • Always enable both
  • Most things an admin does are logged as delegate
• Bogus events being triggered by some automated process?
  • Set-MailboxAuditBypassAssociation
Non-Owner Mailbox Auditing
• How to get mailbox audit logs out?
  • This is complicated
Non-Owner Mailbox Auditing
• How to get mailbox audit logs out?
• Does not meet requirements
  • Search-MailboxAuditLog
    • The old way
  • New-MailboxAuditLogSearch
    • No longer works on Exchange 2016 or Exchange Online because of severe limitations
• Examples
Non-Owner Mailbox Auditing
• Portal
  • Only useful for casual, targeted querying of recent activity
  • Can't search users
• What does work?
  • O365 Management Activity API
    • Requires significant application programming
  • Check out Quest Change Auditor, coming up
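An added example (not from the slides) that applies the advice of the mailbox-auditing slides above: enable -AuditAdmin and -AuditDelegate together on every user mailbox instead of one -Identity at a time, leave -AuditOwner alone, exempt a noisy service account with Set-MailboxAuditBypassAssociation, and then run the targeted Search-MailboxAuditLog query that does still work for a single mailbox. It assumes an imported Exchange Online session; 'svc-archiver', 'alice' and the 14-day window are placeholders.

```powershell
# Added example: organization-wide non-owner mailbox auditing plus a targeted search.
# Assumes an imported Exchange Online remote PowerShell session (slide 4).

# Actions valid for both Admin and Delegate per the table on slide 9
$nonOwnerActions = @('Update', 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete',
                     'FolderBind', 'SendAs', 'SendOnBehalf', 'Create')
# Copy and MessageBind exist only for the Admin logon type
$adminActions    = $nonOwnerActions + @('Copy', 'MessageBind')

# Slide 10: always enable both Admin and Delegate; -AuditOwner is deliberately untouched.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true `
                -AuditAdmin $adminActions `
                -AuditDelegate $nonOwnerActions

# Verify: any user mailbox still unaudited is a gap in coverage
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress

# Slide 10: an automated process flooding the log? Exempt only that account
# (placeholder name) and keep a list of every bypass so exemptions stay reviewable.
Set-MailboxAuditBypassAssociation -Identity 'svc-archiver' -AuditBypassEnabled $true
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Identity, AuditBypassEnabled

# Slide 12: Search-MailboxAuditLog is limited, but it answers a targeted question:
# who other than the owner touched this mailbox (placeholder identity) recently?
# -ShowDetails returns one row per audited event instead of a per-mailbox summary.
$end   = Get-Date
$start = $end.AddDays(-14)     # window chosen for this example
Search-MailboxAuditLog -Identity 'alice' -LogonTypes Admin, Delegate -ShowDetails `
                       -StartDate $start -EndDate $end -ResultSize 1000 |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation,
                  FolderPathName, ItemSubject, ClientInfoString, ClientIPAddress |
    Sort-Object LastAccessed -Descending |
    Format-Table -AutoSize
```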
Bottom line
• Office 365 captures the audit data
• If you have a specific case you want to research, you can probably find the activity using the online portal
• If you want enterprise logging for compliance and security
  • Long-term archival
  • Powerful, comprehensive search
  • Alerting
  • Correlation with other activity feeds
• You need more than base functionality
  • Check out Quest Change Auditor
Change Auditor – Office 365 Exchange
Bryan Patton, CISSP
Change Auditor
• Active Directory / LDS
• Azure Active Directory
• Active Directory Queries
• Logon, Logoff, User Sessions
• Exchange
• O365 Exchange Online
• SQL Server
• SharePoint
• Skype for Business
• Windows File Servers
• EMC Celerra, Isilon
• NetApp
• Dell Fluid File System
• Quest GPOADmin
• Quest Active Roles
• Quest Authentication Services
• Quest Defender
• Object protection
• Change Auditor provides complete, real-time change auditing, in-depth forensics and comprehensive reporting on all key configuration, user and administrator changes
Change Auditor answers:
• Who made the change?
• Where was the change made from?
• What object was changed?
• When was the change made?
• Why was the change made (comment)?
• Workstation: where the change originated from
• Real-time smart alerts to any device
Demonstration
Questions?
www.quest.com/change-auditor