Focusing on auditing mailbox activity such as administration operations and non-owner mailbox access, Randy took customers through the native capabilities available through PowerShell and the Office 365 portal. Bryan Patton then shows how Change Auditor for Exchange makes it easy for customers to audit mailbox activity, whether on-premises Exchange or Exchange Online, and how a third-party solution fills the gaps in the native capabilities. Watch the webcast here: http://bit.ly/2hkbKPb.
3. Preview of key points
Types of activity to audit in Exchange Online
Message tracking
Privileged access (admin)
Non-owner Mailbox access
Using PowerShell to manage auditing in ExchangeOnline
5. Message tracking
Message flow
Who is emailing whom?
Get-MessageTrace
https://blogs.technet.microsoft.com/eopfieldnotes/2014/12/16/message-trace-the-powershell-way/
http://o365info.com/performing-an-extended-message-trace-in-office-365/
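The following is an added example, not part of the webcast deck: it answers the slide's "who is emailing whom?" question from the Exchange Online message trace for the last 48 hours, pages through Get-MessageTrace so busy periods are not silently truncated, and then drills into one message with Get-MessageTraceDetail. It assumes an Exchange Online PowerShell session is already connected; contoso.example is a constructed tenant domain.

```powershell
# Added example (not from the webcast): "who is emailing whom?" from the Exchange Online
# message trace for the last 48 hours. Assumes an Exchange Online PowerShell session is
# already connected; contoso.example is a constructed tenant domain.

$end   = Get-Date
$start = $end.AddHours(-48)

# Get-MessageTrace pages its results; pull every page so high-volume periods are not truncated.
$all  = @()
$page = 1
do {
    $batch = @(Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 -Page $page)
    $all  += $batch
    $page++
} while ($batch.Count -eq 5000)

# Busiest sender -> recipient pairs (who is emailing whom)
$all |
    Group-Object SenderAddress, RecipientAddress |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Sender';    e = { $_.Group[0].SenderAddress } },
        @{ n = 'Recipient'; e = { $_.Group[0].RecipientAddress } } -First 20

# Mail leaving the tenant: internal senders to external recipients, ranked by destination
$internal = 'contoso.example'
$all |
    Where-Object { $_.SenderAddress -like "*@$internal" -and $_.RecipientAddress -notlike "*@$internal" } |
    Group-Object RecipientAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20

# Hop-by-hop routing detail for a single message (delivery, filtering, transport rule hits)
$m = $all | Select-Object -First 1
if ($m) {
    Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId -RecipientAddress $m.RecipientAddress |
        Select-Object Date, Event, Action, Detail
}
```

Get-MessageTrace only covers a short recent window; for older mail the extended trace described in the second link above is the route.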
6. Admin operations
Exporting mailboxes
Granting permissions
Setting up forwarding rules
Everything an admin does in Exchange is ultimately a PowerShell command
Exchange audits admin activity at the PowerShell level
Enable for the entire organization with:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * -AdminAuditLogParameters * -AdminAuditLogExcludedCmdlets *Mailbox*, *TransportRule*
7. Admin operations
Log via PowerShell
Interactive: Search-AdminAuditLog (not detailed)
Wait for email: New-AdminAuditLogSearch (limited in result size)
Log via Portal
Limited to pre-conceived search scenarios
Limited in result size
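The two admin-operations slides above are one procedure (enable the admin audit log, then get the events out), so here is one added example covering both; it is not from the webcast. It enables organization-wide admin audit logging, then looks for the operations the slide singles out (mailbox exports, permission grants, forwarding) both interactively with Search-AdminAuditLog and asynchronously with New-AdminAuditLogSearch. It assumes a connected Exchange Management Shell or Exchange Online PowerShell session; security@contoso.example is a constructed address.

```powershell
# Added example (not from the webcast): enable admin audit logging, then pull the admin
# operations the slides call out (mailbox exports, permission grants, forwarding rules).
# Assumes a connected Exchange / Exchange Online session; security@contoso.example is constructed.

# 1. Audit every cmdlet and every parameter. Deliberately no -AdminAuditLogExcludedCmdlets here:
#    excluding *Mailbox* would also silence Add-MailboxPermission and New-MailboxExportRequest,
#    which are exactly the operations worth watching. (Get-* cmdlets are never logged anyway.)
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * -AdminAuditLogParameters *
Get-AdminAuditLogConfig | Select-Object AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogExcludedCmdlets

# 2. Interactive search: who ran the risky cmdlets in the last 7 days
$since     = (Get-Date).AddDays(-7)
$watch     = 'Add-MailboxPermission', 'Add-RecipientPermission', 'New-MailboxExportRequest',
             'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox'
$fwdParams = 'ForwardingSmtpAddress', 'ForwardingAddress', 'DeliverToMailboxAndForward'

$events = Search-AdminAuditLog -Cmdlets $watch -StartDate $since -EndDate (Get-Date) -ResultSize 5000 |
    Where-Object {
        # Set-Mailbox is noisy; keep it only when a forwarding parameter was touched
        $_.CmdletName -ne 'Set-Mailbox' -or
        ($_.CmdletParameters | Where-Object { $fwdParams -contains $_.Name })
    }

$events |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded,
        @{ n = 'Parameters'; e = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } } |
    Sort-Object RunDate -Descending |
    Format-Table -AutoSize

# 3. Asynchronous search for a longer window: results arrive by email as an XML attachment.
#    This is the slide's "wait for email" path and carries its own result-size cap.
New-AdminAuditLogSearch -Name 'Mailbox permission and forwarding changes, last 90 days' `
    -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -Cmdlets $watch -StatusMailRecipients security@contoso.example
```

The Where-Object filter is what keeps the interactive query useful: without it, every Set-Mailbox call (retention, quotas, display names) lands in the output and the forwarding changes are buried.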
8. Non-Owner Mailbox Auditing
When does Bob access Alice’s mailbox to:
View her email
Send email as her
Delete email
Track that with mailbox auditing
Must enable via PowerShell for each mailbox:
Set-Mailbox -Identity "John Smith" -AuditDelegate SendAs,SendOnBehalf,MessageBind,FolderBind -AuditEnabled $true
10. Non-Owner Mailbox Auditing
Don’t enable -AuditOwner
Don’t distinguish between -AuditDelegate and -AuditAdmin
Always enable both
Most things an admin does are logged as delegate
Bogus events being triggered by some automated process?
Set-MailboxAuditBypassAssociation
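The two non-owner auditing slides above give the per-mailbox command and the rules (both delegate and admin, not owner, bypass for automated accounts). This added example, not from the webcast, applies those rules to every user and shared mailbox at once, registers a bypass for a noisy service account, and then checks for mailboxes that are still unaudited. It assumes a connected Exchange or Exchange Online session; svc-journal is a constructed identity, and the action list is restricted to values valid for both -AuditDelegate and -AuditAdmin.

```powershell
# Added example (not from the webcast): enable non-owner mailbox auditing for every user and
# shared mailbox, auditing delegate and admin actions but not owner actions, then exempt a
# service account that would otherwise flood the log. Assumes a connected Exchange / Exchange
# Online session; svc-journal is a constructed identity.

# Actions valid for both -AuditDelegate and -AuditAdmin
$nonOwnerActions = 'Update', 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete',
                   'FolderBind', 'SendAs', 'SendOnBehalf', 'Create'

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    Set-Mailbox -AuditEnabled $true `
                -AuditDelegate $nonOwnerActions `
                -AuditAdmin $nonOwnerActions `
                -AuditOwner None `
                -AuditLogAgeLimit 180.00:00:00

# Bypass: actions taken by this account in any mailbox are not logged, so keep the list short
# and review it; Get-MailboxAuditBypassAssociation with no Identity enumerates every association.
Set-MailboxAuditBypassAssociation -Identity 'svc-journal' -AuditBypassEnabled $true
Get-MailboxAuditBypassAssociation |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Identity, AuditBypassEnabled

# Verify: any mailbox still unaudited, or audited without an admin action set, shows up here
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    Where-Object { -not $_.AuditEnabled -or $_.AuditAdmin.Count -eq 0 } |
    Select-Object DisplayName, AuditEnabled, AuditDelegate, AuditAdmin
```

Running the verification step periodically matters because mailboxes created after the bulk Set-Mailbox run come up with whatever the default is, not with these settings.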
12. Non-Owner Mailbox Auditing
How to get mailbox audit logs out?
Does not meet requirements
Search-MailboxAuditLog
The old way
New-MailboxAuditLogSearch
No longer works on Exchange 2016 or Exchange Online because of severe limitations
Examples
13. Non-Owner Mailbox Auditing
Portal
Only useful for casual, targeted querying of recent activity
Can’t search users
What does work?
O365 Management Activity API
Requires significant application programming
Check out Quest Change Auditor coming up
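Slides 12 and 13 cover getting the mailbox audit log out; this added example, not from the webcast, shows what the interactive Search-MailboxAuditLog path looks like in practice for a handful of sensitive mailboxes: it pulls delegate and admin access with full details, reports any high-risk operation plus any actor who is not an approved delegate, and exports the rest for review. It assumes a connected Exchange or Exchange Online session; the mailbox names, approved-delegate table and file path are constructed.

```powershell
# Added example (not from the webcast): delegate and admin access to a short list of sensitive
# mailboxes over the last 14 days, with approved delegates filtered out. Assumes a connected
# Exchange / Exchange Online session; mailbox names and the approved table are constructed.

$targets  = 'alice', 'cfo-shared'
$since    = (Get-Date).AddDays(-14)
$approved = @{ 'alice' = @('Bob Jones'); 'cfo-shared' = @('Executive Assistant') }
$highRisk = 'SendAs', 'SendOnBehalf', 'HardDelete', 'SoftDelete', 'MoveToDeletedItems'

# -ShowDetails only works with -Identity (one mailbox per call), so loop instead of using -Mailboxes
$records = foreach ($mbx in $targets) {
    Search-MailboxAuditLog -Identity $mbx -LogonTypes Delegate, Admin `
        -StartDate $since -EndDate (Get-Date) -ShowDetails -ResultSize 50000
}

$findings = $records | Where-Object {
    $owner = ($_.MailboxOwnerUPN -split '@')[0]
    # high-risk operations are always reported; anything else only when the actor is not approved
    ($highRisk -contains $_.Operation) -or -not ($approved[$owner] -contains $_.LogonUserDisplayName)
} | Select-Object LastAccessed, MailboxOwnerUPN, LogonType, LogonUserDisplayName, Operation,
        OperationResult, ItemSubject, FolderPathName, ClientIPAddress, ClientInfoString

$findings | Sort-Object LastAccessed -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path .\non-owner-access.csv -NoTypeInformation

# Rollup: which non-owners touched which mailbox, and how often
$records |
    Group-Object MailboxOwnerUPN, LogonType, LogonUserDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

This is exactly the "casual, targeted querying of recent activity" the slide describes: it scales to a named list of mailboxes and a bounded window, not to an organization-wide search, which is where the Management Activity API or a third-party product comes in.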
16. Confidential
Change Auditor
• Active Directory / LDS
• Azure Active Directory
• Active Directory Queries
• Logon, Logoff, User Sessions
• Exchange
• O365 Exchange Online
• SQL Server
• SharePoint
• Skype for Business
• Windows File Servers
• EMC Celerra, Isilon
• NetApp
• Dell Fluid File System
• Quest GPOADmin
• Quest Active Roles
• Quest Authentication Services
• Quest Defender
Object protection
17. Change Auditor
• Change Auditor provides complete, real-time change auditing, in-depth forensics and comprehensive reporting on all key configuration, user and administrator changes
• Who made the change?
• Where was the change made from?
• What object was changed?
• When was the change made?
• Why was the change made (comment)?
• Workstation where the change originated from
• Real-time smart alerts to any device