Audit Mailbox Permission Changes in Microsoft 365

Native Solution

Microsoft 365 Permission Required

High

Global Admin, Role Groups: Audit Manager or Audit Reader.

Option 1 Using Microsoft 365 Purview Portal

Login to Microsoft 365 Purview portal.
Fill the below operations under the Activities - operation names.
Add-MailboxPermission, Get-MailboxPermission, Remove-MailboxPermission,Set-Mailbox, Add-RecipientPermission, Remove-RecipientPermission, Get-RecipientPermission
You will get the results for the above operations after clicking Search. Export the activities to audit the mailbox permission changes in your organization.

Option 2 Using Windows PowerShell

You can use the steps below to check the mailbox permission changes in Microsoft 365 using PowerShell.
Connect to Exchange Online module using the below cmdlet.
Windows PowerShell
```
 Connect-Exchangeonline
```
Now, run the below command to get the mailbox permission changes activities in your organization.

Windows PowerShell

 Search-UnifiedAuditLog -StartDate YYYY-MM-DDTHH:MM:SS -EndDate YYYY-MM-DDTHH:MM:SS -RecordType "ExchangeAdmin" -Operations "Add-MailboxPermission", "Get -MailboxPermission", "Remove -MailboxPermission", "Set -Mailbox", "Add -RecipientPermission", "Remove -RecipientPermission", "Get -RecipientPermission" | Format-Table

Option 3 Using PowerShell Script

It is not efficient to use complex and lengthy PowerShell cmdlets to find all the mailbox permission changes activities in Exchange Online.
Therefore, we have prepared a PowerShell script to export mailbox permissions changes report to CSV.
Download and run the following script in the Administrator PowerShell.

AuditMailboxPermissionChanges.ps1

AdminDroid Solution

More than 150 reports are under the free edition.

AdminDroid Permission Required

Any user with report access assigned by Super Admin.

StepsUsing AdminDroid

Login to the AdminDroid Office 365 portal.
Navigate to the Mailbox Permission Changes section under Audit»Exchange.

Get the list of mailbox permission changes with properties like event time, authorized by, authorized via, operation, client IP, etc.

Use the built-in charts to find a user who modified the mailbox permissions and enable efficient mailbox activity monitoring.

Explore a full range of reporting options

Monitor mailbox permission changes to improve security

Never miss any unnecessary change in mailbox delegation! Monitor and manage Microsoft 365 mailbox permission changes effectively using AdminDroid.

Witness the report in action using the

Live Demo

Important Tips

Secure your Exchange Online mailboxes from fraudulent activities by blocking Microsoft 365 email auto-forwarding to external domains.

Disable access to Exchange Online Powershell to ensure that only authorized users can access your Exchange Online environment.

To reduce the risk of unauthorized email sending activity, implement Exchange Online mailbox moderation and enhance security for moderated recipients.

Exchange OnlineDetect Mailbox Permission Changes in Microsoft 365

Showing 1 of 6

How to check if mailbox auditing is enabled in Microsoft 365? What are the risks of mailbox permission changes in your Exchange Online? How to audit the mailbox permission changes in Microsoft 365? What are the different mailbox access rights in Microsoft 365? How to check permissions on a shared mailbox? How do I change mailbox permissions in Exchange Online?

How to check if mailbox auditing is enabled in Microsoft 365?

Microsoft 365 Purview has a tenant-wide audit logging configuration that automatically activates mailbox auditing for all Microsoft 365 mailboxes, group mailboxes, and shared mailboxes. This ensures that actions by admins, delegates, and owners are automatically audited for better security.

To check the status of the mailbox auditing, run the below cmdlet in Exchange Online PowerShell.

Get-OrganizationConfig | Select AuditDisabled

If it is true, then it means mailbox auditing is disabled for your organization. To enable mailbox auditing, you can use the below cmdlet.

Set-OrganizationConfig -AuditDisabled $False

Thus, mailbox auditing provides visibility into email activities that help to detect and respond to security incidents in your organization.

Utilize AdminDroid's mailbox audit configurations reports that provides detailed insights on Exchange Online mailbox audit details.

This empowers admins to easily identify and promptly enable mailbox auditing for individual mailboxes, to ensure thorough monitoring and compliance based on the organizational requirements.

What are the risks of mailbox permission changes in your Exchange Online?

Changing mailbox permissions in Exchange Online can lead to various risks, such as,

Data Breaches: Inappropriate mailbox permissions could lead to unauthorized access to sensitive email content, potentially resulting in data breaches or leaks.
Misuse of Privileges: Granting excessive permissions to users or groups may enable individuals to misuse their privileges, such as accessing sensitive information or performing unauthorized actions within mailboxes.
Internal Threats: Malicious insiders may exploit mailbox permission changes to access confidential information, perform sabotage, or engage in other malicious activities that could harm your organization.
Phishing attacks: Unauthorized mailbox permissions could let attackers access sensitive emails, helping them create convincing phishing emails compromising email security.

To mitigate these risks, organizations should establish concise guidelines for managing mailbox permissions, conduct regular compliance checks, and provide effective training to employees.

With AdminDroid's All Mailbox Operations report, you can track the activities, such as mailbox permissions, modifications, deletions, and rule changes within your Exchange Online environment.

How to audit the mailbox permission changes in Microsoft 365?

You can use the below cmdlet to check and find any unauthorized mailbox permission changes in Exchange Online.

Use the Search-UnifiedAuditLog cmdlet to get the mailbox permission changes activities.

Search-UnifiedAuditLog -StartDate YYYY-MM-DDTHH:MM:SS -EndDate YYYY-MM-DDTHH:MM:SS -RecordType "ExchangeAdmin"

Admins can easily track changes in Exchange mailbox permissions using PowerShell. However, filtering out changes related to Send On Behalf permissions is difficult since it occurs in different property.

Thus, with the help of the provided AuditMailboxPermissionChanges PowerShell script, you can generate multiple reports to manage mailbox permission changes in your Microsoft 365 organization.

Also, this script supports built-in filters. So, you can combine multiple filters to get more granular reports.

Below are a few major use cases

Track mailbox permission changes.
Audit mailbox permission for a custom period.
Detect who granted full access permission.
Check SendAs permission changes in mailboxes.
Find Send On Behalf permission changes.
Get monthly report on mailbox permission modifications
Schedule mailbox permission audit report.
Track mailbox delegation to external users.

Each of these use cases provides different insights into mailbox permission changes, making it easier to manage mailboxes in your organization.

What are the different mailbox access rights in Microsoft 365?

Various levels of access permissions can be assigned to users in Exchange Online to facilitate collaboration and ensure efficient management of mailbox activities.

Full Access: This permission allows users to fully manage the mailbox like the mailbox owner. This includes reading, sending, and deleting emails, as well as managing calendar events and other mailbox-related tasks.
Send As: This permission allows users to send emails from a mailbox, making it appear as if the emails are being sent by the mailbox owner in your Exchange Online.
Send on Behalf: This permission allows users to send email from a mailbox, on behalf of the mailbox owner. The recipient will view both the sender's and the mailbox owner's name in the From field of the email message.

These distinct levels of delegation allow organizations to customize who can access mailboxes based on their needs.

AdminDroid provides dedicated reports to find User’s Send As Activities and User’s Send On Behalf Activities, which helps in the monitoring of the delegated user’s mailbox activities.

To enhance security and ensure safe information sharing, you can use AdminDroid alert policies customized to your organization's needs. Creating alerts helps to detect potential threats or unauthorized access in real-time.

How to check permissions on a shared mailbox?

Shared mailboxes are commonly used in organizations to allow multiple users to access and manage emails sent from a specific address. Understanding who has access to a shared mailbox and what level of permissions they possess is crucial for preventing data breaches and loss of accountability. Follow the below steps to find the permissions of Exchange Online shared mailbox.

Go to the Microsoft 365 admin center.
Navigate to Teams and groups in the left navigation pane.
Choose Shared mailboxes to access the list of shared mailbox accounts in Microsoft 365.
Select the specific shared mailbox you want to manage.
Within the mailbox settings, locate Manage mailbox permissions, to find the delegation of a shared mailbox in Exchange Online.

Take a look at AdminDroid guide on how to export Microsoft 365 shared mailbox permissions report to obtain comprehensive details on shared mailbox delegation and its properties efficiently.

Here is a quick overview,

Using Microsoft 365 Admin CenterIt explains how we can use Microsoft admin center to view and manage all the shared mailbox permissions.
Exchange Online PowerShell CommandsIt provides a Powershell script to generate & export shared mailbox permissions and access rights in Exchange Online.
AdminDroid Exchange Online ReporterIt lets you dive deep into the monitoring of shared mailbox permissions and all other mailbox delegation reports, & offers automated reporting features for easier Exchange Online management.

How do I change mailbox permissions in Exchange Online?

Microsoft 365 admins often need to adjust mailbox permissions to accommodate changes in roles, responsibilities, or workforce arrangements. Understanding how to change mailbox permissions helps admins to grant or revoke access, delegate management tasks, and enforce security policies effectively. Follow the below steps to change mailbox permissions via Exchange Online.

Navigate to the Exchange admin center and go to Recipients»Mailboxes.
Select the mailbox for which you want to change permissions.
Choose the appropriate permissions (Full Access, Send As, Send on Behalf).
Select the user or group to which you want to grant permissions.
Click Save to apply the changes.

Managing delegate permissions across multiple Exchange Online mailboxes is crucial to prevent security breaches, compliance violations, and data leakage.

AdminDroid simplifies mailbox management process by offering a comprehensive guide to check Exchange Online mailbox permission reports, so that you can find every mailbox’s permissions in Exchange Online within Microsoft 365.

AdminDroid Exchange Online ReporterEnhance your Microsoft 365 security with our mailbox permission changes reports!

AdminDroid Exchange Online auditing reports provide thorough insights into mailbox permission changes, enabling admins to monitor and manage access rights effectively. With AdminDroid, you can easily track mailbox permissions, detect unauthorized access, and ensure compliance with security policies.

Discover the effective approach to handle Exchange mailbox permissions using AdminDroid!

Mailbox Permission Changes report under Audit»Exchange»Mailbox Permission Changes tracks mailbox delegation changes granted to users or groups for accessing specific mailboxes, enabling admins to promptly detect and rectify any unauthorized attempts to access mailboxes.

A Quick Summary

Overview of Mailbox Access Activities

Gain visibility into mailbox access activities, and stay updated on every aspect of mailbox interactions to prevent email vulnerabilities within the organization.

Never Miss the Mailbox Usage Activities

Utilize AdminDroid’s mailbox usage reports, and manage the mailbox storage efficiently before running out of space.

Be Updated on Forwarding Activities

Empower admins with email forwarding reports to check the status of mail forwarding and ensure secure mail flow in your organization.

Single Dashboard for Complete Mailbox Audit

Retrieve a mailbox analytics dashboard to gain insights into mailboxes and their permissions accumulated in a single place.

Avoid Threats with Proactive Mail Protection

Uphold email security by getting detailed insights on spam, malware, and phishing emails, including threat protection details using mail protection reports.

Stay Informed About Non-Owner Mailbox Access

Learn the various methods for generating comprehensive non-owner mailbox access report to track delegation activities and prevent email data leakage.

Overall, AdminDroid’s Exchange Online management tool provides valuable assistance in managing mailbox delegate permissions assigned to users, admins, and guests, and streamline the process of mailbox permission management.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Download

Common Errors and Resolution Steps while checking mailbox permission changes in Microsoft 365.

The following are possible errors and troubleshooting hints while auditing mailbox permission changes.

Error: ./AuditMailboxPermissionChanges.ps1 cannot be loaded because running scripts is disabled on this system.

The script encounters this error due to the current execution policy being set to restricted by default, that prevents script execution.

Troubleshooting hint :To resolve this error, you can set the execution policy as RemoteSigned and run the script.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

Error: Mailbox Audit Logging is not enabled.

This occurs when auditing has not been enabled for the specific mailbox.

Troubleshooting hint :Use the following cmdlet to activate auditing for the mailbox you encountered issues with.

Set-Mailbox <Display Name> -AuditEnabled $true

Error: Get-OrganizationConfig : The term 'Get-OrganizationConfig' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This issue occurs when you try to run the Exchange Online PowerShell cmdlets with insufficient permissions.

Troubleshooting hint :Please ensure that you possess one of the necessary administrative permissions listed below.

Global Administrator, Security Admin, Security Reader, Global Reader, or Reports Reader

Error: Write-ErrorMessage : |System.ArgumentException|Audit log search argument startDate (03/01/2024 00:00:00) is later than endDate (02/01/2024 00:00:00).

This issue occurs when the end date is earlier than the start date.

Troubleshooting hint :Ensure that the date format is correct and the end date should be ahead of the start date.

Error: The term 'Search-UnifiedAuditLog' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This error occurs when you try to run the code without connecting to Exchange online.

Troubleshooting hint :First connect to Exchange Online before running the 'Search-UnifiedAuditLog' command.

Connect-ExchangeOnline

Delivering Reports on Time

Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid’s Scheduling to your email anytime you need.

Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add intelligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.

Set It, Schedule It, See Results - Your Reports, Your Way, On Your Time!

Time Saving Automation Customization Intelligent Filtering

Give Just the Right Access to the Right People

Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.

Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.

Give Just the Right Access to the Right People

Align, Define, Simplify: AdminDroid's Granular Delegation

Smart Organizational Control Effortless M365 Management Simplified Access

Advanced Alerts at a Glance

Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.

Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.

AdminDroid Keeps You Always Vigilant, Never Vulnerable!

Proactive Protection Real-time Monitoring Security Intelligence Threat Detection

Merge the Required Data to One Place

Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.

This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.

Merge with Ease and Save as Views!

Custom Reporting Unique View Desired Columns Easy Data Interpretation

Insightful Charts and Exclusive Dashboards

Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.

With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.

Insightful Charts and Exclusive Dashboards

Explore Your Microsoft 365 Tenant in a Whole New Way!

Executive overviews Interactive insights Decision-making Data Visualization

Efficient Report Exporting for Microsoft 365

Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.

Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.

Efficient Report Exporting for Microsoft 365

Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!

Easy Export Seamless Downloading Data Control Manage Microsoft 365

How to Audit Mailbox Permission Changes in Exchange Online