This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.

How to Audit Mailbox Permission Changes in Exchange Online

Unauthorized mailbox access in Exchange Online allows individuals to read and access organization’s mailboxes, resulting in sensitive data leakage. Also, managing all those mailboxes has always been a challenging task for admins. This guide explores effective methods to detect mailbox permission changes to prevent security breaches in Microsoft 365.

Native Solution

Microsoft 365 Permission Required


Global Admin, Role Groups: Audit Manager or Audit Reader.

Option 1 Using Microsoft 365 Purview Portal

  • Login to Microsoft 365 Purview portal.
  • Fill the below operations under the Activities - operation names.

    Add-MailboxPermission, Get-MailboxPermission, Remove-MailboxPermission,Set-Mailbox, Add-RecipientPermission, Remove-RecipientPermission, Get-RecipientPermission

  • You will get the results for the above operations after clicking Search. Export the activities to audit the mailbox permission changes in your organization.
Using Microsoft 365 Purview Portal

Option 2 Using Windows PowerShell

  • You can use the steps below to check the mailbox permission changes in Microsoft 365 using PowerShell.
  • Connect to Exchange Online module using the below cmdlet.
  • Windows PowerShell Windows PowerShell
  • Now, run the below command to get the mailbox permission changes activities in your organization.
  • Windows PowerShell Windows PowerShell
     Search-UnifiedAuditLog -StartDate YYYY-MM-DDTHH:MM:SS -EndDate YYYY-MM-DDTHH:MM:SS -RecordType "ExchangeAdmin" -Operations "Add-MailboxPermission", "Get -MailboxPermission", "Remove -MailboxPermission", "Set -Mailbox", "Add -RecipientPermission", "Remove -RecipientPermission", "Get -RecipientPermission" | Format-Table
Using Windows PowerShell

Option 3 Using PowerShell Script

  • It is not efficient to use complex and lengthy PowerShell cmdlets to find all the mailbox permission changes activities in Exchange Online.
  • Therefore, we have prepared a PowerShell script to export mailbox permissions changes report to CSV.
  • Download and run the following script in the Administrator PowerShell.
Using PowerShell Script
AdminDroid Solution
More than 150 reports are under free edition.

AdminDroid Permission Required

Any user with report access assigned by Super Admin.

StepsUsing AdminDroid

  • Login to the AdminDroid Office 365 portal.
  • Navigate to the Mailbox Permission Changes section under Audit»Exchange.
Using AdminDroid

Get the list of mailbox permission changes with properties like event time, authorized by, authorized via, operation, client IP, etc.

  • Use the built-in charts to find a user who modified the mailbox permissions and enable efficient mailbox activity monitoring.

Monitor mailbox permission changes to improve security

Never miss any unnecessary change in mailbox delegation! Monitor and manage Microsoft 365 mailbox permission changes effectively using AdminDroid.

Witness the report in action using the

Exchange OnlineDetect Mailbox Permission Changes in Microsoft 365

Showing 1 of 6

How to check if mailbox auditing is enabled in Microsoft 365?

Microsoft 365 Purview has a tenant-wide audit logging configuration that automatically activates mailbox auditing for all Microsoft 365 mailboxes, group mailboxes, and shared mailboxes. This ensures that actions by admins, delegates, and owners are automatically audited for better security.

To check the status of the mailbox auditing, run the below cmdlet in Exchange Online PowerShell.

Get-OrganizationConfig | Select AuditDisabled

If it is true, then it means mailbox auditing is disabled for your organization. To enable mailbox auditing, you can use the below cmdlet.

Set-OrganizationConfig -AuditDisabled $False

Thus, mailbox auditing provides visibility into email activities that help to detect and respond to security incidents in your organization.

Utilize AdminDroid's mailbox audit configurations reports that provides detailed insights on Exchange Online mailbox audit details.

  • This empowers admins to easily identify and promptly enable mailbox auditing for individual mailboxes, to ensure thorough monitoring and compliance based on the organizational requirements.

What are the risks of mailbox permission changes in your Exchange Online?

Changing mailbox permissions in Exchange Online can lead to various risks, such as,

  • Data Breaches: Inappropriate mailbox permissions could lead to unauthorized access to sensitive email content, potentially resulting in data breaches or leaks.
  • Misuse of Privileges: Granting excessive permissions to users or groups may enable individuals to misuse their privileges, such as accessing sensitive information or performing unauthorized actions within mailboxes.
  • Internal Threats: Malicious insiders may exploit mailbox permission changes to access confidential information, perform sabotage, or engage in other malicious activities that could harm your organization.
  • Phishing attacks: Unauthorized mailbox permissions could let attackers access sensitive emails, helping them create convincing phishing emails compromising email security.

To mitigate these risks, organizations should establish concise guidelines for managing mailbox permissions, conduct regular compliance checks, and provide effective training to employees.

  • With AdminDroid's All Mailbox Operations report, you can track the activities, such as mailbox permissions, modifications, deletions, and rule changes within your Exchange Online environment.

How to audit the mailbox permission changes in Microsoft 365?

You can use the below cmdlet to check and find any unauthorized mailbox permission changes in Exchange Online.

Use the Search-UnifiedAuditLog cmdlet to get the mailbox permission changes activities.

Search-UnifiedAuditLog -StartDate YYYY-MM-DDTHH:MM:SS -EndDate YYYY-MM-DDTHH:MM:SS -RecordType "ExchangeAdmin"

Admins can easily track changes in Exchange mailbox permissions using PowerShell. However, filtering out changes related to Send On Behalf permissions is difficult since it occurs in different property.

Thus, with the help of the provided AuditMailboxPermissionChanges PowerShell script, you can generate multiple reports to manage mailbox permission changes in your Microsoft 365 organization.

Also, this script supports built-in filters. So, you can combine multiple filters to get more granular reports.

Below are a few major use cases

  • Track mailbox permission changes.
  • Audit mailbox permission for a custom period.
  • Detect who granted full access permission.
  • Check SendAs permission changes in mailboxes.
  • Find Send On Behalf permission changes.
  • Get monthly report on mailbox permission modifications
  • Schedule mailbox permission audit report.
  • Track mailbox delegation to external users.

Each of these use cases provides different insights into mailbox permission changes, making it easier to manage mailboxes in your organization.

What are the different mailbox access rights in Microsoft 365?

Various levels of access permissions can be assigned to users in Exchange Online to facilitate collaboration and ensure efficient management of mailbox activities.

  • Full Access: This permission allows users to fully manage the mailbox like the mailbox owner. This includes reading, sending, and deleting emails, as well as managing calendar events and other mailbox-related tasks.
  • Send As: This permission allows users to send emails from a mailbox, making it appear as if the emails are being sent by the mailbox owner in your Exchange Online.
  • Send on Behalf: This permission allows users to send email from a mailbox, on behalf of the mailbox owner. The recipient will view both the sender's and the mailbox owner's name in the From field of the email message.

These distinct levels of delegation allow organizations to customize who can access mailboxes based on their needs.

AdminDroid provides dedicated reports to find User’s Send As Activities and User’s Send On Behalf Activities, which helps in the monitoring of the delegated user’s mailbox activities.

  • To enhance security and ensure safe information sharing, you can use AdminDroid alert policies customized to your organization's needs. Creating alerts helps to detect potential threats or unauthorized access in real-time.
send as

How to check permissions on a shared mailbox?

Shared mailboxes are commonly used in organizations to allow multiple users to access and manage emails sent from a specific address. Understanding who has access to a shared mailbox and what level of permissions they possess is crucial for preventing data breaches and loss of accountability. Follow the below steps to find the permissions of Exchange Online shared mailbox.

  • Go to the Microsoft 365 admin center.
  • Navigate to Teams and groups in the left navigation pane.
  • Choose Shared mailboxes to access the list of shared mailbox accounts in Microsoft 365.
  • Select the specific shared mailbox you want to manage.
  • Within the mailbox settings, locate Manage mailbox permissions, to find the delegation of a shared mailbox in Exchange Online.

Take a look at AdminDroid guide on how to export Microsoft 365 shared mailbox permissions report to obtain comprehensive details on shared mailbox delegation and its properties efficiently.

Here is a quick overview,

  • Using Microsoft 365 Admin CenterIt explains how we can use Microsoft admin center to view and manage all the shared mailbox permissions.
  • Exchange Online PowerShell CommandsIt provides a Powershell script to generate & export shared mailbox permissions and access rights in Exchange Online.
  • AdminDroid Exchange Online ReporterIt lets you dive deep into the monitoring of shared mailbox permissions and all other mailbox delegation reports, & offers automated reporting features for easier Exchange Online management.

How do I change mailbox permissions in Exchange Online?

Microsoft 365 admins often need to adjust mailbox permissions to accommodate changes in roles, responsibilities, or workforce arrangements. Understanding how to change mailbox permissions helps admins to grant or revoke access, delegate management tasks, and enforce security policies effectively. Follow the below steps to change mailbox permissions via Exchange Online.

  • Navigate to the Exchange admin center and go to Recipients»Mailboxes.
  • Select the mailbox for which you want to change permissions.
  • Choose the appropriate permissions (Full Access, Send As, Send on Behalf).
  • Select the user or group to which you want to grant permissions.
  • Click Save to apply the changes.

Managing delegate permissions across multiple Exchange Online mailboxes is crucial to prevent security breaches, compliance violations, and data leakage.

AdminDroid simplifies mailbox management process by offering a comprehensive guide to check Exchange Online mailbox permission reports, so that you can find every mailbox’s permissions in Exchange Online within Microsoft 365.

AdminDroid Exchange Online ReporterEnhance your Microsoft 365 security with our mailbox permission changes reports!

AdminDroid Exchange Online auditing reports provide thorough insights into mailbox permission changes, enabling admins to monitor and manage access rights effectively. With AdminDroid, you can easily track mailbox permissions, detect unauthorized access, and ensure compliance with security policies.

Discover the effective approach to handle Exchange mailbox permissions using AdminDroid!

Mailbox Permission Changes report under Audit»Exchange»Mailbox Permission Changes tracks mailbox delegation changes granted to users or groups for accessing specific mailboxes, enabling admins to promptly detect and rectify any unauthorized attempts to access mailboxes.

A Quick Summary

Overview of Mailbox Access Activities

Gain visibility into mailbox access activities, and stay updated on every aspect of mailbox interactions to prevent email vulnerabilities within the organization.

Never Miss the Mailbox Usage Activities

Utilize AdminDroid’s mailbox usage reports, and manage the mailbox storage efficiently before running out of space.

Be Updated on Forwarding Activities

Empower admins with email forwarding reports to check the status of mail forwarding and ensure secure mail flow in your organization.

Single Dashboard for Complete Mailbox Audit

Retrieve a mailbox analytics dashboard to gain insights into mailboxes and their permissions accumulated in a single place.

Avoid Threats with Proactive Mail Protection

Uphold email security by getting detailed insights on spam, malware, and phishing emails, including threat protection details using mail protection reports.

Stay Informed About Non-Owner Mailbox Access

Learn the various methods for generating comprehensive non-owner mailbox access report to track delegation activities and prevent email data leakage.

Overall, AdminDroid’s Exchange Online management tool provides valuable assistance in managing mailbox delegate permissions assigned to users, admins, and guests, and streamline the process of mailbox permission management.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Common Errors and Resolution Steps while checking mailbox permission changes in Microsoft 365.

The following are possible errors and troubleshooting hints while auditing mailbox permission changes.

Error: ./AuditMailboxPermissionChanges.ps1 cannot be loaded because running scripts is disabled on this system.

The script encounters this error due to the current execution policy being set to restricted by default, that prevents script execution.

Troubleshooting hint :To resolve this error, you can set the execution policy as RemoteSigned and run the script.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

Error: Mailbox Audit Logging is not enabled.

This occurs when auditing has not been enabled for the specific mailbox.

Troubleshooting hint :Use the following cmdlet to activate auditing for the mailbox you encountered issues with.

Set-Mailbox <Display Name> -AuditEnabled $true

Error: Get-OrganizationConfig : The term 'Get-OrganizationConfig' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This issue occurs when you try to run the Exchange Online PowerShell cmdlets with insufficient permissions.

Troubleshooting hint :Please ensure that you possess one of the necessary administrative permissions listed below.

Global Administrator, Security Admin, Security Reader, Global Reader, or Reports Reader

Error: Write-ErrorMessage : |System.ArgumentException|Audit log search argument startDate (03/01/2024 00:00:00) is later than endDate (02/01/2024 00:00:00).

This issue occurs when the end date is earlier than the start date.

Troubleshooting hint :Ensure that the date format is correct and the end date should be ahead of the start date.

Error: The term 'Search-UnifiedAuditLog' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This error occurs when you try to run the code without connecting to Exchange online.

Troubleshooting hint :First connect to Exchange Online before running the 'Search-UnifiedAuditLog' command.