Permissions to a mailbox in Exchange Online can be assigned via the Exchange Admin Center or the Exchange Online PowerShell console. Access Rights details the type of permission users or groups have on a mailbox.
Requirement: Exchange Online Data Source
The below search filters can be used to view activity around ‘Access Rights’ events. This should allow you to view activity related to when Access Rights are added, removed or modified on mailbox objects. This can be useful to gain insight into who has been given access to a mailbox, what type of access they’ve been granted and who performed the action.
The important part is to remember to use “Contains”. If you use “Equals”, this will decrease the number of matching events and potentially exclude data.
Search Filters Explained
By specifying the ‘Exchange Online’ data source we are filtering out events from other data sources which are not related to our search.
- Data Source | Equals | Exchange Online
The Access Rights filter allows us to view events related to ‘Full Access’, ‘Send as’ and ‘Send on Behalf’ access rights activity.
- Detail | Contains | Access Rights
Additional information about each permission is included in the Microsoft Learn article below.
Activity that matches the search filters should populate within our search results. This should allow us to build secondary filters and view additional data around the Access Right events. The below guide should assist you in ‘reading’ the matching event fields.
Search Result Event fields
○ What
- Shows the mailbox object on which access rights were modified.
○ Details
- Should show the user or application that was granted access rights. This should look something like the results below, which indicate a user was added with ‘Full Access’ to a mailbox.
Access Rights: - Added: "User or identifier"(FullAccess)
○ Who
- Person or service account under which the change was made.
Related Reports
We do have a handful of ‘Out-Of-The-Box’ reports that can display relevant information regarding this use case. These reports can be found within the ‘Exchange Online’ reports folder.
- Activity Report: Exchange Online Mailbox Permission Changes
- State-In-Time Report: Mailbox Non-Owner Permission Details
- State-In-Time Report: User Permissions on Delegated Mailboxes
Next Steps
We can use the ‘Tools’ menu in the top right-hand corner to access additional options for our search. These options include:
○ Create an Alert
- This can allow you to receive a notification for each potential Access Right event. At first, I would recommend enabling the alert before adding any recipients. This will allow you to track each time the alert is ‘Triggered’ without sending out notifications.
○ Create a Subscription
- Helpful if you would like to receive a summary of matching events. This can be sent via email or uploaded directly to a file share.
○ Export Data
- Allows you to export your search results as a .PDF or .CSV file.
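As an added example (not part of the original article or the product), the Python sketch below triages an exported .CSV offline: it applies the same two filters, shows why ‘Equals’ on the Details text matches nothing, and pulls the grantee and right out of each Access Rights entry. The column names, the ‘Removed’ wording and the sample rows are assumptions constructed for illustration; only the `Added: "..."(FullAccess)` shape comes from the article.

```python
import csv
import io
import re

# Constructed sample export. The column names and the "Removed" wording are
# assumptions; only the 'Added: "..."(FullAccess)' shape is shown in the article.
SAMPLE_CSV = '''Data Source,Who,What,Details
Exchange Online,admin@example.com,finance@example.com,"Access Rights: - Added: ""alice@example.com""(FullAccess)"
Exchange Online,admin@example.com,hr@example.com,"Access Rights: - Removed: ""bob@example.com""(SendAs)"
Exchange Online,svc-sync@example.com,finance@example.com,"Display Name changed"
File Servers,carol@example.com,shared-folder,"Permissions modified"
'''

# Captures action, grantee and right from one Access Rights entry.
CHANGE_RE = re.compile(r'(Added|Removed):\s*"([^"]+)"\s*\((\w+)\)')


def detail_matches(detail, mode):
    """Mimic the Detail filter: 'contains' is a substring match, 'equals' a whole-field match."""
    needle = "access rights"
    text = detail.strip().lower()
    return needle in text if mode == "contains" else text == needle


def access_right_changes(csv_text, mode="contains"):
    """Return one record per access-right change on an Exchange Online mailbox."""
    changes = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Data Source"] != "Exchange Online":
            continue  # same effect as Data Source | Equals | Exchange Online
        if not detail_matches(row["Details"], mode):
            continue
        for action, grantee, right in CHANGE_RE.findall(row["Details"]):
            changes.append({"who": row["Who"], "mailbox": row["What"],
                            "action": action, "grantee": grantee, "right": right})
    return changes


def full_access_grants(changes):
    """Narrow to newly added FullAccess, usually the first thing to review."""
    return [c for c in changes if c["action"] == "Added" and c["right"] == "FullAccess"]


if __name__ == "__main__":
    found = access_right_changes(SAMPLE_CSV)
    for c in found:
        print(f'{c["who"]} {c["action"].lower()} {c["right"]} for {c["grantee"]} on {c["mailbox"]}')
    print("Rows matched with Equals:", len(access_right_changes(SAMPLE_CSV, "equals")))
```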
If you have any questions, please let me know.
-Happy Auditing