23 C
Dubai
Saturday, November 23, 2024

How to run a Non-owner mailbox access report in Exchange server/Office365 for audit purposes.

First select the mailboxes you want to enable auditing.

Note: To run non-owner Mailbox access report . Auditing has to be enabled in advance to capture the behaviour of the user mailboxes.

Get-Mailbox *careexchange.in | Set-Mailbox -AuditEnabled:$true

image

Logging into EAC (Exchange Admin Center) – Compliance Management – Auditing

Click on Run a owner mailbox access report.

image

Choose the mailboxes you want to audit –

image

image

Click on Search. Now you can see if any unauthorised access has been made. it will be showing up .

In my case – Archiving server is using a impersonated account to pull all the email items from the mailboxes.

image

Now to export the same report you need to do few changes in attachment settings as report is generated in the form of XML which is blocked by default.

image

To see the Allowed Files list –

Get-OwaMailboxPolicy | Select-Object -ExpandProperty AllowedFileTypes | export-csv C:\Extensions.txt

To see the Blocked Files list –

Get-OwaMailboxPolicy | Select-Object -ExpandProperty BlockedFileTypes | export-csv C:\BlockedExtensions.txt

If export-csv doesn’t work After Allowedfiletypes use >C:\Extensions.txt

image

Opening the Blockedextensions.txt i could see the .xml

image

Checking Which is the OWA maibox policy assigned on the mailboxes where it needs to receive the report.

Get-CASMailbox Testuser* | Fl *owa*

Now i got the owamailboxpolicy name.

image

Adding the .xml in the allowed file types –

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes @{add='.xml'}

Removing the .xml from the allowed file types –

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -BlockedFileTypes @{remove='.xml'}

Now you can receive the Auditing report as below –

image

These logs are stored in the dumpster of the mailbox itself. so it will be archived after 90 days as a default retention limit.

image

Mailbox Audit Log Search ‘Search20150817{68bc4b0a-a58d-47b9-a289-3bf198fd4024}’ Requested by Satheshwaran Manoharan Completed Successfully Search Criteria: StartDate Utc: 7/31/2015 8:00:00 PM EndDate Utc: 8/17/2015 8:00:00 PM Mailboxes: LogonTypes: Admin, Delegate ShowDetails: True  ExternalAccess: Search request was submitted around 8/17/2015 1:54:44 PM Utc. Don’t reply to this email message. It was sent from an unmonitored account.

Satheshwaran Manoharan
Satheshwaran Manoharanhttps://www.azure365pro.com
Award-winning Technology Leader with a wealth of experience running large teams and diversified industry exposure in cloud computing. From shipping lines to rolling stocks.In-depth expertise in driving cloud adoption strategies and modernizing systems to cloud native. Specialized in Microsoft Cloud, DevOps, and Microsoft 365 Stack and conducted numerous successful projects worldwide. Also, Acting as a Technical Advisor for various start-ups.

Related Articles

1 COMMENT

  1. Hi Sathesh,

    I am performing run a non-owner mailbox access report on Office 365 portal.
    However, no results found yet.
    User had stated, one of the folder is missing from his Outlook and second user has access on first user mailbox.
    Auditing is already enabled for both the mailbox.

    Does it takes any time to replicate in portal as I cannot find any logs.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

× How can I help you?