Information
When configuring a user or computer account to bypass mailbox audit logging, the system will not record any access, or actions performed by the said user or computer account on any mailbox. Administratively this was introduced to reduce the volume of entries in the mailbox audit logs on trusted user or computer accounts.
Ensure AuditBypassEnabled is not enabled on accounts without a written exception.
Rationale:
If a mailbox audit bypass association is added for an account, the account can access any mailbox in the organization to which it has been assigned access permissions, without generating any mailbox audit logging entries for such access or recording any actions taken, such as message deletions.
Enabling this parameter, whether intentionally or unintentionally, could allow insiders or malicious actors to conceal their activity on specific mailboxes. Ensuring proper logging of user actions and mailbox operations in the audit log will enable comprehensive incident response and forensics.
Impact:
None - this is the default behavior.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Disable Audit Bypass on all mailboxes using PowerShell:
Connect to Exchange Online using Connect-ExchangeOnline.
The following example PowerShell script will disable AuditBypass for all mailboxes which currently have it enabled:
# Get mailboxes with AuditBypassEnabled set to $true
$MBXAudit = Get-MailboxAuditBypassAssociation -ResultSize unlimited | Where-Object { $_.AuditBypassEnabled -eq $true }
foreach ($mailbox in $MBXAudit) {
$mailboxName = $mailbox.Name
Set-MailboxAuditBypassAssociation -Identity $mailboxName -AuditBypassEnabled $false
Write-Host 'Audit Bypass disabled for mailbox Identity: $mailboxName' -ForegroundColor Green
}
Default Value:
AuditBypassEnabled False