Information
Mailbox audit logging is turned on by default in all organizations. This effort started in January 2019, and means that certain actions performed by mailbox owners, delegates, and admins are automatically logged. The corresponding mailbox audit records are available for admins to search in the mailbox audit log.
Mailboxes and shared mailboxes have actions assigned to them individually in order to audit the data the organization determines valuable at the mailbox level.
The recommended state is AuditEnabled to True on all user mailboxes along with additional audit actions beyond the Microsoft defaults.
Note: Due to some differences in defaults for audit actions this recommendation is specific to users assigned an E3 license only.
Rationale:
Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing, and ensuring the proper mailbox actions are accounted for allows for Microsoft 365 teams to run security operations, forensics or general investigations on mailbox activities.
The following mailbox types ignore the organizational default and must have AuditEnabled set to True at the mailbox level in order to capture relevant audit data.
Resource Mailboxes
Public Folder Mailboxes
DiscoverySearch Mailbox
Note: Without advanced auditing (E5 function) the logs are limited to 90 days.
Impact:
None - this is the default behavior.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To enable mailbox auditing for all user mailboxes using PowerShell:
Connect to Exchange Online using Connect-ExchangeOnline.
Run the following PowerShell script:
$AuditAdmin = @(
'ApplyRecord', 'Copy', 'Create', 'FolderBind', 'HardDelete', 'Move',
'MoveToDeletedItems', 'SendAs', 'SendOnBehalf', 'SoftDelete', 'Update',
'UpdateCalendarDelegation', 'UpdateFolderPermissions', 'UpdateInboxRules'
)
$AuditDelegate = @(
'ApplyRecord', 'Create', 'FolderBind', 'HardDelete', 'Move',
'MoveToDeletedItems', 'SendAs', 'SendOnBehalf', 'SoftDelete', 'Update',
'UpdateFolderPermissions', 'UpdateInboxRules'
)
$AuditOwner = @(
'ApplyRecord', 'Create', 'HardDelete', 'MailboxLogin', 'Move',
'MoveToDeletedItems', 'SoftDelete', 'Update', 'UpdateCalendarDelegation',
'UpdateFolderPermissions', 'UpdateInboxRules'
)
$MBX = Get-EXOMailbox -ResultSize Unlimited | Where-Object { $_.RecipientTypeDetails -eq 'UserMailbox' }
$MBX | Set-Mailbox -AuditEnabled $true '
-AuditLogAgeLimit 90 -AuditAdmin $AuditAdmin -AuditDelegate $AuditDelegate '
-AuditOwner $AuditOwner
Default Value:
AuditEnabled: True for all mailboxes except below:
Resource Mailboxes
Public Folder Mailboxes
DiscoverySearch Mailbox
AuditAdmin: ApplyRecord, Create, HardDelete, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules
AuditDelegate: ApplyRecord, Create, HardDelete, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules
AuditOwner: ApplyRecord, HardDelete, MoveToDeletedItems, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules