5.2 Ensure mailbox auditing for all users is Enabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default.

Rationale:

Starting in January 2019, Microsoft is turning on mailbox audit logging by default for all organizations. This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged, and the corresponding mailbox audit records will be available when you search for them in the mailbox audit log. When mailbox auditing on by default is turned on for the organization, the AuditEnabled property for affected mailboxes won't be changed from False to True. In other words, mailbox auditing on by default ignores the AuditEnabled property on mailboxes. However, only certain mailbox types support default auditing On:

User Mailboxes

Shared Mailboxes

Microsoft 365 Group Mailboxes

The remaining mailbox types require auditing to be turned on at the mailbox level:

Resource Mailboxes

Public Folder Mailboxes

DiscoverySearch Mailbox

Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing allows Microsoft 365 back office teams to run security operations, forensics or general investigations on mailbox activities.

NOTE: Without advanced auditing (E5 function) the logs are limited to 90 days.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To enable mailbox auditing for all users, use the Exchange Online PowerShell Module:

Run Microsoft Exchange Online PowerShell Module.

Connect using Connect-ExchangeOnline.

Run the following PowerShell commands:

# Actions to audit when performed by administrators
$AuditAdmin = @('Copy', 'Create', 'FolderBind', 'HardDelete', 'MessageBind', 'Move', 'MoveToDeletedItems', 'SendAs', 'SendOnBehalf', 'SoftDelete', 'Update', 'UpdateCalendarDelegation', 'UpdateFolderPermissions', 'UpdateInboxRules')

# Actions to audit when performed by delegates
$AuditDelegate = @('Create', 'FolderBind', 'HardDelete', 'Move', 'MoveToDeletedItems', 'SendAs', 'SendOnBehalf', 'SoftDelete', 'Update', 'UpdateFolderPermissions', 'UpdateInboxRules')

# Actions to audit when performed by the mailbox owner
# (the variable must be named $AuditOwner so that it matches the -AuditOwner argument below)
$AuditOwner = @('Create', 'HardDelete', 'MailboxLogin', 'Move', 'MoveToDeletedItems', 'SoftDelete', 'Update', 'UpdateCalendarDelegation', 'UpdateFolderPermissions', 'UpdateInboxRules')

# Apply the settings to every mailbox and keep audit records for 180 days
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180 -AuditAdmin $AuditAdmin -AuditDelegate $AuditDelegate -AuditOwner $AuditOwner
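Because Nessus does not perform this check, the following script is offered as an added verification example; it is not part of the CIS benchmark or the Nessus audit. It assumes a session already opened with Connect-ExchangeOnline, uses the action lists from the Solution above as the required baseline, and the function names Test-MailboxAuditCompliance and Get-MissingActions are names chosen here.

```powershell
# Added example: report mailboxes that do not meet the settings applied in the Solution section.
# Assumes Connect-ExchangeOnline has already been run in this session.
$RequiredActions = @{
    AuditAdmin    = @('Copy','Create','FolderBind','HardDelete','MessageBind','Move','MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update','UpdateCalendarDelegation','UpdateFolderPermissions','UpdateInboxRules')
    AuditDelegate = @('Create','FolderBind','HardDelete','Move','MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update','UpdateFolderPermissions','UpdateInboxRules')
    AuditOwner    = @('Create','HardDelete','MailboxLogin','Move','MoveToDeletedItems','SoftDelete','Update','UpdateCalendarDelegation','UpdateFolderPermissions','UpdateInboxRules')
}
$MinAgeLimitDays = 180   # value set by the benchmark's Set-Mailbox command

function Get-MissingActions {
    # Hypothetical helper: returns the required actions absent from a mailbox's audit set.
    param([string[]]$Required, $Actual)
    $have = @($Actual | ForEach-Object { $_.ToString() })   # enum values -> strings
    return @($Required | Where-Object { $_ -notin $have })
}

function Test-MailboxAuditCompliance {
    # Hypothetical helper: emits one object per mailbox with at least one finding.
    # RecipientTypeDetails is included so that the types not covered by auditing-on-by-default
    # (resource, public folder and discovery search mailboxes) can be spotted in the output.
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        $findings = @()
        if (-not $mbx.AuditEnabled) { $findings += 'AuditEnabled is False' }
        # AuditLogAgeLimit is an EnhancedTimeSpan such as 90.00:00:00; parse it as a TimeSpan
        $ageDays = [TimeSpan]::Parse($mbx.AuditLogAgeLimit.ToString()).TotalDays
        if ($ageDays -lt $MinAgeLimitDays) { $findings += "AuditLogAgeLimit is $ageDays days (< $MinAgeLimitDays)" }
        foreach ($name in $RequiredActions.Keys) {
            $missing = Get-MissingActions -Required $RequiredActions[$name] -Actual $mbx.$name
            if ($missing.Count -gt 0) { $findings += "$name missing: $($missing -join ', ')" }
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Type     = $mbx.RecipientTypeDetails
                Findings = $findings -join '; '
            }
        }
    }
}

Test-MailboxAuditCompliance | Format-Table -AutoSize -Wrap
```

An empty result means every mailbox already carries the benchmark's settings; otherwise the Findings column names exactly which property to correct with Set-Mailbox.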

Default Value:

Only certain mailbox types support default auditing On:

User Mailboxes

Shared Mailboxes

Microsoft 365 Group Mailboxes

The remaining mailbox types require auditing to be turned on at the mailbox level:

Resource Mailboxes

Public Folder Mailboxes

DiscoverySearch Mailbox

See Also

https://workbench.cisecurity.org/files/4073