How to Detect Who Modified Mailbox Permissions in Exchange Online

Native Auditing vs. Netwrix Auditor for Exchange
{{ firstError }}
We care about security of your data. Privacy Policy
Native Auditing Netwrix Auditor for Exchange
Native Auditing
Netwrix Auditor for Exchange
Steps
  1. Open Exchange Administrative Console in Internet Explorer → Navigate to "Compliance management"→ Click on "Auditing" → Select "Run the admin audit log report".
  2. To see all configuration changes made during the specified period, fill out the start date and the end date fields → Click "Search".
  3. Sort the list by cmdlet and find the "Add-MailboxPermission" cmdlet → Click on it for details.
  4. To find out who changed permissions, refer to the "User" section. To find out which mailbox permissions were changed and how, refer to the "Parameters" section.
Monitoring mailbox permissions changes using Exchange Administrative Console report
  1. Run Netwrix Auditor → Navigate to "Search" → Click on "Advanced mode" if not selected → Set up the following filters:
    • Filter = "Data source"
      Operator = "Equals"
      Value = "Exchange Online"
    • Filter = "Details"
      Operator = "Contains"
      Value = "Access Rights"
  2. Click the "Search" button and review what changes were made to access rights.
Monitoring mailbox permissions changes using Netwrix Auditor Report
Learn more about Netwrix Auditor for Exchange

Keep an Eye on Permissions Changes in Exchange Online to Mitigate the Risk of Security Breach

Anyone who gets mailbox permissions in Exchange Online gains access to all the contents of that mailbox. They can read messages, change or delete items, move content to another location, distribute it and more — without the mailbox owner even being aware of these actions. Therefore, to protect sensitive mailbox content and prevent data leakage, organizations need to continuously monitor mailbox permission changes and be able to quickly determine what permissions were modified and by whom. 

Netwrix Auditor for Exchange delivers complete visibility into hybrid cloud IT environments, including mailbox permission changes and data access in on-premises Exchange and Exchange Online. The solution informs about every change, improving Office 365 and Exchange Server email security. With Netwrix Auditor Interactive Search feature, IT pros can determine in minutes which mailbox permissions were modified, who set new mailbox permissions, and when each change happened — mitigating the risk of data leaks.

Related How-tos
How to Detect Who Created a User Account in Active Directory How to Detect Who Was Accessing Shared Mailbox in Office 365 How to Detect Who Changed a File or Folder Owner How to Detect Who Deleted a User Account in Active Directory How to Stay on Top of Permissions Changes to Public Folders in Exchange Online How to Get AD User Group Membership with or without PowerShell