How to Detect Who Modified Mailbox Permissions in Exchange Online

These days is very important to protect sensitive mailbox content and prevent data leakage, organizations need to continuously monitor mailbox permission changes and be able to quickly determine what permissions were modified and by whom. Anyone who gets mailbox permissions in Exchange Online gains access to all the contents of that mailbox. Once you have such level of permissions, you can read messages, change or delete items, move content to another location, distribute it and more — without the mailbox owner even being aware of these actions. Therefore auditing is very important and should be performed often to make sure that the information is protected and you do not have users abusing permissions.

Here are steps to run audit and detect who modified Mailbox permissions in Exchange online:

  1. Open Exchange Administrative Console in browser → Navigate to “Compliance management” → Choose “Auditing” → Choose “Run the admin audit log report…”
  2. Choose a start date and end date → Click “Search“. You will see all configuration changes made during the specified time period.
  3. Sort the list by cmdlet and find “Add-MailboxPermission” one → Click on it for details
  4. You will see who changed permissions (“User“), which mailbox permissions were changed and how (“Parameters”).

Continuously monitor Mailbox permissions to timely detect Unauthorized changes.


Leave a Reply