Tuesday, July 26, 2016

Auditing administrators granting “Full Access” permissions to mailboxes in Exchange 2016

One of the most common questions I’ve been asked by clients is whether there is a way to audit administrators granting Full Access permissions to mailboxes in Exchange and the answer to that is yes because every action made within the Exchange Admin Center or Exchange Management Console can be logged by a feature named Administrator Audit Logging which basically logs every mirror Exchange cmdlet executed that isn’t a Get-.

Enable Administrator Audit Logging

The first step in the process of providing auditing logs is to execute the following cmdlet to ensure that logging is turned on:

Get-AdminAuditLogConfig | FL

image

Notice that the AdminAuditLogEnabled is set to True while the LogLevel is set to Verbose.  If the configuration is set to any other setting, execute the following to change it:

Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
Set-AdminAuditLogConfig -LogLevel Verbose

More information about the Set-AdminAuditLogConfig can found at the following TechNet article: https://technet.microsoft.com/en-us/library/dd298169(v=exchg.160).aspx

Audit Option #1 - Review Admin Audit Log Report

Once administrator audit logging is enabled, we can review the Compliance Management > auditing > Admin Audit Log Report from within the Exchange Admin Center:

image

… configure a Start date and End date to narrow the return results:

image

Then sort the CMDLET column by alphabetical order and look for the cmdlet:

Add-MailboxPermission

or

Remove-MailboxPermission

… to review when and which administrator made the changes:

image

Audit Option #2 – Using PowerShell to search admin audit log

Another method for reviewing the admin audit log is to use PowerShell to search it and the cmdlet that allows us to accomplish this is Search-AdminAuditLog (TechNet: https://technet.microsoft.com/en-us/library/ff459250(v=exchg.160).aspx). The following cmdlets searches for either Add or Remove of mailbox permissions:

Search-AdminAuditLog -cmdlets Add-MailboxPermission

Search-AdminAuditLog -cmdlets Remove-MailboxPermission

image

Note that executing Search-AdminAuditLog without any parameters will only parse through 1,000 entries which may not cover a wide range of days so to ensure that specific dates are covered, include the StartDate and EndDate switches as such:

Search-AdminAuditLog -cmdlets Add-MailboxPermission -StartDate 01/24/2016 –EndDate 07/26/2016

image

Audit Option #3 - Review Admin Audit Log Report

The last option available is to review the event logs Applications and Services Logs > MSExchange Management logs in the Event Viewer:

image

Simply right click on MSExchange Management select Find…:

image

Then search for Add-MailboxPermission:

image

image

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Hope this helps anyone out there looking for a way to audit actions performed within Exchange.

No comments: