After customer suggestion and feedback Microsoft have decided to make Exchange Online store mailbox audits for all user mailboxes by default. The default audit configuration will change and include more audit events.
Why are Microsoft doing this?
These changes are part of Microsoft's plan to improve the security tooling available to customers, ensuring they have access to the audit data they need to investigate security incidents.
Enabling this feature by default addresses a pain point in the current mailbox audit administration: Exchange administrators must set AuditEnabled on each mailbox after it is created, and for larger customers this is a very tedious task. With this change the setting is applied automatically tenant-wide, so mailbox events are recorded on users' mailboxes without any administrator or user input.
Furthermore, Microsoft also plan to introduce more audit actions, covering more of the currently available Owner and Delegate options. Mailboxes whose AuditOwner, AuditDelegate and AuditAdmin settings rely on the defaults will begin to audit with the updated defaults. If the organisation's Exchange administrator has previously configured a mailbox with a different set of events, that configuration will not be overwritten.
When will this change come into place and do I need to do anything?
Microsoft plan to roll this out over the next few months. No action is required on your side; Microsoft will do all of the work in the background.
Why does auditing owner actions matter?
Mailbox auditing for owner actions covers scenarios that are important when investigating compromised email accounts, such as:
- MailboxLogin events – recorded when a client accesses a user's mailbox.
- Mail actions: creating and editing messages in any folder, delete actions (including moving a message to the Deleted Items folder or permanently removing messages), and copying or moving messages.
- Actions commonly used in attacks: creating an Inbox rule, adding delegates, or delegating Calendar access to other users.
How do I disable auditing for my organisation's mailboxes?
This can be done with a single command:
Set-OrganizationConfig -AuditDisabled $true
To reverse this and enable mailbox audits run:
Set-OrganizationConfig -AuditDisabled $false
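Before or after the rollout, an administrator will usually want to verify the tenant has not opted out and find mailboxes that keep a customised Owner action set (which the new defaults will not overwrite). The following is an added example, not code from the original post; it assumes an Exchange Online PowerShell session is already connected, and the list of "expected" owner actions is this editor's choice based on the scenarios described above.

```powershell
# Added example (not part of the original post). Assumes Connect-ExchangeOnline
# has already been run in this session.

# 1. Confirm the tenant has not opted out of mailbox auditing by default.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled tenant-wide (AuditDisabled = True)."
} else {
    Write-Host "Tenant-wide mailbox auditing is enabled."
}

# 2. Owner actions we expect to be captured for a compromise investigation
#    (logins, message changes/deletions, Inbox rules, delegation). Chosen for
#    this example; adjust to your own requirements.
$expectedOwnerActions = @(
    'MailboxLogin', 'Create', 'Update', 'MoveToDeletedItems',
    'SoftDelete', 'HardDelete', 'UpdateInboxRules',
    'UpdateFolderPermissions', 'UpdateCalendarDelegation'
)

# 3. Walk every user mailbox. DefaultAuditSet lists which of Admin/Delegate/Owner
#    still follow Microsoft's defaults; a mailbox missing 'Owner' there keeps its
#    own AuditOwner list and will not pick up the updated defaults.
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $usesDefaultOwner = $mbx.DefaultAuditSet -contains 'Owner'
    $ownerActions     = @($mbx.AuditOwner)
    $missing          = $expectedOwnerActions | Where-Object { $_ -notin $ownerActions }

    [pscustomobject]@{
        Mailbox          = $mbx.UserPrincipalName
        AuditEnabled     = $mbx.AuditEnabled
        UsesDefaultOwner = $usesDefaultOwner
        MissingOwner     = ($missing -join ',')
    }
}

# 4. Report mailboxes that are not audited, or that have a custom Owner set
#    lacking one of the expected actions, so they can be reviewed by hand.
$findings |
    Where-Object { -not $_.AuditEnabled -or (-not $_.UsesDefaultOwner -and $_.MissingOwner) } |
    Format-Table -AutoSize
```

Mailboxes listed with UsesDefaultOwner = False will not be changed by the rollout, so their AuditOwner set must be reviewed manually with Set-Mailbox -AuditOwner if any of the listed actions are required.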