
Office 365 Audit Records Reveal Interesting Events
Over the last few days, I’ve noticed records being generated in the Office 365 audit log for an account called BOXServiceAccount. You can see an example above. The audit records are matched by alert policies (managed through the Security and Compliance Center) that cause email to be sent to my account when events that might need investigation occur. In this case, the event is a use of Exchange Online administrative permission by an account.

A quick internet search turned up this Microsoft support article, which throws some light on the subject. Although the wording is odd (for example, “BOXServiceAccount is added to a role” is more likely “BOXServiceAccount is used to add an account to a role.”), the intent is clear. BOXServiceAccount is a system account used behind the scenes to carry out tasks within Office 365. A discussion in the Microsoft Technical Community from April 2018 and another in the Microsoft Answers forum from June 2017 provided some extra insight. Clearly, I haven’t been paying attention.
In this case, it seems like BOXServiceAccount comes into play when an administrator assigns another user one of the custom administrative roles through the Office 365 Admin Center. I assume the reason why a system account is used in this manner is that the administrator who assigns someone a role might not have the permission to add that account to the Azure Active Directory role groups which underpin the administrative roles.
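One way to pull these records on demand instead of waiting for the alert email, as an added example that is not from the original post. It assumes an Exchange Online PowerShell session where Search-UnifiedAuditLog is available; the seven-day window and the report column names are illustrative choices.

```powershell
# Added example: list audit records that mention BOXServiceAccount and show
# which cmdlet ran, against which object, and with which parameters.
$End   = Get-Date
$Start = $End.AddDays(-7)          # illustrative look-back window

# FreeText matches the string anywhere in the record, so the account is found
# whether it is recorded as the actor or elsewhere in the audit payload.
$Search = @{
    StartDate  = $Start
    EndDate    = $End
    FreeText   = 'BOXServiceAccount'
    ResultSize = 1000
}
$Records = Search-UnifiedAuditLog @Search

$Report = foreach ($Record in $Records) {
    # AuditData is a JSON string; the detail of what changed lives inside it.
    $Data = $Record.AuditData | ConvertFrom-Json

    # Exchange admin records carry cmdlet parameters as Name/Value pairs
    # (assumption: other workloads may omit this property, so filter defensively).
    $Params = @($Data.Parameters) |
        Where-Object { $_.Name } |
        ForEach-Object { "$($_.Name)=$($_.Value)" }

    [PSCustomObject]@{
        TimeUtc    = $Record.CreationDate
        Actor      = $Record.UserIds
        Operation  = $Record.Operations
        Target     = $Data.ObjectId
        Parameters = $Params -join '; '
    }
}

# Chronological view of what the system account did in the window.
$Report | Sort-Object TimeUtc | Format-Table -AutoSize -Wrap
```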
Azure Active Directory Role Groups
To see the role groups defined in your tenant, run the Get-AzureADDirectoryRole cmdlet (from the Azure AD PowerShell V2 module).
Get-AzureADDirectoryRole

ObjectId                             DisplayName                      Description
--------                             -----------                      -----------
07308ce7-381b-4fb1-b31e-398b8a66c946 Billing Administrator            Can perform common billing related tasks like updating payme...
0f3a91cd-4fdd-436e-97ed-f2a01b19bfe2 User Account Administrator       Can manage all aspects of users and groups, including resett...
1402c923-f478-4a9c-82b1-0511726c43bd Customer LockBox Access Approver Can approve Microsoft support requests to access customer or...
268030c9-556f-47a6-a167-5970cb734558 Device Administrators            Device Administrators
36333bfe-4ff2-452a-a4a0-d11a668b44c7 Company Administrator            Can manage all aspects of Azure AD and Microsoft services th...
387f95ae-e47f-4156-b5d3-2d9150fdea7e Directory Readers                Can read basic directory information. For granting access to...
432e4ce3-ed50-4406-aeb6-1794283ad211 Lync Service Administrator       Can manage all aspects of the Skype for Business product.
4e0cabe2-fe25-49e1-8538-61a8b8422517 Reports Reader                   Can read sign-in and audit reports.
53add08e-5b0c-4276-a582-9ce02fb6c947 Exchange Service Administrator   Can manage all aspects of the Exchange product.
57122a2b-cd95-4370-a84b-4e90ec8e722a Service Support Administrator    Can read service health information and manage support tickets.
64503181-13d0-4ef6-8ee2-a08a7b690168 Power BI Service Administrator   Can manage all aspects of the Power BI product.
7ae4b349-1f17-429c-8795-dcc56096c0c7 Helpdesk Administrator           Can reset passwords for non-administrators and Helpdesk Admi...
88b6939a-ef4b-4e8e-9aba-00f4f8447e66 Compliance Administrator         Can read and manage compliance configuration and reports in ...
c7ba418f-9d1e-4bd2-b770-dba1cbc2c336 Directory Writers                Can read and write basic directory information. For granting...
f35c2f36-b60d-4b17-b261-0de8af7da552 SharePoint Service Administrator Can manage all aspects of the SharePoint service
The Lync Service Administrator listed is just an old display name. It equates to what you see as the Skype for Business Online Administrator when viewed through the Office 365 Admin Center. To see the current accounts assigned a role, run the Get-AzureADDirectoryRoleMember cmdlet and pass the object identifier of the role you want to examine.
Get-AzureADDirectoryRoleMember -ObjectId "f35c2f36-b60d-4b17-b261-0de8af7da552"

ObjectId                             DisplayName    UserPrincipalName                  UserType
--------                             -----------    -----------------                  --------
d44088a5-a5ea-47af-b724-cffb12c6ed3e Paul Smith     Paul.Smith@office365itpros.com     Member
d446f6d7-5728-44f8-9eac-71adb354fc89 James Abrahams James.Abrahams@office365itpros.com Member
67105a51-e817-493e-8094-f600babf5f62 Marc Vigneau   Marc.Vigneau@office365itpros.com   Member
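The two cmdlets above can be combined to snapshot every role's membership and report what changed since the last run, which gives an independent check on role assignments made behind the scenes. This is an added example, not code from the original post; it assumes Connect-AzureAD has already been run, and the snapshot file name is hypothetical.

```powershell
# Added example: baseline Azure AD role membership and diff against the last run.
$SnapshotPath = '.\RoleMembers-Baseline.csv'   # hypothetical path

# Build one row per (role, member) pair across all role groups in the tenant.
$Current = foreach ($Role in Get-AzureADDirectoryRole) {
    foreach ($Member in Get-AzureADDirectoryRoleMember -ObjectId $Role.ObjectId) {
        [PSCustomObject]@{
            Role       = $Role.DisplayName
            MemberId   = $Member.ObjectId
            Member     = $Member.DisplayName
            # Empty for service principals, which have no UserPrincipalName.
            UPN        = $Member.UserPrincipalName
            ObjectType = $Member.ObjectType
        }
    }
}

if (Test-Path $SnapshotPath) {
    $Baseline = Import-Csv $SnapshotPath

    # Compare on the stable keys only; display names can be edited without
    # the assignment itself changing.
    $Changes = Compare-Object -ReferenceObject @($Baseline) `
                              -DifferenceObject @($Current) `
                              -Property Role, MemberId -PassThru

    # '=>' rows exist only in the current data (added since the baseline);
    # '<=' rows exist only in the baseline (removed since then).
    $Changes | Select-Object @{ Name = 'Change'; Expression = {
                   if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
               Role, Member, UPN, ObjectType |
        Sort-Object Role, Change |
        Format-Table -AutoSize
}

# Overwrite the baseline so the next run reports only new changes.
$Current | Export-Csv $SnapshotPath -NoTypeInformation
```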
No Mystery – Move Along Please
So, apart from its odd name, there’s no mystery about BOXServiceAccount. It’s just one of the system accounts used by Office 365 to get work done. There’s nothing wrong with using accounts like this because system accounts have been used for years for different purposes, such as updating your Exchange Online configuration to match standards set by Office 365.
But what’s wrong is that Microsoft has never communicated the reason why BOXServiceAccount exists and how it is used. A note in the Message Center in the Office 365 Admin Center wouldn’t have gone amiss, well before administrators began to see the interesting audit events turn up in their Office 365 audit log. Maybe I missed that too.
For more information about custom Administrative roles, see Chapter 4 of the Office 365 for IT Pros eBook. And of course, you can have a great time reviewing the many interesting facts to be found in the Office 365 audit log in Chapter 21. And activity alerts and alert policies are covered in Chapter 21 too, just in case you don’t feel like browsing the audit log daily.
In our case, one of our users was added to the SharePoint Administrator role and then this alert popped up, and we see that the same user also got automatically added to the View-Only Organization Management role in Exchange. What is not clear is whether the user will get automatically removed from the Exchange role when the SharePoint role is removed.
It’s easy to test…