Last October, I wrote about Microsoft’s glacial progress in making important audit events used for forensic investigations available to customers with Purview Audit standard licenses. This followed a July 19 statement where Microsoft agreed to expose the audit events to audit log searches run by Purview Audit standard customers and to extend the retention period for audit events from 90 to 180 days. Nothing seems to move quickly in the world of auditing. Perhaps they need a Copilot to help?
The good news is that a May 20 post in the Microsoft Technical Community says that the long-anticipated 19 new audit events are coming in public preview. Once the update reaches your tenant (June 2024, according to the Microsoft 365 roadmap), you should see these events turn up for accounts with Purview Audit standard licenses in the results of audit log searches run through the Purview portal, the Search-UnifiedAuditLog cmdlet, or the AuditLogQuery Graph API.
Here’s an example of using the Search-UnifiedAuditLog cmdlet to search the audit log for some of the new events. Note that I use the SessionCommand parameter to make sure that all results are returned (necessary after an unannounced and unexplained change made by Microsoft last year). Sorting the results by identity removes duplicates:
```powershell
[array]$Records = Search-UnifiedAuditLog -Operations MailItemsAccessed, Send, messageSent -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date).AddDays(-1) -ResultSize 5000 -Formatted -SessionCommand ReturnLargeSet
$Records = $Records | Sort-Object Identity -Unique
$Records | Group-Object Operations -NoElement | Select-Object Name, Count

Name              Count
----              -----
MailItemsAccessed  1792
MessageSent          61
Send                 49
```
You could get the same results by running a high completeness search, but you’d wait much longer for the output (if the search doesn’t hit an internal server error as in Figure 1). In Microsoft’s defense, high completeness searches are a preview feature.
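Counting events by operation is only the first step; the forensic value of MailItemsAccessed lies in the AuditData JSON payload of each record. The following function is an added example, not code from the original post: it parses AuditData for MailItemsAccessed and Send records, extracts the access type (Bind or Sync), the client string and IP address, counts the folder items touched, and summarizes by user, operation and client. The property names used (CreationTime, UserId, Operation, ClientIPAddress, ClientInfoString, OperationProperties, Folders, FolderItems) are the documented fields of these audit records; the sample record at the end is constructed for offline testing and its values are made up.

```powershell
# Added example: summarize MailItemsAccessed/Send records from Search-UnifiedAuditLog
# by parsing the AuditData JSON carried in each record.
function Get-MailAuditSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Records
    )
    $Parsed = foreach ($Record in $Records) {
        $Data = $Record.AuditData | ConvertFrom-Json
        # MailAccessType (Bind = individual item read, Sync = client synchronized a folder)
        # is stored under OperationProperties as Name/Value pairs for MailItemsAccessed
        $AccessType = ($Data.OperationProperties | Where-Object Name -eq 'MailAccessType').Value
        # Count the items listed under each folder; Send records carry no Folders array
        $ItemCount = 0
        foreach ($Folder in $Data.Folders) { $ItemCount += @($Folder.FolderItems).Count }
        [PSCustomObject]@{
            User       = $Data.UserId
            Operation  = $Data.Operation
            AccessType = $AccessType
            Client     = $Data.ClientInfoString
            ClientIP   = $Data.ClientIPAddress
            Items      = $ItemCount
        }
    }
    # Group so that one line shows how many items a given client pulled for a user;
    # a Sync from an unfamiliar client or IP is usually what an investigator looks at first
    $Parsed | Group-Object User, Operation, AccessType, Client | ForEach-Object {
        [PSCustomObject]@{
            User       = $_.Group[0].User
            Operation  = $_.Group[0].Operation
            AccessType = $_.Group[0].AccessType
            Client     = $_.Group[0].Client
            Events     = $_.Count
            Items      = ($_.Group | Measure-Object Items -Sum).Sum
            ClientIPs  = ($_.Group.ClientIP | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Items -Descending
}

# Live use (requires Connect-ExchangeOnline):
# [array]$Records = Search-UnifiedAuditLog -Operations MailItemsAccessed, Send -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -ResultSize 5000 -SessionCommand ReturnLargeSet
# $Records = $Records | Sort-Object Identity -Unique
# Get-MailAuditSummary -Records $Records | Format-Table -AutoSize

# Constructed sample record for offline testing (all values are made up)
$Sample = [PSCustomObject]@{
    AuditData = @'
{"CreationTime":"2024-06-01T10:15:00","Operation":"MailItemsAccessed","UserId":"user@example.com",
 "ClientIPAddress":"203.0.113.10","ClientInfoString":"Client=OWA;Action=ViaProxy",
 "OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],
 "Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<a@example.com>"},{"InternetMessageId":"<b@example.com>"}]}]}
'@
}
Get-MailAuditSummary -Records @($Sample) | Format-Table -AutoSize
```

The summary deliberately keeps Bind and Sync separate: a Sync record means the client downloaded a whole folder, so the item count underestimates what was actually read, and the events for that folder should be interpreted differently from a handful of Bind records.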
What’s interesting from Microsoft’s announcement is that the Send and MailItemsAccessed events are added automatically to the set of events captured for mailboxes UNLESS you’ve updated the audit configuration for a mailbox. In other words, Microsoft doesn’t attempt to update custom mailbox audit configurations.
I guess I understand the logic. If administrators changed mailbox audit configurations, they presumably do so for good reason and Microsoft doesn’t want to mess with that configuration. On the other hand, an arguable case exists that these events are so important that they should be added to the audit configuration for all mailboxes.
Microsoft suggests two options: revert mailboxes to the default audit configuration or update mailbox audit configurations to add the new events. I suggest that the latter is the better option. Here’s some code I used to update mailboxes in my tenant. The script uses the Get-MgUser cmdlet from the Microsoft Graph PowerShell SDK to find accounts with Office 365 E3 licenses (including Purview Audit standard).
For each mailbox, the script:
```powershell
Connect-MgGraph -NoWelcome -Scopes User.Read.All
Connect-ExchangeOnline

# Find accounts holding an Office 365 E3 license (SKU 6fd2c87f-b296-42f0-b197-1e91e994b900)
[array]$Users = Get-MgUser -Filter "assignedLicenses/any(s:s/skuId eq 6fd2c87f-b296-42f0-b197-1e91e994b900)" -All | Sort-Object DisplayName
[int]$Updates = 0

ForEach ($User in $Users) {
    Write-Host ("Checking mailbox audit configuration for {0}" -f $User.DisplayName)
    $Mailbox = Get-Mailbox -Identity $User.UserPrincipalName -ErrorAction SilentlyContinue
    If ($null -eq $Mailbox) {
        Write-Host ("No mailbox found for {0}" -f $User.UserPrincipalName) -ForegroundColor Red
        Continue
    }
    # If the owner set is still the default, Microsoft adds the new events automatically
    If ("Owner" -notin [array]$Mailbox.DefaultAuditSet) {
        # There's a non-default owner audit configuration, so update the custom set
        [array]$AuditConfiguration = $Mailbox.AuditOwner
        $Updated = $false
        If ("MailItemsAccessed" -notin $AuditConfiguration) {
            Write-Host ("Updating mailbox audit configuration for {0}" -f $User.DisplayName) -ForegroundColor Yellow
            Set-Mailbox -Identity $User.UserPrincipalName -AuditOwner @{Add="MailItemsAccessed"} -AuditDelegate @{Add="MailItemsAccessed"} -ErrorAction SilentlyContinue
            $Updated = $true
        }
        If ("Send" -notin $AuditConfiguration) {
            Set-Mailbox -Identity $User.UserPrincipalName -AuditOwner @{Add="Send"} -ErrorAction SilentlyContinue
            $Updated = $true
        }
        If ($Updated) { $Updates++ }
        # Make sure that auditing is enabled for the mailbox so the new configuration takes effect
        Set-Mailbox -Identity $User.UserPrincipalName -AuditEnabled $true -WarningAction SilentlyContinue
    }
}
Write-Host ("All done. {0} of {1} mailboxes updated" -f $Updates, $Users.Count)
```
It’s good that Microsoft has finally deployed the new audit events. It’s not so good that tenant administrators need to intervene to ensure that mailbox audit configurations are correctly set up. Further details are available in Microsoft’s documentation.
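Because the update is left to administrators, it is worth being able to prove afterwards that every mailbox captures the new events. The script below is an added example, not the post's own code: it reads the audit settings of all user mailboxes with Get-ExoMailbox (chosen over Get-Mailbox because it is faster for bulk reads) and reports any mailbox where auditing is disabled or where MailItemsAccessed and Send are missing from the owner set, or MailItemsAccessed from the delegate set. Unlike the update script above, it is not restricted to E3-licensed accounts. The report includes DefaultAuditSet so you can tell whether a gap is on a Microsoft-managed default set (still waiting for the rollout) or on a custom set that needs fixing. Send is an owner-only action, so it is not checked for delegates.

```powershell
# Added example: report mailboxes whose audit configuration lacks the new events.
# Run after Connect-ExchangeOnline.
$RequiredOwner    = @('MailItemsAccessed', 'Send')   # owner actions expected after the rollout
$RequiredDelegate = @('MailItemsAccessed')           # Send is not a valid delegate action

function Test-MailboxAuditConfig {
    param([Parameter(Mandatory)] $Mailbox)
    $Missing = [System.Collections.Generic.List[string]]::new()
    if (-not $Mailbox.AuditEnabled) { $Missing.Add('AuditEnabled=false') }
    foreach ($Action in $RequiredOwner) {
        if ($Action -notin @($Mailbox.AuditOwner)) { $Missing.Add("Owner:$Action") }
    }
    foreach ($Action in $RequiredDelegate) {
        if ($Action -notin @($Mailbox.AuditDelegate)) { $Missing.Add("Delegate:$Action") }
    }
    [PSCustomObject]@{
        Mailbox         = $Mailbox.UserPrincipalName
        DefaultAuditSet = (@($Mailbox.DefaultAuditSet) -join ',')   # empty = fully custom
        Compliant       = ($Missing.Count -eq 0)
        Missing         = ($Missing -join '; ')
    }
}

[array]$Mailboxes = Get-ExoMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited `
    -Properties AuditEnabled, DefaultAuditSet, AuditOwner, AuditDelegate
$Report = $Mailboxes | ForEach-Object { Test-MailboxAuditConfig -Mailbox $_ }
$NonCompliant = @($Report | Where-Object { -not $_.Compliant })
$NonCompliant | Format-Table Mailbox, DefaultAuditSet, Missing -AutoSize
Write-Host ("{0} of {1} mailboxes need attention" -f $NonCompliant.Count, $Mailboxes.Count)
```

Running the report once before the update and once after gives a before/after record for the change, and scheduling it periodically catches mailboxes whose audit configuration is later changed by hand.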
Learn about using Exchange Online and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.