On May 19, Microsoft disclosed that a problem had stopped audit events being generated when people used the Exchange SendAs and SendOnBehalfOf permissions to send email for other mailboxes. Microsoft says that the problem is now fixed, but as it turns out, some issues still exist with capturing audit records for SendAs events.
I’ve written many articles to explain how to use the Office 365 audit log to report different aspects of the platform. But taking action is much better than just reporting. In this post, we explain how to take a report generated from the Office 365 audit log and use it to drive some actions. In this case, removing the SendAs permission from people who aren’t using it.
The SendAs audit event is logged when someone uses the send as permission to send a message from an Exchange Online mailbox. The events are stored in the Office 365 audit log and can be found there with an audit log search. However, things aren’t as straightforward as they are on-premises because some other types of delegated messages turn up in searches. Fortunately, we have a script to help.
Outlook Mobile now supports delegate access to Exchange Online mailboxes. By granting fuil access to a delegate, they can open and work with a mailbox, and send messages using the SendAS or SendOnBehalfOf permissions. The new feature underscores the advantage Outlook mobile enjoys over other mobile Office 365 email clients.
Exchange administrators are accustomed to looking through mailbox audit logs to find details of events. Those same events are in the Office 365 audit log, so that’s the place to go look for information, like when you want to find out who sent a message from a shared mailbox using the SendAs permission.