
Settings for Non-Owner Mailbox Access Audit: Using Application

To prepare for non-owner mailbox access auditing in the Exchange Online organization, you need to complete several configuration steps: create a Microsoft Entra ID app with the required permissions and configure it to automatically apply the necessary audit settings.

These settings configure the All Exchange Online Non-Owner Mailbox Access Events report. See the Filters topic for additional information.

note

To start auditing the data for the report, you need to select the Collect non-owner mailbox audit data checkbox when adding the Exchange Online source. See the Add a Source and Connectors for Exchange Online topic for additional information.

note

The unified audit log must be enabled for the tenant. See the Microsoft Turn auditing on or off article for additional information.

Grant Permissions to the Application

To grant permissions to the Microsoft Entra ID application:

note

The following steps are for registering an app through the Microsoft Entra admin center. These steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft documentation for additional information.

Step 1 – Go to the Microsoft Entra admin center and create and register a Microsoft Entra ID app. See the

Step 2 – After you have created the app, select the newly registered application. If you left the Overview page, it is listed under Identity > Applications > App registrations > All applications.

Step 3 – On the registered app blade, click API permissions in the Manage section.

Step 4 – In the top toolbar, click Add a permission.

Step 5 – On the Request API permissions blade, click the APIs your organization uses tab and search for Office 365 Exchange Online.

Step 6 – Click the Office 365 Exchange Online entry in the list of apps found.

Step 7 – Proceed with adding the permissions for this app: select Application permissions and then select Exchange.ManageAsApp.

Step 8 – Click Grant Admin Consent for <tenant>. Then click Yes in the confirmation window.

The application is granted the required API permissions.

Grant Required Roles

To grant roles to the registered application:

note

The following steps are for registering an app through the Microsoft Entra admin center. These steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft documentation for additional information.

Step 1 – Go to Identity > Roles & admins > Roles & admins.

Step 2 – Search for the Exchange Administrator or the Global Administrator role.

Step 3 – On the Assignments page, click Add assignments.

Step 4 – In the Add assignments layout, select the created application and click Add.

The application is granted the required roles.

Set Up an Environment

To set up your environment using PowerShell:

Step 1 – Install the Exchange Online PowerShell V2 module.

Ensure you are using the version specified in the related Microsoft article.

Step 2 – Download the PowerShell script for certificate creation, as provided in the Microsoft instructions.

Step 3 – To create a self-signed certificate for the app to use, run the following command in PowerShell:

.\Create-SelfSignedCertificate.ps1 -CommonName "MyCompanyName" -StartDate 2020-04-01 -EndDate 2022-04-01

where:

  • CommonName — specify "Netwrix 1Secure"
  • StartDate — set to current date
  • EndDate — set to 2 years from now

Step 4 – When prompted to specify a password, press Enter.

Step 5 – Go to Identity > Applications > App registrations > "your app" > Certificates & secrets.

Step 6 – Click Upload certificate and upload the .crt file you have just created.

Step 7 – To create an Exchange Online connection session, you can provide either the certificate file path or the certificate thumbprint. If you want to use a file path, run the following command in PowerShell:

Connect-ExchangeOnline -CertificateFilePath "full_path_to_certificate" -AppId "yourAppId" -Organization "Office365_tenant_name"

The Application (client) ID can be found on the app's Overview page.

For example:

Connect-ExchangeOnline -CertificateFilePath "C:\Path\MyCompanyName1.pfx" -AppId "402b12a2-fb2b-4222-8f54-5596def1" -Organization "myorganization123.onmicrosoft.com"

You can use the certificate thumbprint instead of the file path. To do so, first import the certificate into the local certificate store by running the following command in PowerShell:

Import-PfxCertificate -FilePath "path_to_pfx_certificate" -CertStoreLocation Cert:\CurrentUser\My

Then run the connection command in PowerShell as follows:

Connect-ExchangeOnline -CertificateThumbprint 6AEA5A82911AAA3F76FEE149B7B52A70DDFD88 -AppId a14a822d-f228-412b-9222-281de23 -Organization myorganization123.onmicrosoft.com

Step 8 – To enable mailbox auditing with the required admin and delegate actions, run the following command in PowerShell:

Get-ExoMailbox -PropertySets Minimum -RecipientTypeDetails UserMailbox,SharedMailbox,EquipmentMailbox,LinkedMailbox,RoomMailbox | Set-Mailbox -AuditEnabled $true -AuditAdmin Update,Copy,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create

Step 9 – Run the following command in PowerShell to end the session:

Disconnect-ExchangeOnline -Confirm:$false

note

To automate steps 8-9, you can create a script that contains the corresponding commands and schedule it to run.
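The following script is an added example of such a scheduled script and is not part of the original page or the Netwrix product. It performs steps 7-9 using the thumbprint form of the connection, checks the unified audit log prerequisite from the note above, and verifies afterwards that every in-scope mailbox actually has auditing enabled. The thumbprint, app ID and tenant name are placeholders that you replace with your own values.

```powershell
# Added example, not from the original page. Replace the three placeholder
# values below with your own certificate thumbprint, app (client) ID and tenant.
param(
    [string]$CertificateThumbprint = "REPLACE_WITH_CERTIFICATE_THUMBPRINT",
    [string]$AppId                 = "REPLACE_WITH_APP_CLIENT_ID",
    [string]$Organization          = "REPLACE_WITH_TENANT.onmicrosoft.com"
)

$ErrorActionPreference = 'Stop'

# Action sets from step 8 of the procedure
$adminActions    = 'Update','Copy','Move','MoveToDeletedItems','SoftDelete','HardDelete','FolderBind','SendAs','SendOnBehalf','Create'
$delegateActions = 'Update','Move','MoveToDeletedItems','SoftDelete','HardDelete','FolderBind','SendAs','SendOnBehalf','Create'
$mailboxTypes    = 'UserMailbox','SharedMailbox','EquipmentMailbox','LinkedMailbox','RoomMailbox'

try {
    # Step 7: app-only connection using the certificate imported into Cert:\CurrentUser\My
    Connect-ExchangeOnline -CertificateThumbprint $CertificateThumbprint -AppId $AppId -Organization $Organization -ShowBanner:$false

    # Prerequisite from the note above: without the unified audit log, no events are recorded
    $auditConfig = Get-AdminAuditLogConfig
    if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
        Write-Warning "Unified audit logging is not enabled for this tenant; non-owner mailbox access events will not be collected."
    }

    # Step 8: enable mailbox auditing on all in-scope mailbox types
    Get-EXOMailbox -PropertySets Minimum -RecipientTypeDetails $mailboxTypes -ResultSize Unlimited |
        Set-Mailbox -AuditEnabled $true -AuditAdmin $adminActions -AuditDelegate $delegateActions

    # Verification: list any mailbox that still reports AuditEnabled = False
    $notAudited = Get-EXOMailbox -PropertySets Minimum,Audit -RecipientTypeDetails $mailboxTypes -ResultSize Unlimited |
        Where-Object { -not $_.AuditEnabled }
    if ($notAudited) {
        Write-Warning ("{0} mailbox(es) still have auditing disabled: {1}" -f @($notAudited).Count, (@($notAudited).PrimarySmtpAddress -join ', '))
    } else {
        Write-Output "Mailbox auditing is enabled on all in-scope mailboxes."
    }
}
finally {
    # Step 9: always close the session, even if an earlier step failed
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it under the same account that imported the certificate, since the thumbprint is looked up in that user's certificate store.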