Settings for non-owner mailbox access audit: automatic configuration

To prepare for non-owner mailbox access auditing in the Exchange Online organization, you will need to take several configuration steps, creating an Azure AD app with the required permissions and instructing this app to automatically apply the necessary audit settings.

Do the following:

  1. Install the Exchange Online PowerShell V2 module.
  2. IMPORTANT! Make sure you are using the version specified in the related Microsoft article.

  3. In the Azure AD admin center, create and register an Azure AD app, as described in the related section of this Microsoft article.
  4. At the top of the Request API permissions pane, click the APIs my organization uses tab and search for Office 365 Exchange Online.

  5. Click on the Office 365 Exchange Online entry in the list of apps found.

  6. Proceed with adding the permissions for this app: select Application permissions and then select Exchange.ManageAsApp.
  7. Grant admin consent to the tenant (that is, for the Office 365 organization whose audit data will be collected by the newly registered app). Go to the new app settings > API permissions and click Grant admin consent for <tenant name>. When prompted to confirm granting, click Yes.
  8. Go to Azure Active Directory > Roles and administrators and assign the Exchange Administrator role to the new app.

  9. Download the PowerShell script for certificate creation, as provided in the Microsoft instruction.

  10. To create a self-signed certificate to be used by the app, run the following command: .\Create-SelfSignedCertificate.ps1 -CommonName "MyCompanyName" -StartDate 2020-04-01 -EndDate 2022-04-01

    where:

    CommonName — specify "Netwrix Auditor"

    StartDate — set to current date

    EndDate — set to 2 years from now

    When prompted to specify a password, press Enter.

  11. Go to Manage > Certificates & secrets, click Upload certificate and upload the .crt file you have just created.

  12. To create an Exchange Online connection session, you can provide either the certificate file path or its thumbprint. If you want to use a file path, run the following command:
    Connect-ExchangeOnline -CertificateFilePath "full_path_to_certificate" -AppId "yourAppId" -Organization "Office365_tenant_name"

    The Application (client) ID can be found on the app's Overview page.

    For example:

    Connect-ExchangeOnline -CertificateFilePath "C:\Path\MyCompanyName1.pfx" -AppId "402b12a2-fb2b-4222-8f54-5596def1" -Organization "myorganization123.onmicrosoft.com"

    You can use the certificate thumbprint instead of the file path. To do so, import the certificate into the local certificate store using the following command:

    Import-PfxCertificate -FilePath "path_to_pfx_certificate" -CertStoreLocation Cert:\CurrentUser\My

    Then run a command like the following:
    Connect-ExchangeOnline -CertificateThumbprint 6AEA5A82911AAA3F76FEE149B7B52A70DDFD88 -AppId a14a822d-f228-412b-9222-281de23 -Organization myorganization123.onmicrosoft.com

  13. To set up the audit, run the following command:
    Get-ExoMailbox -PropertySets Minimum -RecipientTypeDetails UserMailbox,SharedMailbox,EquipmentMailbox,LinkedMailbox,RoomMailbox | Set-Mailbox -AuditEnabled $true -AuditAdmin Update,Copy,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create
  14. Finally, run the following command to end the session: Disconnect-ExchangeOnline -Confirm:$false

TIP: To automate steps 12-14, you can create a script comprising the corresponding commands and schedule its launch.
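The following script is an added example of such a scheduled script; it is not part of the original page and not Netwrix's own code. It connects with the certificate thumbprint (step 12), applies the audit settings from step 13, verifies that no mailbox of the selected types was left with auditing disabled, and always disconnects (step 14), even when an earlier command fails. The AppId, Organization and Thumbprint values are placeholders you must replace; the 30-day certificate expiry warning is an added check, since the certificate created in step 10 is valid for only two years and an expired one silently breaks the scheduled task.

```powershell
# Added example (not Netwrix's script): automates steps 12-14 and verifies the result.
# All three parameter defaults are placeholders; replace them with your tenant's values.
#Requires -Modules ExchangeOnlineManagement
param(
    [string]$AppId        = '00000000-0000-0000-0000-000000000000',    # placeholder: Application (client) ID from the app's Overview page
    [string]$Organization = 'contoso.onmicrosoft.com',                 # placeholder: Office 365 tenant name
    [string]$Thumbprint   = '0000000000000000000000000000000000000000'  # placeholder: thumbprint of the certificate imported in step 12
)

$ErrorActionPreference = 'Stop'

# The audit action sets from step 13, kept in one place so both parameters stay in sync.
$adminActions    = 'Update','Copy','Move','MoveToDeletedItems','SoftDelete','HardDelete','FolderBind','SendAs','SendOnBehalf','Create'
$delegateActions = 'Update','Move','MoveToDeletedItems','SoftDelete','HardDelete','FolderBind','SendAs','SendOnBehalf','Create'
$mailboxTypes    = 'UserMailbox','SharedMailbox','EquipmentMailbox','LinkedMailbox','RoomMailbox'

# Added check: warn 30 days before the app certificate expires, so the renewal (steps 10-11)
# happens before the scheduled task starts failing to authenticate.
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint"
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $Thumbprint expires on $($cert.NotAfter). Create a new one and upload it to the Azure AD app."
}

try {
    # Step 12: app-only connection with the certificate; no user credentials are stored with the task.
    Connect-ExchangeOnline -CertificateThumbprint $Thumbprint -AppId $AppId -Organization $Organization -ShowBanner:$false

    # Step 13: enable auditing with the admin and delegate action sets on every mailbox of the listed types.
    Get-ExoMailbox -PropertySets Minimum -RecipientTypeDetails $mailboxTypes -ResultSize Unlimited |
        Set-Mailbox -AuditEnabled $true -AuditAdmin $adminActions -AuditDelegate $delegateActions

    # Verification: report any mailbox of those types on which auditing is still disabled.
    $notAudited = Get-ExoMailbox -Properties AuditEnabled -RecipientTypeDetails $mailboxTypes -ResultSize Unlimited |
        Where-Object { -not $_.AuditEnabled }
    if ($notAudited) {
        Write-Warning "Auditing is still disabled on $(@($notAudited).Count) mailbox(es):"
        $notAudited | Select-Object DisplayName, PrimarySmtpAddress | Format-Table -AutoSize
    }
    else {
        Write-Output 'Auditing is enabled on all mailboxes of the selected types.'
    }
}
finally {
    # Step 14: always end the session, even if a command above failed.
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```

Run the script under the same Windows account that imported the .pfx in step 12, because the thumbprint lookup targets that account's Cert:\CurrentUser\My store; if the scheduled task runs as a different account, import the certificate for that account (or into the machine store and adjust the path) first.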