Enhancing your Auditing for Office 365

Quest Software released Change Auditor 6.9, which allows you to audit changes in both Azure Active Directory and Office 365. There is a lot of auditing you can do with native tools, but you should be aware of some of their limitations.

PowerShell

Setting up auditing for many of the operations in Office 365 requires PowerShell. As an example, let’s say you want to audit non-owner mailbox activity across all users in your organization. This could be scripted; however, your environment may add new users every day, and you would need to execute the script against every mailbox you want audited. With Quest Change Auditor, you set up the auditing one time, and as more mailboxes are added, Change Auditor will automatically start auditing the non-owner mailbox activity for those mailboxes for you (NO PowerShell expertise required).
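For the native route described above, the following is an added example, not code from the original post or from Quest. It assumes an Exchange Online PowerShell session is already connected, and the function name Enable-NonOwnerMailboxAudit and the chosen action list are illustrative assumptions.

```powershell
# Added example: idempotent enablement of non-owner (delegate and admin) mailbox
# auditing. Assumes Get-Mailbox / Set-Mailbox are available in the current session.
# Enable-NonOwnerMailboxAudit is a hypothetical helper name.
function Enable-NonOwnerMailboxAudit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Actions to log when someone other than the owner touches the mailbox.
        [string[]]$Actions = @('Create', 'Update', 'Move', 'MoveToDeletedItems',
                               'SoftDelete', 'HardDelete', 'SendAs', 'SendOnBehalf')
    )

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        # Actions from the wanted list that are not yet logged for delegates or admins.
        $missing = @($Actions | Where-Object {
            ($mbx.AuditDelegate -notcontains $_) -or ($mbx.AuditAdmin -notcontains $_)
        })
        if ($mbx.AuditEnabled -and $missing.Count -eq 0) { continue }   # already covered

        # Keep whatever is configured already and add the wanted actions on top.
        $delegate = @(@($mbx.AuditDelegate) + $Actions | Select-Object -Unique)
        $admin    = @(@($mbx.AuditAdmin) + $Actions | Select-Object -Unique)

        if ($PSCmdlet.ShouldProcess($mbx.UserPrincipalName, 'Enable non-owner mailbox auditing')) {
            Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
                        -AuditDelegate $delegate -AuditAdmin $admin
        }

        # One record per mailbox that needed a change, for the change log.
        [pscustomobject]@{
            Mailbox        = $mbx.UserPrincipalName
            WasEnabled     = $mbx.AuditEnabled
            MissingActions = $missing -join ','
        }
    }
}

# Dry run first, then apply. Re-run the second form on a schedule so that
# mailboxes created since the last run are picked up.
Enable-NonOwnerMailboxAudit -WhatIf
Enable-NonOwnerMailboxAudit | Export-Csv .\mailbox-audit-changes.csv -NoTypeInformation
```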

Correlation

Typically, when a request is made to identify what someone has done (or what has been done to an account), the person originating the request doesn’t care whether the change was made on premises or in the cloud. With Quest Change Auditor you can specify a person and retrieve all changes made both on premises and in the cloud.

 

Figure 1 - Here I can see all the changes the BPatton account has made both on premises and in the cloud. This example shows a change made on an object in Office 365 to add permission to another user’s mailbox.

 

Audit History

To view audit data natively, you can go to login.microsoftonline.com and, if you have the appropriate rights, log in and look under the “Search & investigation” section. This data is retrievable for 90 days. If you want to see who changed mailbox permissions outside of that window, you will be unable to get that information. Also, there is no easy way to report on a specific mailbox and show the changes to that object if you are doing an investigation.

 

Figure 2 - This is how you can retrieve audit data from Office 365 natively. You can search on a user that has made a change, but you cannot easily report on a specific mailbox to identify which users made a change to it; you would have to manually parse through the logs.

Figure 3 - I can select the mailbox in the search criteria.

Figure 4 - I sorted Change Auditor to show the user that made a change and the changes they have made.

 

With Change Auditor you can store all the data you have collected and determine your own retention period. I’d recommend using Change Auditor immediately when going to Office 365 so you can maintain the complete audit history of what changes have been made and by whom while your environment is still in pristine condition.

If you would like more information on how to collect some of this data natively, feel free to check out this archived training from Randy Franklin Smith (https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=1399). In it I also show how to do some of the items just discussed with Quest Change Auditor.

About the Author
Bryan Patton is a Principal Strategic Systems Consultant with technical knowledge in the entire Quest portfolio. He started at Quest in January of 2002.