Export Non-owner Mailbox Access Report to CSV

Since mailboxes hold sensitive data, granting access permissions to multiple users increases the risk of a security breach. You can use the audit log to detect and prevent such exposures: it records who has accessed a mailbox and which actions they performed.

In some organizations/tenants, mailbox auditing is not enabled by default, so you need to enable it first; otherwise you will end up with empty audit records.

Note: The default audited actions are sufficient for most organizations. If you determine they aren't, you need to configure them manually. You can use a PowerShell script to enable mailbox auditing for all mailbox actions.

 

How to Detect Who Accessed Another User’s Mailbox? 

The Office 365 non-owner mailbox access report lists the mailboxes that have been accessed by someone who is not the owner of the mailbox. To see who holds permissions on other users' mailboxes, use a non-owner mailbox permission report.

You can use the Exchange Admin Center (EAC) to run a non-owner mailbox access report, but you can't export it, and you need to click each mailbox to view its non-owner access. This is where PowerShell comes into play. But getting all the audit logs and analyzing them is a difficult task. Don't worry! Let me help you!

I have created a PowerShell script to export the Office 365 non-owner mailbox report to CSV.

 

Export Non-Owner Mailbox Access Report Using PowerShell: 

The non-owner access report shows the actions performed by administrators and delegates. The report provides the following information:

  1. List of mailboxes accessed by non-owners
  2. Who accessed the mailbox and when
  3. Actions performed by the non-owner
  4. Whether each action succeeded or failed

 

You can download the script from the TechNet gallery.

 

Script Highlights: 

  • Allows you to filter out external users' access.
  • The script can be executed with an MFA-enabled account too.
  • Exports the report to CSV.
  • This script is scheduler friendly, i.e., credentials can be passed as a parameter instead of being saved inside the script.
  • You can narrow down the audit search to a specific date range.

 

Sample Output – Office 365 Non-Owner Mailbox Access Report: 

The exported report contains the following attributes: Access Time, Logon Type, Accessed by (Non-owner), Performed Operation, Accessed Mailbox (Delegated Mailbox), Result and External Access.

Non-owner mailbox access report

 

Script Execution: 

The script can be executed with both MFA-enabled and non-MFA accounts. Choose one of the methods below based on the account type.

Export Non-Owner Mailbox Access Report: 

For non-MFA accounts, run the script as follows. 

By default, the script excludes external user access, i.e., system-generated events.

 

Export Non-Owner Mailbox Access Report with MFA: 

To audit non-owner mailbox access with an MFA-enabled account, execute the script with the -MFA switch.

To learn more about connecting to Exchange Online PowerShell with MFA, refer to our blog: Connect to Exchange Online PowerShell with MFA.

 

More Use-cases of ‘Non-Owner Mailbox Access Report’ Script: 

Audit Non-Owner Mailbox Access Report for Past 90 Days: 

By default, the script audits non-owner mailbox access for the past 90 days. To export the Office 365 non-owner mailbox auditing report for the last 90 days, run the script as follows.

 

Export Non-Owner Mailbox Access Report within a Given Interval: 

To export the Office 365 delegate access report for a specific period, execute the script with the -StartDate and -EndDate parameters.

The dates should be formatted as MM/DD/YY. The above command exports non-owner mailbox access from Jan 15, 2020, to Jan 30, 2020.

 

Audit Mailbox Access by Delegates and Admins: 

In general, non-owner mailbox access includes administrators, delegates, and external users. In Exchange Online, "external users" refers to access by Microsoft datacenter administrators.

To export mailbox access by delegates and admins (excluding external users), run the script as follows.

 

Export Non-Owner Mailbox Activity Report including External Access: 

You can export all non-owner access performed by admins and delegated users inside the organization, together with access by external users (Microsoft datacenter administrators in Exchange Online).

To audit non-owner mailbox access including external users' activity, run the script with the IncludeExternalAccess parameter set to $True.
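The examples above (date range, MFA versus credential sign-in, and the external-access filter) all come down to one query. The following PowerShell is an added example, not the script the post distributes: it pages Search-UnifiedAuditLog over the requested window, drops owner access and (by default) datacenter access, and writes the same columns as the sample output. It assumes the ExchangeOnlineManagement module is installed; the UPN and output path are placeholders.

```powershell
# Added example (not the script the post distributes): export non-owner mailbox
# access from the unified audit log to CSV. Assumes the ExchangeOnlineManagement
# module (Connect-ExchangeOnline) is installed; the default UPN is a placeholder.
param(
    [DateTime]$StartDate = (Get-Date).AddDays(-90),
    [DateTime]$EndDate   = (Get-Date),
    [switch]$IncludeExternalAccess,
    [pscredential]$Credential,                                       # non-MFA / scheduled runs
    [string]$UserPrincipalName = 'admin@contoso.onmicrosoft.com',    # placeholder, MFA runs
    [string]$OutputCsv = '.\NonOwnerMailboxAccess.csv'
)

# A credential object allows scheduler-friendly (non-MFA) runs; otherwise sign in interactively.
if ($Credential) { Connect-ExchangeOnline -Credential $Credential -ShowBanner:$false }
else             { Connect-ExchangeOnline -UserPrincipalName $UserPrincipalName -ShowBanner:$false }

$sessionId      = [guid]::NewGuid().ToString()
$logonTypeNames = @{ 0 = 'Owner'; 1 = 'Admin'; 2 = 'Delegate' }
$rows           = New-Object System.Collections.Generic.List[object]

do {
    # ReturnLargeSet pages through the results 5000 at a time under one session id.
    $batch = @(Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -RecordType ExchangeItem -SessionId $sessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000)
    foreach ($entry in $batch) {
        $data = $entry.AuditData | ConvertFrom-Json
        # LogonType 0 is the mailbox owner; keep only admin and delegate access.
        if ([int]$data.LogonType -eq 0) { continue }
        # Datacenter (external) access is excluded unless explicitly requested.
        if ($data.ExternalAccess -and -not $IncludeExternalAccess) { continue }
        $rows.Add([pscustomobject]@{
            'Access Time'         = $data.CreationTime
            'Logon Type'          = $logonTypeNames[[int]$data.LogonType]
            'Accessed by'         = $data.UserId
            'Performed Operation' = $data.Operation
            'Accessed Mailbox'    = $data.MailboxOwnerUPN
            'Result'              = $data.ResultStatus
            'External Access'     = $data.ExternalAccess
        })
    }
} while ($batch.Count -gt 0)

$rows | Export-Csv -Path $OutputCsv -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```

Run it as `.\NonOwnerMailboxAccess.ps1 -StartDate 01/15/20 -EndDate 01/30/20 -IncludeExternalAccess` to reproduce the date-range and external-access cases above.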

 

Schedule Non-Owner Mailbox Activity Report: 

Since Search-UnifiedAuditLog holds only the past 90 days of data, you may need older audit logs for analysis. In that case, scheduling the report helps you keep audit data for more than 90 days.

You can schedule the non-owner mailbox action report in Task Scheduler. If you schedule the script to run once every 90 days, you can audit non-owner mailbox access at any time you want, and you can store years of audit logs for further analysis.

You can use Task Scheduler to run the PowerShell script. 
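To pin the export to the 90-day retention window described above, this added example (not from the post) registers a Windows scheduled task with the ScheduledTasks module. The script path and task name are placeholders, and the script is assumed to handle its own sign-in (for example via a stored credential parameter).

```powershell
# Added example (not from the post): run the report script every 90 days so the
# exported CSVs retain audit data beyond the unified audit log's 90-day window.
$scriptPath = 'C:\Scripts\NonOwnerMailboxAccess.ps1'   # placeholder path

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""

# -DaysInterval 90 fires the task once every 90 days, matching the log retention window.
$trigger = New-ScheduledTaskTrigger -Daily -DaysInterval 90 -At 2am

Register-ScheduledTask -TaskName 'Export-NonOwnerMailboxAccess' `
    -Action $action -Trigger $trigger `
    -Description 'Exports the Office 365 non-owner mailbox access report to CSV'
```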

 

I hope this blog helps you detect who accessed another user's mailbox and identify accidental or malicious operations performed by non-owners. This report will also help you with compliance and litigation requirements.