ASD's Blueprint for Secure Cloud

Mailbox Auditing

This section describes the design decisions associated with Exchange Online for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 3 minutes

Mailbox Auditing provides visibility into the access and modification of user mailboxes by owners, delegates, and administrators. Once enabled on a user’s mailbox, activities subject to audit appear within the Office 365 audit log. This information is then available for security teams to analyse. It is recommended that this audit log be exported to a centralised logging service.

Once enabled on a user’s mailbox, the activities subject to audit appear within the Office 365 audit log. This information is then available for security to review and run analysis. It is recommended that this audit log be exported to a centralised logging service. The Microsoft Purview Audit (Premium) service requires the “Microsoft 365 Advanced Auditing” license allocated to each user in the tenant.

Security Operations teams may have a requirement that all Exchange Online (EXO) mailboxes be audited and additionally have the ability to capture, store and audit all emails sent internally within the environment and additionally in and out of the organisations email environment.

Cloud native deployments

Within cloud native deployments, the option to capture all emails for Security Operations is limited as Exchange Online mailboxes cannot be used as a journaling mailbox. To meet possible organisation security team requirements, an alternative option is use of Exchange Online Transport Rules and a shared Exchange Online mailbox. The Transport Rules will copy all internal, inbound, and outbound emails to the shared mailbox, which is restricted to members of an Entra ID Security Group.

Hybrid deployments

Journaling within hybrid deployments is accomplished using Exchange Journaling. See (/design/shared-services/exchange-online/journaling.md).

Mailbox Auditing configuration

ConfigurationValueDescription
User Mailbox and Shared Mailbox Audit Configuration
Admin Audited ActionsApplyRecord
Copy
Create
FolderBind
HardDelete
MessageBind
Move
MoveToDeletedItems
RecordDelete
SendAs
SendOnBehalf
SoftDelete
Update
UpdateCalendarDelegation
UpdateFolderPermissions
UpdateInboxRules
All available audit actions will be selected in order to provide the required visibility of changes made to a mailbox.
Delegate Audited ActionsApplyRecord
Create
FolderBind
HardDelete
Move
MoveToDeletedItems
RecordDelete
SendAs
SendOnBehalf
SoftDelete
Update
UpdateFolderPermissions
UpdateInboxRules
All available audit actions will be selected in order to provide the required visibility of changes made to a mailbox.
Owner Audited ActionsApplyRecord
Create
HardDelete
MailboxLogin
Move
MoveToDeletedItems
RecordDelete
SoftDelete
Update
UpdateCalendarDelegation
UpdateFolderPermissions
UpdateInboxRules
All available audit actions will be selected in order to provide the required visibility of changes made to a mailbox.
Office 365 Group Mailbox Audit Configuration
Admin Audited ActionsCreate
HardDelete
MoveToDeletedItems
SendAs
SendOnBehalf
SoftDelete
Update
All available audit actions will be selected in order to provide the required visibility of changes made to a mailbox.
Delegate Audited ActionsCreate
HardDelete
MoveToDeletedItems
SendAs
SendOnBehalf
SoftDelete
Update
All available audit actions will be selected in order to provide the required visibility of changes made to a mailbox.
Owner Audited ActionsHardDelete
MoveToDeletedItems
SoftDelete
Update
All available audit actions will be selected in order to provide the required visibility of changes made to a mailbox.

Security & Governance

  • None identified

Design

  • None identified

References

  • None identified

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra