What that BOXServiceAccount Does in Office 365

What is the BOXServiceAccount and what is it doing?

Office 365 Audit Records Reveal Interesting Events

Over the last few days, I’ve noticed records being generated in the Office 365 audit log for an account called BOXServiceAccount. You can see an example above. The audit records are matched by alert policies (managed through the Security and Compliance Center) that cause email to be sent to my account when events that might need investigation occur. In this case, a use of Exchange Online administrative permission by an account.

An activity alert flagged by Office 365

A quick internet search turned up this Microsoft support article, which throws some light on the subject. Although the wording is odd (for example, “BOXServiceAccount is added to a role” is more likely “BOXServiceAccount is used to add an account to a role.”), the intent is clear. BOXServiceAccount is a system account used behind the scenes to carry out tasks within Office 365. A discussion in the Microsoft Technical Community from April 2018 and another in the Microsoft Answers forum from June 2017 provided some extra insight. Clearly, I haven’t been paying attention.

In this case, it seems like BOXServiceAccount comes into play when an administrator assigns another user one of the custom administrative roles through the Office 365 Admin Center. I assume the reason why a system account is used in this manner is that the administrator who assigns someone a role might not have the permission to add that account to the Azure Active Directory role groups which underpin the administrative roles.

Azure Active Directory Role Groups

To see the role groups defined in your tenant, run the Get-AzureADDirectoryRole cmdlet (from the Azure AD PowerShell V2 module).

The Lync Service Administrator listed is just an old display name. It equates to what you see as the Skype for Business Online Administrator when viewed through the Office 365 Admin Center. To see the current accounts assigned a role, run the Get-AzureADDirectoryRoleMember cmdlet and pass the object identifier of the role you want to examine.

No Mystery – Move Along Please

So, apart from its odd name, there’s no mystery about BOXServiceAccount. It’s just one of the system accounts used by Office 365 to get work done. There’s nothing wrong with using accounts like this because system accounts have been used for years for different purposes, such as updating your Exchange Online configuration to match standards set by Office 365.

But what’s wrong is that Microsoft has never communicated the reason why BOXServiceAccount exists and how it is used. A note in the Message Center in the Office 365 Admin Center wouldn’t have gone amiss, well before administrators began to see the interesting audit events turn up in their Office 365 audit log. Maybe I missed that too.

For more information about custom Administrative roles, see Chapter 4 of the Office 365 for IT Pros eBook. And of course, you can have a great time reviewing the many interesting facts to be found in the Office 365 audit log in Chapter 21. And activity alerts and alert policies are covered in Chapter 21 too, just in case you don’t feel like browsing the audit log daily.

2 Replies to “What that BOXServiceAccount Does in Office 365”

  1. In our case, one of our users was added to the Sharepoint Administrator role and then this alert popped up and see that same user also got automatically added to the View-Only Organization Management Role in Exchange. What is not clear is whether the user will get automatically removed from the Exchange role when the sharepoint role is removed.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.