Capturing User Access to Exchange Messages
In an Office 365 update (MC171679 ) posted on January 4, Microsoft announced that a new “MailItemsAccessed” audit action will join the set of actions that can be captured in mailbox audit events. The new action will capture details of when a message in a mailbox is opened by the mailbox owner, delegate (someone with read access to the mailbox), or using administrative access. According to Microsoft, the data gathered gives
“comprehensive forensic coverage of mailbox accesses.” This is an important change for anyone who needs to investigate what happened if a mailbox is penetrated by an attacker or a delegate takes unauthorized action inside a mailbox.
Exchange will update the default mailbox audit configuration in February 2019 and begin to record mail accessed events. Initially, these events will be captured in the Exchange mailbox audit log and will not be ingested with the other Exchange mailbox audit events into the Office 365 audit log. To search for the new events, you’ll have to run the Search-MailboxAuditLog cmdlet.
Microsoft will eventually upgrade the ingestion process to bring the new audit data into the Office 365 audit log. There’s no word when this might happen.
More Comprehensive Capture of Audit Data by Exchange
As you might expect, the MailItemsAccessed action replaces the MessageBind action, which today records when a message is viewed by being opened by the user or in the preview pane. The new action captures a more comprehensive range of accesses to mailbox items, including items synchronized to mobile devices, so it gives more information to investigators who need to understand what happened inside a mailbox should an incident occur. However, for backwards compatibility, the MessageBind action is not being removed from mailbox audit configurations and can be left in place.
No Need to Update Default Configurations
If your tenant uses default Exchange mailbox audit configurations, you don’t need to do anything as Microsoft will update the audit settings for owner, delegate, and administrative access. However, if you manage customized audit settings for mailboxes, you need to run the Set-Mailbox cmdlet to update the audit configurations if you want to include the capture of MailItemsAccessed actions.
Note (January 23, 2019): Microsoft has completed the deprecation of the MessageBind audit action. You can no longer assign this action to the AuditDelegate or AuditAdmin settings for an Exchange Online mailbox.
For more information about Exchange Online mailbox auditing or the Office 365 audit log, read the comprehensive coverage in Chapter 21 of the Office 365 for IT Pros ebook.
Can you provide some guidance on how to deal with the “deprecated” error in existing scripts? Our script contains this line:
Get-Mailbox xxx | Set-Mailbox -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update
How should this be updated to use the current cmdlet?
Just replace any reference to MessageBind with MailItemsAccessed. For example:
Set-Mailbox -Identity xxxx -AuditAdmin Copy,Create,FolderBind,HardDelete,MailItemsAccessed,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update, MailItemsAccessed -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update
I over-complicated that, didn’t I?!?
Get errors when using MailItemsAccessed:
Auditing of MailItemsAccessed operation type is not supported.
Possibility hasn’t reached your tenant yet. Be patient!