If you have Office 365 E5 licenses, your mailboxes generate MailItemsAccessed events. These events are stored in the Office 365 audit log and can be used for investigating potentially compromised mailboxes. Useful information is in the audit events, but some processing is needed to extract the full benefit. Here's how to do it with PowerShell.
Last Update: Aug 22, 2023
Last Update: Aug 22, 2023
Many Office 365 applications now create Azure Active Directory guest accounts. What’s the best way to discover if the accounts are active and in use? This PowerShell script uses the Office 365 audit log and message trace data to figure out what guest accounts are active and outputs a CSV file for your review and analysis. Like any other PowerShell script, it can be adapted to suit your purposes.
Last Update: Apr 15, 2022
The new Request Files feature in OneDrive for Business is great for users but comes with no admin controls. You can block the feature completely with a kludge and use Office 365 audit records to know when people are requesting files. However, Microsoft could make the feature so much better by extending some existing controls to make requesting files work better and more securely.
Activity Explorer Highlights Label Activities In June 2020, I covered Microsoft’s “Know Your Data” initiative, essentially the introduction of a bunch of new features in the Data classification section of the Microsoft 365 compliance center. Requiring Office 365 E5 or Microsoft 365 E5 (or E5 compliance) licenses, Microsoft targets this functionality at large enterprises who…
Microsoft Graph and Audit Log Too Important to Lose Thinking about the fuss and bother which erupted over Microsoft Productivity Score, I concluded that the people concerned about management oversight of user activity within Microsoft 365 had very little knowledge about the topic. They looked at the pretty graphs and tables of user data and…
Office 365 applications now create many guest accounts in Azure Active Directory. You can see what accounts exist, but it’s more difficult to discover who created the accounts – or why they were created. Fortunately, the Office 365 audit log holds a lot of useful data that can be interrogated to find some answers and PowerShell is a great tool for slicing and dicing audit data. See what you think of the answers I’ve come up with.
The news that Microsoft will make mailbox auditing the default in Exchange Online is very welcome, as is the new mechanism they plan to use. Microsoft won’t get the new feature rolled out across Office 365 until the end of 2018, so there’s still a gap to fill to make sure that audit records are gathered for mailbox activity.
Some interesting announcements during the last week informed us about Yammer getting better at compliance and a new Office 365 connector. I’m not so hot on the bots, though. In other news, MyAnalytics has an unexplained love for Internet Explorer and the topic of password trimming and the Office 365 maximum password length caused some confusion – at least for one administrator! And some news about an interesting Exchange 20th anniversary video and a VDI collaboration project between VMware and Microsoft for Skype for Business rounds out the week.
There’s lots to hear and learn about with regard to Office 365 at the Microsoft Ignite conference in Atlanta this week. All of the product groups are putting their best face forward to impress and amaze customers with what has happened or what will happen inside the service. Here’s some of what I have been hearing.
Office 365 Connectors allow data drawn from multiple internet sources like Twitter to be imported into Office 365. This article explains why imported tweets result in multiple SendAs events logged in the Office 365 Audit log.