A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Auditing and Reporting for Office 365

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

@enowconsulting

Find us!

ENow Software

ENowSoftware

ENowSoftware.com

Some of ENow’s Loyal Customers

• Microsoft Silver ISV & Messaging Microsoft Partner

• Focused on building software solutions that simplify the life of IT administrators

• Software architected by MVPs with >15 years experience in high-end Microsoft

consulting and management

• Customers in over 60 countries ENow Software

About ENow

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

About the speaker – Nathan O’Bryan

MVP: Office Servers and ServicesMCSM: Messaging

Consultant @ SPShttp://www.spscom.com

@MCSMLabhttp://www.mcsmlab.com

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Introduction• Auditing and reporting is important to any organization• Office 365 is a collection of different resources, all developed

separately• Microsoft is working toward a unified auditing and reporting system,

but they are not there yet

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Auditing and Reporting• In Office 365, auditing and reporting is broken into two groups

• Exchange• Everything else

• “Everything else” is far behind Exchange for auditing and reporting features• All auditing and reporting in Office 365 requires Exchange in your tenant• Microsoft is working on bringing “everything else” up to the auditing

and reporting standards of Exchange

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Mailbox Auditing• Mailbox auditing is about figuring out who did what and when they

did it• First introduced in Exchange 2007 SP2• 3 types of mailbox auditing• Owner• Delegates• Administrator

• Mailbox auditing is not on by default

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Demo 1 – Enable Mailbox Auditing • Verify mailbox auditing is on for a mailbox• Verify mailbox auditing is on for multiple mailboxes• Turn mailbox auditing on• Verify what actions are being audited

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Mailbox actions loggedAction Description Admin Delegate Owner Copy An item is copied to another folder. Yes No No

Create An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that message or folder creation isn't audited. Yes* Yes* Yes

FolderBind A mailbox folder is accessed. Yes* Yes No

HardDelete An item is deleted permanently from the Recoverable Items folder. Yes* Yes* Yes

MailboxLogin The user signed in to their mailbox. No No Yes

MessageBind An item is accessed in the reading pane or opened. Yes No No

Move An item is moved to another folder. Yes* Yes Yes

MoveToDeletedItems An item is moved to the Deleted Items folder. Yes* Yes Yes

SendAs A message is sent using Send As permissions. Yes* Yes* No

SendOnBehalf A message is sent using Send on Behalf permissions. Yes* Yes No

SoftDelete An item is deleted from the Deleted Items folder. Yes* Yes* Yes

Update An item's properties are updated. Yes* Yes* Yes

* Audited by default if auditing is enabled for a mailbox.

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Demo 2 – Configuring Mailbox Auditing• Set what actions are audited• Set audit log age limit• Determine size of mailbox audit log• Delete mailbox audit log entries

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Demo 3 – Searching Mailbox Audit Log• Search mailbox audit log• Search for limited results• Search for specific actions on specific dates• Start mailbox audit log report• Search for external access• Show running audit log searches

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Auditing across Office 365 applications• Recently Microsoft has added more auditing and reporting around SharePoint

Online and OneDrive• Office 365 compliance center• Search-UnifiedAuditLog

• AzureActiveDirectory• AzureActiveDirectoryAccountLogon• ExchangeAdmin• ExchangeItem• ExchangeItemGroup• SharePoint• SharePointFileOperation

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Audit Storage Architecture

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Demo 4 – Search Unified Audit Log• Search unified audit log• Convert audit data from JSON format• Search for SharePoint file operations• Search for Azure AD operations• Search for Azure AD account login operations

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Reporting web serviceOffice 365 Reporting web servicereference page

Office 365 reporting-relatedWindows PowerShell cmdlets

CsActiveUser* reports Get-CsAVConferenceTimeReport

CsAVConferenceTime* reports Get-CsActiveUserReport

CsConference* reports Get-CsConferenceReport

CsP2PAVTime* reports Get-CsP2PAVTimeReport

CsP2PSession* reports Get-CsP2PSessionReport

ConnectionbyClientType* reports Get-ConnectionByClientTypeReport

ConnectionbyClientTypeDetail* reports Get-ConnectionByClientTypeDetailReport

GroupActivity* reports Get-GroupActivityReport

MailboxActivity* reports Get-MailboxActivityReport

MailboxUsage report Get-MailboxUsageReport

MailboxUsageDetail report Get-MailboxUsageDetailReport

MailDetail report Get-MailDetailReport

MailDetailDlpPolicy report Get-MailDetailDlpPolicyReport

MailDetailMalware report Get-MailDetailMalwareReport

MailDetailSpam report Get-MailDetailSpamReport

MailDetailTransportRule report Get-MailDetailTransportRuleReport

MailFilterList report Get-MailFilterListReport

MailTraffic report Get-MailTrafficReport

MailTrafficPolicy report Get-MailTrafficPolicyReport

MailTrafficSummary reports Get-MailTrafficSummaryReport

MailTrafficTop report Get-MailTrafficTopReport

MessageTrace report Get-MessageTrace

MessageTraceDetail report Get-MessageTraceDetail

MxRecordReport report Get-MxRecordReport

OutboundConnectorReport report Get-OutboundConnectorReport

ServiceDeliveryReport report Get-ServiceDeliveryReport

StaleMailbox report Get-StaleMailboxReport

StaleMailboxDetail report Get-StaleMailboxDetailReport

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Demo 5 – Reporting Web Service• Mx record report• Outbound connector report• Mail traffic summary report• Stale mailbox detail report• Connection by client type report• Av conference time report

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Security & Compliance Center• Intended to be single portal for all Security & Compliance

administration needs• Work in progress

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Demo 6 – Security & Compliance Center• Separate PowerShell connection• Available commands• Reports• Compliance Search

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Accessing GUI Mailbox Audit Reports• EAC > Compliance Management > Auditing• Office 365 Compliance Center

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Demo 7 – Office 365 GUI reports

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Summary• PowerShell is the best native way to get information out of Office 365

auditing and reporting• Office 365 canned reports are not currently very flexible• PowerShell reports may not be acceptable for management

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Q&A

A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

Thank Youwww.enowsoftware.com