How to Detect Who Gave Full Access Permissions to Exchange Mailbox

Why It Is Important
Anyone who has been granted full access permissions to another user’s mailbox can delete or forward emails, change mailbox content and more. These actions can easily go unnoticed by either the mailbox owner or IT staff. Without ongoing tracking of changes in Exchange, full access permissions granted to another user’s mailbox without proper business justification can lead to a security breach. Proper auditing enables IT admins to determine who was granted full access rights to another user’s mailbox, helping them protect critical mailbox content and prevent the loss or leakage of sensitive data.

Native Auditing

  1. Open the Exchange Management Shell, and run the following cmdlets:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
Set-AdminAuditLogConfig -LogLevel Verbose # for Exchange 2013

2. Run eventvwr.msc → Applications and Services Logs → MSExchange Management, and search for events that mention the cmdlet “Add-MailboxPermission” or “Remove-MailboxPermission”. These events show who changed mailbox permissions, when it happened, which mailbox was affected, and what kind of access was given to whom.

3. You can also find this information in the Exchange Admin Center in your browser → Compliance Management → Auditing → click “View the administrator audit log”.

4. You can also use PowerShell: open the Exchange Management Shell and run the following cmdlet:

Search-AdminAuditLog -Cmdlets Add-MailboxPermission,Remove-MailboxPermission
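
An added example (not part of the original article): a PowerShell filter that reduces admin audit log entries to FullAccess changes and reports who made the change, when, on which mailbox and for which user. The names Get-FullAccessChange and New-SampleEntry and the sample entries are constructed for illustration; the property names (Caller, RunDate, CmdletName, CmdletParameters, ObjectModified, Succeeded) are those returned by Search-AdminAuditLog.

```powershell
# Added example: keep only audit entries that grant or remove FullAccess.
function Get-FullAccessChange {
    param([Parameter(Mandatory, ValueFromPipeline)] $Entry)
    process {
        if ($Entry.CmdletName -notin 'Add-MailboxPermission', 'Remove-MailboxPermission') { return }
        # CmdletParameters is a list of Name/Value pairs; index it by parameter name.
        $p = @{}
        foreach ($cp in $Entry.CmdletParameters) { $p[$cp.Name] = $cp.Value }
        # AccessRights can list several rights; keep only changes involving FullAccess.
        if ("$($p['AccessRights'])" -notmatch '\bFullAccess\b') { return }
        [pscustomobject]@{
            When      = $Entry.RunDate
            ChangedBy = $Entry.Caller
            Action    = $Entry.CmdletName
            Mailbox   = $Entry.ObjectModified
            Grantee   = $p['User']
            Succeeded = $Entry.Succeeded
        }
    }
}

# Hypothetical helper that builds constructed entries shaped like Search-AdminAuditLog output.
function New-SampleEntry($Caller, $Cmdlet, $Mailbox, $User, $Rights) {
    [pscustomobject]@{
        RunDate = Get-Date; Caller = $Caller; CmdletName = $Cmdlet
        ObjectModified = $Mailbox; Succeeded = $true
        CmdletParameters = @(
            [pscustomobject]@{ Name = 'Identity';     Value = $Mailbox }
            [pscustomobject]@{ Name = 'User';         Value = $User }
            [pscustomobject]@{ Name = 'AccessRights'; Value = $Rights }
        )
    }
}

# Constructed sample data (not real log entries): the ReadPermission entry is filtered out.
$sample = @(
    New-SampleEntry 'admin1' 'Add-MailboxPermission'    'jsmith' 'bjones' 'FullAccess'
    New-SampleEntry 'admin2' 'Add-MailboxPermission'    'jsmith' 'cdoe'   'ReadPermission'
    New-SampleEntry 'admin1' 'Remove-MailboxPermission' 'jsmith' 'bjones' 'FullAccess'
)
$sample | Get-FullAccessChange | Format-Table -AutoSize

# Against a live server, from the Exchange Management Shell:
# Search-AdminAuditLog -Cmdlets Add-MailboxPermission,Remove-MailboxPermission `
#     -StartDate (Get-Date).AddDays(-30) | Get-FullAccessChange
```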

https://img.netwrix.com/landings/howtofriday/11/native_exchange_permission.png

Credits: Originally posted - https://www.netwrix.com/how_to_detect_full_access_permission_changes_to_exchange_mailbox.html