O365 Secure Score & Azure Automation (Part 1) – Enable Mailbox Auditing

Introduction

This article is the first part in a series on securing your Office 365 tenant (and improving the Secure Score) with a little help from Azure Automation.

There will be 4-6 more articles in the series depending on the outcome of my demo environment, where all the scripts and modules are tested.

Office 365 Secure Score

First of all, if you don’t know what the Office 365 Secure Score is you should check it out immediately.

Some of the recommended actions are easy to accomplish, such as “Do not expire passwords” or “Enable Client Rules Forwarding Block Advanced Action”.

Just a few clicks and your score will increase by 30 points (20+10).

Other recommendations are more of a project than an action – such as “Enable MFA for all users”. This requires a lot of planning and possibly extra licenses if you don’t have “Enterprise Mobility + Security” already.

Then there is the third kind of Secure Score action: the ones that are expected to be straightforward but require repeated manual actions, such as enabling Mailbox Auditing on all mailboxes in Exchange Online.

Enabling mailbox auditing – why automate this?

If you’re an Office 365 administrator, you might have noticed that auditing is a per-mailbox setting – not a global setting. And it can only be enabled and configured with PowerShell.

Enabling auditing on all mailboxes can be done with a one-line PowerShell command (or a script like this). But you still have to execute that same line every time a new mailbox is provisioned.

I will demonstrate how to enable mailbox auditing on all mailboxes in an Office 365 tenant with a scheduled runbook in Azure Automation.

* UPDATE *
Mailbox Auditing is now enabled by default when provisioning new mailboxes in Exchange Online. Mailboxes created prior to November 12th 2018 still require manual enablement.  Also: If you want custom audit logging level, you need to modify this on each (new) mailbox – e.g. by a script (happy reading!).

Prerequisites

Audit Log Search is enabled

For you to be able to make use of the audit logs in Office 365 (and therefore also Exchange Online) you need to turn on the recording of user and admin activities. Very easy.

Azure Automation Account available

If you don’t already have an Azure Automation account, go to the Azure portal and open “Automation Accounts”.

Add an Automation account.

Wait 15 seconds or so and your automation account should be ready.

Create Exchange Online Service Account

A common mistake when creating service accounts in Office 365 and Exchange Online is granting them Global Admin rights.

In rare cases this makes sense. But usually you can restrict the rights to either a single Office 365 service (e.g. ExO Admin) or further down to an ACL in the service itself. Principle of least privilege, you know.

We are going to create a service account that only has access to manage audit logging in Exchange Online.

Go to your Office 365 admin portal and create a user.

NOTE: If your Office tenant has “password expire” enabled, you should disable password expiration on this user.

Create Exchange Online RBAC Group

Now go to Exchange Online Admin Center and open “Permissions”.

Create a new role group. Add “Audit Logs” as a role and add the service account as a member. Click “Save”.

The permissions should be provisioned within half an hour.

Create Azure Automation Credential

Let’s use the ‘credential vault’ in Azure Automation to securely store service account username and password. We don’t want to expose the credentials in the script in clear-text!

Go to the automation account, select “Credentials” (under Shared Resources) and click “Add a credential”.

Fill the credential form. Remember the “Name” – you need that later when executing the script.

 

Create Azure Automation Runbook

In your automation account, go to “Runbooks” (under Process Automation) and click “Add a runbook”. Then “Create a new runbook”.

Enter a name for the runbook, e.g. “ExO-EnableMailboxAuditLogging”. Select “PowerShell” as “Runbook type”. Click “Create”.

You should now see a blank PowerShell runbook. Now go to this GitHub Project called ExO-EnableMailboxAuditLogging and copy the content of the PowerShell script and paste it into the runbook.

The runbook should now look something like this:

Please review the documentation in the beginning of the script (green text in the runbook) or have a look at the ReadMe in the GitHub project.
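To show what a runbook of this kind does at its core, here is an added example (not the script from the GitHub project): it reads the service account from the credential vault, enables auditing only on mailboxes that lack it, and re-checks the result. It assumes the ExchangeOnlineManagement module is imported into the Automation account; the -ReportOnly switch and the day-based AuditLogAgeLimit default are hypothetical choices made for this example.

```powershell
# Added example: not the ExO-EnableMailboxAuditLogging script from GitHub.
param(
    [Parameter(Mandatory)] [string] $AutomationPSCredentialName, # name of the credential asset
    [ValidateRange(1, 3650)] [int] $AuditLogAgeLimit = 90,        # days (assumed unit and default)
    [switch] $ReportOnly                                          # hypothetical: list, change nothing
)
$ErrorActionPreference = 'Stop'

# Fetch the service account from the Automation credential vault; no secrets in the script.
$credential = Get-AutomationPSCredential -Name $AutomationPSCredentialName
if (-not $credential) { throw "Credential asset '$AutomationPSCredentialName' not found." }

# Assumption: ExchangeOnlineManagement module is available in the Automation account.
Connect-ExchangeOnline -Credential $credential -ShowBanner:$false
try {
    # Same mailbox types as the verification command used later in the article.
    $types = 'UserMailbox','SharedMailbox','EquipmentMailbox','RoomMailbox','DiscoveryMailbox'
    $pending = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails $types |
        Where-Object { -not $_.AuditEnabled })
    Write-Output "Mailboxes without auditing: $($pending.Count)"

    $ageLimit = '{0}.00:00:00' -f $AuditLogAgeLimit   # dd.hh:mm:ss time span
    foreach ($mbx in $pending) {
        if ($ReportOnly) { Write-Output "Would enable: $($mbx.UserPrincipalName)"; continue }
        try {
            # ExchangeGuid is unique, unlike display names.
            Set-Mailbox -Identity "$($mbx.ExchangeGuid)" -AuditEnabled $true -AuditLogAgeLimit $ageLimit
            Write-Output "Enabled: $($mbx.UserPrincipalName)"
        } catch {
            # One failing mailbox must not stop the run; surface it in the job output.
            Write-Warning "Failed on $($mbx.UserPrincipalName): $($_.Exception.Message)"
        }
    }

    if (-not $ReportOnly) {
        # Verify: anything still listed here needs manual follow-up.
        $remaining = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails $types |
            Where-Object { -not $_.AuditEnabled })
        Write-Output "Still without auditing after run: $($remaining.Count)"
    }
} finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```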

 

Test Runbook

Now click on the “Test pane” button.

Now you can test the script before putting it into production and scheduling it.

Disclaimer: No warranties. Use at your own risk.

Now fill:

  • AuditLogLevel
  • AuditLogAgeLimit
  • AutomationPSCredentialName

As mentioned before: Any doubts, check the GitHub project ReadMe!

Click “Start”. Hopefully, the output should look something like this:

In the example above, audit logging has been enabled on all (three) mailboxes.

To verify this, connect to Exchange Online with PowerShell and execute this command:


Get-Mailbox -RecipientTypeDetails UserMailbox,SharedMailbox,EquipmentMailbox,RoomMailbox,DiscoveryMailbox | Select-Object name,*audit*

The result should look something like this:

Hurray! It works. Now let’s schedule this runbook.

 

Deploy & Schedule Runbook

The runbook needs to be “published” to be able to schedule it.

In the edit pane, click “Publish” and “Yes”.

Select “Schedules” under “Resources”, and then click “Add a schedule”.

Create a new schedule, select a start time, time zone and recurrence. Then click create.

Now set up the parameters of the schedule. Click OK.

If you want to run the script right away, go to the overview of the runbook and click “Start”, and enter the same parameters as in the schedule. Then review the “Output”.

 

Review audit logs

Wait a day or so, and then go to the “Security & Compliance Center” in Office 365, and browse to “Search & investigation” and then “Audit log search”. Search for “Exchange mailbox activities”.

You should now be able to see mailbox related events.

 

Final thoughts

“Could this script be modularized?” you might ask.

The script already consists of three functions and the whole execution part could be converted into a function or two.

So, yes – the script could be shortened down to 10-20 lines, making it a “controller script”, and then use a module containing all the functions.

I might reuse some of these functions in the upcoming articles / scripts. And I might end up with a module 🙂 Let’s see.

 

Conclusion

In this article we went through the process of deploying and scheduling an Azure Automation runbook with the purpose of enabling and configuring mailbox audit logging on all mailboxes in an Office 365 tenant.

In the next article, we will have a look at generating and sending “mailbox forwarding rule reports” with an Azure Automation runbook.

 

Soren is an IT Professional & DevOps based in Copenhagen, Denmark.

His primary work areas are system design, deployment, migration and administration of business-critical IT infrastructure.
