Mailboxes Test

When auditing user mailboxes, an administrator would typically like to know:

  • Which mailboxes were newly created, and which ones were modified / soft-deleted recently?
  • Which mailboxes are on hold, and what type of hold are they on - Litigation hold? or In-place hold?
  • Are any mailboxes shared? If so, which are they?
  • Have any mailboxes been enabled for forwarding mails to external addresses? If so, which ones?

The Mailboxes test provides administrators with quick and accurate answers to these questions, and thus enables them to manage mailboxes better.

Target of the test : Exchange Online

Agent deploying the test : A remote agent

Outputs of the test : One set of results for the Office 365 tenant being monitored

Configurable parameters for the test

Parameter / Description

Test period

How often should the test be executed

Host

The host for which the test is to be configured. By default, this is portal.office.com

Tenant Name

This parameter applies only if you want the eG agent to use Azure AD Certificate-based Authentication for accessing and monitoring an O365 tenant and its resources.

Azure AD certificate-based authentication (CBA) enables customers to allow or require users to authenticate with X.509 certificates against their Azure Active Directory (Azure AD) for applications and browser sign-in. When monitoring highly secure Office 365 environments, you can configure the eG agent to identify itself to a tenant using a valid X.509 certificate, so that it is allowed secure access to the tenant and its resources.

By default, the value of this parameter is none. This means that, by default, the eG agent does not use certificate-based authentication to connect to an O365 tenant.

On the other hand, if you want the eG agent to use this modern authentication technique to securely access a tenant's resources, you should do the following:

  1. Enable Azure AD Certificate-based authentication for the target O365 tenant; this can be achieved manually, via the Office 365 portal, or automatically, using PowerShell scripts we provide. For the manual procedure, refer to Manually Enabling Certificate-based Authentication For an Office 365 Tenant under Microsoft Office 365. For the automatic procedure, refer to Automatically Fulfilling Pre-requisites in a Modern Authentication-Enabled Environment under Microsoft Office 365.

    When enabling certificate-based authentication, an X.509 certificate will be generated for the target tenant.

  2. Configure the Tenant Name parameter with the name of the tenant for which certificate-based authentication is enabled. Using the tenant name, the eG agent will be able to read the details of the X.509 certificate that is generated for that tenant, and use that certificate to access that tenant's resources. To determine the tenant name, do the following:

    • Log in to the Microsoft 365 Admin Center as an administrator.

    • Under Setup, click on Domains.

    • Find a domain that ends with .onmicrosoft.com - this is your Microsoft O365 tenant name.

O365 User Name, O365 Password, and Confirm Password

These parameters need to be configured only if the Tenant Name parameter is set to none. On the other hand, if a valid Tenant Name is configured, then you should set these parameters to none.

For execution, this test requires the privileges of an O365 user who is vested with the View-Only Audit Logs, View-Only Recipients, Mail Recipients, and Mailbox Import Export permissions. Configure the credentials of such a user against O365 User Name and O365 Password text boxes. Confirm the password by retyping it in the Confirm Password text box.

While you can use the credentials of any existing O365 user with the aforesaid privileges, it is recommended that you create a special user for monitoring purposes using the Office 365 portal and use the credentials of that user here. To know how to create a new user using the Office 365 portal and assign the required privileges to that user, refer to Creating a New User in the Office 365 Portal under Microsoft Office 365. You can also use eG's proprietary PowerShell script to automatically create a new user, or assign the required privileges to an existing user. To know how to use this script, refer to the Automatically Fulfilling Pre-requisites in a Basic Authentication-Enabled Environment topic.

Domain, Domain User Name, Domain Password, and Confirm Password

These parameters are applicable only if the eG agent needs to communicate with the Office 365 portal via a Proxy server.

In this case, in the Domain text box, specify the name of the Windows domain to which the eG agent host belongs. In the Domain User Name text box, mention the name of a valid domain user with login rights to the eG agent host. Provide the password of that user in the Domain Password text box and confirm that password by retyping it in the Confirm Password text box.

On the other hand, if the eG agent is not behind a Proxy server, then you need not disturb the default setting of these parameters. By default, these parameters are set to none.

Proxy Host, Proxy Port, Proxy User Name, and Proxy Password

These parameters are applicable only if the eG agent needs to communicate with the Office 365 portal via a Proxy server.

In this case, provide the IP/host name and port number of the Proxy server that the eG agent should use in the Proxy Host and Proxy Port parameters, respectively.

If the Proxy server requires authentication, then specify the credentials of a valid Proxy user against the Proxy User Name and Proxy Password text boxes. Confirm that password by retyping it in the Confirm Password text box. If the Proxy server does not require authentication, then specify none against the Proxy User Name, Proxy Password, and Confirm Password text boxes.

On the other hand, if the eG agent is not behind a Proxy server, then you need not disturb the default setting of any of the Proxy-related parameters. By default, these parameters are set to none.

DD Frequency

Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time the test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD Frequency.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option. The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.

Measurements made by the test

Measurement / Description / Measurement Unit / Interpretation

Total mailboxes

Indicates the total count of mailboxes on Exchange Online.

Number


External forward enabled mailboxes

Indicates the count of mailboxes that have been enabled for forwarding mails to external email addresses.

Number

If this measure reports a non-zero value, then use the detailed diagnosis of the measure to find out which mailboxes have been configured to send emails to external addresses. It is important for administrators to closely monitor the mail traffic to/from such mailboxes, because external forwarders are commonly used by hackers and bad actors to exfiltrate data from an organisation.

Shared mailboxes

Indicates the number of shared mailboxes.

Number

Shared mailboxes make it easy for a group of people in your company to monitor and send email from a common account, such as info@contoso.com or support@contoso.com. When a person in the group replies to a message sent to the shared mailbox, the email looks like it was sent by the shared mailbox, not from the individual user.

To know which are the shared mailboxes, use the detailed diagnosis of this measure.

Newly created mailboxes

Indicates the number of newly created mailboxes.

Number

Use the detailed diagnosis of this measure to know which mailboxes were newly created.

Modified mailboxes

Indicates the number of mailboxes that were modified recently.

Number

Use the detailed diagnosis of this measure to identify the mailboxes that were changed recently.

Soft deleted mailboxes

Indicates the number of mailboxes that were soft deleted.

Number

A soft-deleted user mailbox is a mailbox that has been deleted using the Office 365 admin center or the Remove-Mailbox cmdlet in the Exchange Management Shell, and that has been in the Azure Active Directory (Azure AD) recycle bin for less than 30 days.

A user mailbox becomes soft-deleted in the following cases:

  • The user mailbox's associated Azure Active Directory user account is soft deleted (the Azure Active Directory user object is out of scope or in the recycle bin container).
  • The user mailbox's associated Azure Active Directory user account has been hard deleted, but the Exchange Online mailbox is on a litigation hold or eDiscovery hold.
  • The user mailbox's associated Azure Active Directory user account has been purged within the last 30 days, which is the retention period for which Exchange Online keeps the mailbox in a soft-deleted state before it is permanently purged and becomes unrecoverable.

Use the detailed diagnosis of this measure to identify the soft-deleted mailboxes.

Mailboxes on litigation hold

Indicates the count of mailboxes on litigation hold.

Number

Litigation Hold is one of the functions of the eDiscovery feature in Exchange Online. Putting mailboxes, public folders or sites (e.g. OneDrive, SharePoint) on Litigation Hold prevents users from permanently deleting all or chosen content. Before the recent updates, Litigation Hold allowed only whole mailboxes to be secured; partial mailbox protection required using In-Place Hold. Now, Litigation Hold allows you to use filters and conditions so that you can decide precisely which items to protect and which not.

As the name suggests, the primary function of a Litigation Hold is to protect data in case there is a lawsuit in action and some emails might be evidence. In fact, that is what the whole of eDiscovery is there for. But you can use it, as many other companies do, as a means to back up sensitive data, just in case. Although the storage for protected items is not limited, including all mailboxes is not advisable – it will save all items, including spam emails, making future searches troublesome, to say the least. What is more, if you remove a hold, all purged data is irreversibly deleted. You can export mailboxes to PST files and store them locally. This way, you will increase your data safety.

To know which mailboxes are on litigation hold, use the detailed diagnosis of this measure.

Mailboxes on inplace hold

Indicates the count of mailboxes on in-place hold.

Number

In-Place Hold essentially helps an admin determine which items to hold and for how long to hold them. Using the In-Place Hold feature, administrators can accomplish various tasks that focus on preserving email. Mail preservation is critical if a company is faced with litigation and needs to perform any sort of electronic discovery.

Using In-Place Hold, an Exchange 2013 administrator can:

  • Place complete user mailboxes on hold.
  • Preserve mailbox items that were previously deleted.
  • Search for specific items via criteria such as keywords, send date, recipients and more.
  • Preserve items for an indefinite amount of time.
  • Place an actual user on hold.

Use the detailed diagnosis of this measure to know which mailboxes have been put on in-place hold.

All mailboxes on hold?

Indicates whether or not all mailboxes are presently on hold.

The values that this measure can report and their corresponding numeric values are as follows:

Measure Value    Numeric Value
Yes              1
No               0

Note:

Typically, this measure reports the Measure Values listed in the table above to indicate whether or not all mailboxes are on hold. In the graph of this measure, however, the same is represented using the numeric equivalents only.

The detailed diagnosis of the Modified mailboxes measure lists the mailboxes that were modified and when they were modified. This way, administrators can keep track of changes to mailbox configuration.

Figure 1 : The detailed diagnosis of the Modified mailboxes measure

The detailed diagnosis of the External forward enabled mailboxes measure lists the mailboxes that have been configured to forward emails to external email addresses. The forwarding SMTP address is also revealed, so that administrators can quickly identify the external domain to which each mailbox forwards emails.

Figure 2 : The detailed diagnosis of the External forward enabled mailboxes measure
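As an added example (not eG Enterprise code, and not the script the test itself runs), the PowerShell below connects to Exchange Online with Azure AD certificate-based authentication using the .onmicrosoft.com tenant name described under Tenant Name, then computes the same measures this test reports and the detailed diagnosis of the External forward enabled mailboxes measure, including the forwarding SMTP address and its external domain. It assumes the ExchangeOnlineManagement module is installed, that certificate-based authentication is already enabled for the tenant, and that the app id and certificate thumbprint placeholders are replaced with your own values; the one-day "recent" window for created/modified mailboxes is an assumption as well.

```powershell
param(
    [string]$TenantName   = 'contoso.onmicrosoft.com',      # the .onmicrosoft.com domain found under Setup > Domains
    [string]$AppId        = '<APP-ID-PLACEHOLDER>',         # placeholder: Azure AD app registration id
    [string]$Thumbprint   = '<CERT-THUMBPRINT-PLACEHOLDER>', # placeholder: X.509 certificate thumbprint
    [int]$LookbackDays    = 1                               # assumed window for "newly created" / "modified"
)

Import-Module ExchangeOnlineManagement
# Certificate-based (app-only) sign-in: no O365 user name / password involved.
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint -Organization $TenantName -ShowBanner:$false

$since           = (Get-Date).AddDays(-$LookbackDays)
$mailboxes       = Get-Mailbox -ResultSize Unlimited
$softDeleted     = Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited
$internalDomains = (Get-AcceptedDomain).DomainName

# A mailbox is "external forward enabled" when ForwardingSmtpAddress points at a
# domain that is not one of the tenant's accepted domains. (ForwardingAddress,
# by contrast, can only reference an internal recipient, so it is not checked here.)
$externalForward = foreach ($m in $mailboxes) {
    if (-not $m.ForwardingSmtpAddress) { continue }
    $addr   = ([string]$m.ForwardingSmtpAddress) -replace '^smtp:', ''
    $domain = ($addr -split '@')[-1]
    if ($internalDomains -notcontains $domain) {
        [pscustomobject]@{
            Mailbox                    = $m.UserPrincipalName
            ForwardingSmtpAddress      = $addr
            ExternalDomain             = $domain
            DeliverToMailboxAndForward = $m.DeliverToMailboxAndForward
        }
    }
}

# InPlaceHolds is multi-valued; it may also carry retention-policy entries, so treat
# any non-empty value as "on some hold" rather than strictly an In-Place Hold.
$litigation = @($mailboxes | Where-Object LitigationHoldEnabled)
$inPlace    = @($mailboxes | Where-Object { $_.InPlaceHolds.Count -gt 0 })
$onHold     = @($mailboxes | Where-Object { $_.LitigationHoldEnabled -or $_.InPlaceHolds.Count -gt 0 })

[pscustomobject]@{
    'Total mailboxes'                    = $mailboxes.Count
    'External forward enabled mailboxes' = @($externalForward).Count
    'Shared mailboxes'                   = @($mailboxes | Where-Object RecipientTypeDetails -eq 'SharedMailbox').Count
    'Newly created mailboxes'            = @($mailboxes | Where-Object WhenCreated -ge $since).Count
    'Modified mailboxes'                 = @($mailboxes | Where-Object WhenChanged -ge $since).Count
    'Soft deleted mailboxes'             = @($softDeleted).Count
    'Mailboxes on litigation hold'       = $litigation.Count
    'Mailboxes on inplace hold'          = $inPlace.Count
    'All mailboxes on hold?'             = if ($onHold.Count -eq $mailboxes.Count) { 'Yes' } else { 'No' }
} | Format-List

# Detailed diagnosis equivalent: which mailboxes forward externally, and where to.
$externalForward | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Run it under an app registration that holds the same read-only Exchange permissions the test requires; a non-empty forwarding table is the list an administrator should review against approved forwarding destinations.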