O365 – How Mailbox Audit works in a Hybrid scenario


By: Caio Ribeiro César

We have already discussed some of the Mailbox Audit functionality in Office 365. This time, we will focus on something more specific: hybrid environments and cross-premises access.

Cross-premises mailbox permission support is relatively new: in hybrid environments, on-premises mailboxes can access cloud mailboxes and vice versa (support covers Full Mailbox access through Outlook).

When searching for mailbox audit logs in cloud and on-premises environments, we follow the “Mailbox Audit Logging in Exchange 2016” TechNet article.

Scenarios discussed in this article are:

1) Cloud mailbox accessed by an on-premises user

2) On-premises mailbox accessed by a cloud user

In this demonstration, we will access the mailbox, remove one email, and then collect and read the audit logs.

Scenario 1 – on-premises user “onprem1” access to on-cloud mailbox “hybrid1” (Outlook + FullMbx Permission)

a) Validating “FullAccess” permissions (ExO)


b) Enabling mailbox Audit (ExO)


c) Accessing onprem1>hybrid1 and removing data


d) Collecting Mailbox Audit logs in ExO for mailbox “Hybrid1”


RunspaceId : d0886b75-d964-4bdd-993a-f40902c20856
Operation : SoftDelete
OperationResult : Succeeded
LogonType : Delegate
ExternalAccess : False
DestFolderId :
DestFolderPathName :
FolderId : LgAAAACsuxmdF5MpSbKJK3JoFBgdAQDJFa5QkQeVS6fTHvqQ2KO7AAAAAAEMAAAB
FolderPathName : \Caixa de Entrada
ClientInfoString : Client=MSExchangeRPC
ClientMachineName :
ClientProcessName : OUTLOOK.EXE
ClientVersion : 15.0.4815.1000
InternalLogonType : Owner
MailboxOwnerUPN : hybrid1@o365lab.com
MailboxOwnerSid : S-1-5-21-2103643036-1067027473-1901050440-12484931
DestMailboxOwnerUPN :
DestMailboxOwnerSid :
DestMailboxGuid :
CrossMailboxOperation : False
LogonUserDisplayName : OnPrem User 1
LogonUserSid : S-1-5-21-2103643036-1067027473-1901050440-12486308
SourceItems : {RgAAAACsuxmdF5MpSbKJK3JoFBgdBwDJFa5QkQeVS6fTHvqQ2KO7AAAAAAEMAABdK189WNanSoUgfqILghUDAABkOn/gAAAA}
SourceFolders : {}
SourceItemIdsList : RgAAAACsuxmdF5MpSbKJK3JoFBgdBwDJFa5QkQeVS6fTHvqQ2KO7AAAAAAEMAABdK189WNanSoUgfqILghUDAABkOn/gAAAA
SourceItemSubjectsList : Email V
SourceItemAttachmentsList :
SourceItemFolderPathNamesList : Caixa de Entrada
SourceFolderPathNamesList :
ItemId :
ItemSubject :
ItemAttachments :
DirtyProperties :
OriginatingServer : DBXPR05MB494 (15.01.0466.022)
MailboxGuid : 812d0182-f4c5-47ac-8fc8-f7bb2f0e407c
MailboxResolvedOwnerName : Hybrid User 1
LastAccessed : 4/19/2016 6:05:08 PM
Identity : AAMkADMxOTgxNDVlLTA5ZGQtNDA5YS05NWQxLTQ1YzZiYzcyZDBjYQBGAAAAAACsuxmdF5MpSbKJK3JoFBgdBwBdK189WNanSoUgfqILghUDAABs5Bh5AABdK189WNanSoUgfqILghUDAABs5BxhAAA=
IsValid : True
ObjectState : New

e) Conclusion:

In the log, the entries marked in black show that the “SoftDelete” operation succeeded in the folder “Caixa de Entrada” (\Inbox) for the email with the subject “Email V”. The app used to access this mailbox was “Outlook 2013”.

Scenario 2 – on-cloud user “hybrid1” access to on-prem mailbox “onprem1” (Outlook + FullMbx Permission)

a) Validating “FullAccess” permissions (ExOnPrem)


b) Enabling Mailbox Audit (ExOnPrem)


c) Accessing hybrid1>onprem1 and removing data


d) Collecting Mailbox Audit logs in ExOnPrem for mailbox "OnPrem1"


RunspaceId : 256fc3c4-0eb8-43c9-9176-8b581125aa0d
Operation : SoftDelete
OperationResult : Succeeded
LogonType : Delegate
ExternalAccess : False
DestFolderId :
DestFolderPathName :
FolderId : LgAAAADISX+WmpC4T7PckAt9aeV2AQAWkvaZhWZwRbYTrKuYg46LAAAAAAEMAAAB
FolderPathName : \Caixa de Entrada
ClientInfoString : Client=MSExchangeRPC
ClientMachineName :
ClientProcessName : OUTLOOK.EXE
ClientVersion : 16.0.6868.6512
InternalLogonType : Owner
MailboxOwnerUPN : OnPrem1@o365lab.com
MailboxOwnerSid : S-1-5-21-4092936703-4063989580-4119582238-1178
DestMailboxOwnerUPN :
DestMailboxOwnerSid :
DestMailboxGuid :
CrossMailboxOperation : False
LogonUserDisplayName : Hybrid User 1
LogonUserSid : S-1-5-21-4092936703-4063989580-4119582238-1137
SourceItems : {RgAAAADISX+WmpC4T7PckAt9aeV2BwAWkvaZhWZwRbYTrKuYg46LAAAAAAEMAAAWkvaZhWZwRbYTrKuYg46LAAA2wBKOAAAA}
SourceFolders : {}
SourceItemIdsList : RgAAAADISX+WmpC4T7PckAt9aeV2BwAWkvaZhWZwRbYTrKuYg46LAAAAAAEMAAAWkvaZhWZwRbYTrKuYg46LAAA2wBKOAAAA
SourceItemSubjectsList : Email1
SourceItemAttachmentsList :
SourceItemFolderPathNamesList : Caixa de Entrada
SourceFolderPathNamesList :
ItemId :
ItemSubject :
ItemAttachments :
DirtyProperties :
OriginatingServer : O365LAB-EXCH (15.01.0225.037)
MailboxGuid : da2d2dca-0868-463c-8ffc-cef6df4829f5
MailboxResolvedOwnerName : OnPrem User 1
LastAccessed : 4/19/2016 8:44:15 PM
Identity : AAMkADEyY2FjZjQ0LTNiZjYtNDE4OC1hZWU4LWM0NDFlYjZjNjAwYwBGAAAAAADISX+WmpC4T7PckAt9aeV2BwAWkvaZhWZwRbYTrKuYg46LAAA2vv8KAAAWkvaZhWZwRbYTrKuYg46LAAA2wBpeAAA=
IsValid : True
ObjectState : New

e) Conclusion:

In the log, the entries marked in black show that the “SoftDelete” operation succeeded in the folder “Caixa de Entrada” (\Inbox) for the email with the subject “Email1”. The app used to access this mailbox was “Outlook 2016”.
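
Steps a), b), d) and e) of both scenarios as one script. This is an added example, not the commands from the original article: it assumes the standard Exchange cmdlets Get-MailboxPermission, Set-Mailbox and Search-MailboxAuditLog, and the variable names, the audited action list and the search window are illustrative choices.

```powershell
# Added example. Run in an Exchange Online session (Scenario 1) or in the
# on-premises Exchange Management Shell (Scenario 2).
$Mailbox  = 'hybrid1'    # audited mailbox (Scenario 2: 'onprem1')
$Delegate = 'onprem1'    # delegate with FullAccess (Scenario 2: 'hybrid1')

# a) Show the delegate's permission entry; expect FullAccess with Deny = False.
Get-MailboxPermission -Identity $Mailbox -User $Delegate |
    Where-Object { $_.AccessRights -match 'FullAccess' } |
    Format-List Identity, User, AccessRights, Deny, IsInherited

# b) Enable auditing and make sure delegate deletions are among the logged actions.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditDelegate @{ Add = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems' }
Get-Mailbox -Identity $Mailbox |
    Format-List AuditEnabled, AuditDelegate, AuditLogAgeLimit

# d) After the delegate has removed an item (step c), pull the delegate entries.
#    The window matches the lab's dates; adjust it to your own test.
$entries = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Delegate `
    -ShowDetails -StartDate '04/19/2016' -EndDate '04/20/2016' -ResultSize 1000

# e) Keep only deletions and reduce each record to the fields the conclusions read.
#    Major ClientVersion to Outlook release, as stated in the two conclusions.
$outlook = @{ 15 = 'Outlook 2013'; 16 = 'Outlook 2016' }
$entries |
    Where-Object { $_.Operation -in 'SoftDelete', 'HardDelete', 'MoveToDeletedItems' } |
    ForEach-Object {
        $major = [int]("$($_.ClientVersion)".Split('.')[0])
        [pscustomobject]@{
            When      = $_.LastAccessed
            Operation = $_.Operation
            Result    = $_.OperationResult
            Actor     = $_.LogonUserDisplayName
            Owner     = $_.MailboxOwnerUPN
            Folder    = $_.FolderPathName
            Subjects  = $_.SourceItemSubjectsList
            Client    = "$($_.ClientProcessName) ($($outlook[$major]))"
            Server    = $_.OriginatingServer
        }
    } |
    Sort-Object When |
    Format-Table -AutoSize -Wrap
```

The search runs in the environment that hosts the audited mailbox, which is why Scenario 1 is collected in ExO and Scenario 2 in ExOnPrem; the OriginatingServer column shows which side wrote the record.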
