O365 – How Mailbox Audit works in a Hybrid scenario

By: Caio Ribeiro César

We have already discussed some of the Mailbox Audit functionalities in Office 365. This time, we will focus on something a little bit more specific: hybrid environments and cross-premises access.

Cross-premises mailbox permission support is relatively new: on-premises mailboxes accessing on-cloud mailboxes and vice-versa in hybrid environments (support covers Full Access to the mailbox through Outlook).

When searching for mailbox audit logs in on-cloud/on-premises environments, we follow the “Mailbox Audit Logging in Exchange 2016” TechNet article.

Scenarios discussed in this article are:

1) On-cloud mailbox access by an on-premises user

2) On-premises mailbox access by an on-cloud user

In this demonstration, we will access the mailbox, remove one email and then collect and read the audit logs.

Scenario 1 – on-premises user “onprem1” accessing on-cloud mailbox “hybrid1” (Outlook + Full Access permission)

a) Validating “FullAccess” permissions (ExO)

b) Enabling mailbox Audit (ExO)

c) Accessing onprem1>hybrid1 and removing data

d) Collecting Mailbox Audit logs in ExO for mailbox “Hybrid1”

RunspaceId : d0886b75-d964-4bdd-993a-f40902c20856
Operation : SoftDelete
OperationResult : Succeeded
LogonType : Delegate
ExternalAccess : False
DestFolderId :
DestFolderPathName :
FolderId : LgAAAACsuxmdF5MpSbKJK3JoFBgdAQDJFa5QkQeVS6fTHvqQ2KO7AAAAAAEMAAAB
FolderPathName : \Caixa de Entrada
ClientInfoString : Client=MSExchangeRPC
ClientMachineName :
ClientProcessName : OUTLOOK.EXE
ClientVersion : 15.0.4815.1000
InternalLogonType : Owner
MailboxOwnerUPN : hybrid1@o365lab.com
MailboxOwnerSid : S-1-5-21-2103643036-1067027473-1901050440-12484931
DestMailboxOwnerUPN :
DestMailboxOwnerSid :
DestMailboxGuid :
CrossMailboxOperation : False
LogonUserDisplayName : OnPrem User 1
LogonUserSid : S-1-5-21-2103643036-1067027473-1901050440-12486308
SourceItems : {RgAAAACsuxmdF5MpSbKJK3JoFBgdBwDJFa5QkQeVS6fTHvqQ2KO7AAAAAAEMAABdK189WNanSoUgfqILghUDAABkOn/gAAAA}
SourceFolders : {}
SourceItemIdsList : RgAAAACsuxmdF5MpSbKJK3JoFBgdBwDJFa5QkQeVS6fTHvqQ2KO7AAAAAAEMAABdK189WNanSoUgfqILghUDAABkOn/gAAAA
SourceItemSubjectsList : Email V
SourceItemAttachmentsList :
SourceItemFolderPathNamesList : Caixa de Entrada
SourceFolderPathNamesList :
ItemId :
ItemSubject :
ItemAttachments :
DirtyProperties :
OriginatingServer : DBXPR05MB494 (15.01.0466.022)
MailboxGuid : 812d0182-f4c5-47ac-8fc8-f7bb2f0e407c
MailboxResolvedOwnerName : Hybrid User 1
LastAccessed : 4/19/2016 6:05:08 PM
Identity : AAMkADMxOTgxNDVlLTA5ZGQtNDA5YS05NWQxLTQ1YzZiYzcyZDBjYQBGAAAAAACsuxmdF5MpSbKJK3JoFBgdBwBdK189WNanSoUgfqILghUDAABs5Bh5AABdK189WNanSoUgfqILghUDAABs5BxhAAA=
IsValid : True
ObjectState : New

e) Conclusion:

The log shows that the “SoftDelete” operation succeeded in the folder “Caixa de Entrada” (\Inbox) for the email with the subject “Email V”. LogonType is “Delegate” and LogonUserDisplayName is “OnPrem User 1”, so the entry identifies the on-premises user rather than the mailbox owner. The application used to access this mailbox was Outlook 2013 (OUTLOOK.EXE, ClientVersion 15.0).

Scenario 2 – on-cloud user “hybrid1” accessing on-premises mailbox “onprem1” (Outlook + Full Access permission)

a) Validating “FullAccess” permissions (ExOnPrem)

b) Enabling Mailbox Audit (ExOnPrem)

c) Accessing hybrid1>onprem1 and removing data

d) Collecting Mailbox Audit logs in ExOnPrem for mailbox "OnPrem1"

RunspaceId : 256fc3c4-0eb8-43c9-9176-8b581125aa0d
Operation : SoftDelete
OperationResult : Succeeded
LogonType : Delegate
ExternalAccess : False
DestFolderId :
DestFolderPathName :
FolderId : LgAAAADISX+WmpC4T7PckAt9aeV2AQAWkvaZhWZwRbYTrKuYg46LAAAAAAEMAAAB
FolderPathName : \Caixa de Entrada
ClientInfoString : Client=MSExchangeRPC
ClientMachineName :
ClientProcessName : OUTLOOK.EXE
ClientVersion : 16.0.6868.6512
InternalLogonType : Owner
MailboxOwnerUPN : OnPrem1@o365lab.com
MailboxOwnerSid : S-1-5-21-4092936703-4063989580-4119582238-1178
DestMailboxOwnerUPN :
DestMailboxOwnerSid :
DestMailboxGuid :
CrossMailboxOperation : False
LogonUserDisplayName : Hybrid User 1
LogonUserSid : S-1-5-21-4092936703-4063989580-4119582238-1137
SourceItems : {RgAAAADISX+WmpC4T7PckAt9aeV2BwAWkvaZhWZwRbYTrKuYg46LAAAAAAEMAAAWkvaZhWZwRbYTrKuYg46LAAA2wBKOAAAA}
SourceFolders : {}
SourceItemIdsList : RgAAAADISX+WmpC4T7PckAt9aeV2BwAWkvaZhWZwRbYTrKuYg46LAAAAAAEMAAAWkvaZhWZwRbYTrKuYg46LAAA2wBKOAAAA
SourceItemSubjectsList : Email1
SourceItemAttachmentsList :
SourceItemFolderPathNamesList : Caixa de Entrada
SourceFolderPathNamesList :
ItemId :
ItemSubject :
ItemAttachments :
DirtyProperties :
OriginatingServer : O365LAB-EXCH (15.01.0225.037)
MailboxGuid : da2d2dca-0868-463c-8ffc-cef6df4829f5
MailboxResolvedOwnerName : OnPrem User 1
LastAccessed : 4/19/2016 8:44:15 PM
Identity : AAMkADEyY2FjZjQ0LTNiZjYtNDE4OC1hZWU4LWM0NDFlYjZjNjAwYwBGAAAAAADISX+WmpC4T7PckAt9aeV2BwAWkvaZhWZwRbYTrKuYg46LAAA2vv8KAAAWkvaZhWZwRbYTrKuYg46LAAA2wBpeAAA=
IsValid : True
ObjectState : New

e) Conclusion:

The log shows that the “SoftDelete” operation succeeded in the folder “Caixa de Entrada” (\Inbox) for the email with the subject “Email1”. LogonType is “Delegate” and LogonUserDisplayName is “Hybrid User 1”, so the entry identifies the on-cloud user rather than the mailbox owner. The application used to access this mailbox was Outlook 2016 (OUTLOOK.EXE, ClientVersion 16.0).
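As an added example (not from the article or from Microsoft's documentation), steps a, b and d of both scenarios as Exchange PowerShell. It is run in the forest that holds the audited mailbox, since each scenario's log came back from that side (Exchange Online PowerShell for Scenario 1, the on-premises Exchange Management Shell for Scenario 2). The mailbox address comes from the article; the lookback window and the set of audited delegate actions are assumptions.

```powershell
# Added example, not the article's own commands. Run in the forest that owns $Mailbox.
param(
    [string]$Mailbox = 'hybrid1@o365lab.com',   # Scenario 1; use OnPrem1@o365lab.com for Scenario 2
    [int]$LookbackDays = 7                      # assumed search window
)

# a) Confirm who holds explicit rights on the mailbox and that it is FullAccess only.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.User -notlike 'NT AUTHORITY\SELF' -and -not $_.IsInherited } |
    Select-Object User, AccessRights, Deny

# b) Enable mailbox auditing and make sure delegate deletions are recorded
#    (assumed action set; SoftDelete is the one the article's logs show).
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditDelegate SoftDelete, HardDelete, MoveToDeletedItems, SendAs, SendOnBehalf `
    -AuditLogAgeLimit '90.00:00:00'

# d) Collect delegate entries. -ShowDetails returns one record per operation,
#    including LogonUserDisplayName / LogonUserSid for the accessing user.
$start   = (Get-Date).AddDays(-$LookbackDays)
$entries = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Delegate -ShowDetails `
    -StartDate $start -EndDate (Get-Date) -ResultSize 5000

# Flag deletions by anyone other than the owner. In both of the article's logs
# ExternalAccess is False even though the access was cross-premises, so compare
# the logon SID against the owner SID instead of relying on that field.
$entries |
    Where-Object { $_.Operation -in 'SoftDelete', 'HardDelete' -and
                   $_.LogonUserSid -ne $_.MailboxOwnerSid } |
    Select-Object LastAccessed, Operation, OperationResult, LogonUserDisplayName,
                  ClientProcessName, ClientVersion, FolderPathName, SourceItemSubjectsList |
    Sort-Object LastAccessed
```

For the Scenario 1 log above, the final filter returns the single SoftDelete of “Email V” by “OnPrem User 1”; for Scenario 2 it returns the SoftDelete of “Email1” by “Hybrid User 1”.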