Export Exchange Online Client Access Report

So, imagine this:

The security team comes to you and asks you for a report on how people are accessing Exchange Online services: browser, mobile, or Outlook client.  In the olden days of Exchange on-premises, you could look at the IIS logs to check browser traffic.  It's not quite the same in Exchange Online, since you don't have access to the IIS logs for every CAS server in Office 365.

What you can do, however, is retrieve that data from the Mailbox Audit Log.

Of course, mailbox auditing (a per-mailbox setting) must be enabled for this data to be stored. If you haven't done that yet, enable it now and come back in a few weeks to continue. (I say a few weeks so you can capture device turnover and people who are on vacation and don't access their work mail via mobile clients.)

To enable mailbox auditing, run:

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true -AuditOwner UpdateFolderPermissions,MailboxLogin

Note: UpdateFolderPermissions is enabled by default when you enable audit logging.  The -AuditOwner parameter takes an array, so you either need to specify all the values in the cmdlet or pass a hashtable to add to the existing values: -AuditOwner @{Add="MailboxLogin"}



Now, to build your report.

# Collect MailboxLogin audit entries from the last 14 days for every mailbox
$mailboxes = Get-Mailbox -ResultSize Unlimited
foreach ($mailbox in $mailboxes) {
    $logdata = Search-MailboxAuditLog -StartDate ([System.DateTime]::Now.AddDays(-14)) -EndDate ([System.DateTime]::Now.AddDays(+1)) -Operations MailboxLogin -Identity $mailbox.UserPrincipalName -ShowDetails | Select-Object LogonUserDisplayName,ClientInfoString,LastAccessed,ClientIPAddress
    # Append this mailbox's rows to the report
    $logdata | Export-Csv Report.csv -Append -NoTypeInformation
}

You may find it useful to use client-side filtering on the ClientInfoString to locate specific client types or versions as well.
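
One way to do that client-side filtering, as an added example that is not from the original post: it buckets each ClientInfoString into the browser, mobile, and Outlook client categories from the scenario above. The sample rows are constructed, and the match patterns and the Get-ClientCategory helper are assumptions to tune against the values in your own report.

```powershell
# Constructed sample rows in the shape of Report.csv.
# For real data use: $rows = Import-Csv Report.csv
$rows = @'
LogonUserDisplayName,ClientInfoString,LastAccessed,ClientIPAddress
User One,Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64),2024-01-10T08:15:00,192.0.2.10
User One,Client=ActiveSync;UserAgent=Apple-iPhone,2024-01-10T09:02:00,198.51.100.7
User Two,Client=MSExchangeRPC,2024-01-11T07:45:00,192.0.2.22
User Two,Client=WebServices;ExchangeServicesClient,2024-01-11T10:30:00,203.0.113.5
User Three,,2024-01-12T11:00:00,192.0.2.30
'@ | ConvertFrom-Csv

# Hypothetical helper: map a ClientInfoString to a coarse access category.
# The patterns are assumptions; list the distinct ClientInfoString values
# in your own report and extend them as needed.
function Get-ClientCategory {
    param([string]$ClientInfoString)
    switch -Regex ($ClientInfoString) {
        'Client=OWA'           { return 'Browser' }
        'Client=ActiveSync'    { return 'Mobile' }
        'Client=MSExchangeRPC' { return 'Outlook client' }
        default                { return 'Other/Unknown' }
    }
}

# Add the category as a calculated column
$classified = $rows | Select-Object *, @{
    Name       = 'ClientCategory'
    Expression = { Get-ClientCategory $_.ClientInfoString }
}

# Login entries and distinct users per category
$summary = $classified | Group-Object ClientCategory | ForEach-Object {
    [pscustomobject]@{
        ClientCategory = $_.Name
        Logins         = $_.Count
        Users          = @($_.Group.LogonUserDisplayName | Sort-Object -Unique).Count
    }
} | Sort-Object Logins -Descending
$summary | Format-Table -AutoSize

# Rows that matched no pattern (including empty ClientInfoString):
# review these before handing the report to the security team.
$classified | Where-Object ClientCategory -eq 'Other/Unknown' |
    Format-Table LogonUserDisplayName, ClientInfoString, ClientIPAddress -AutoSize
```

Keeping the unmatched rows visible matters for a security report: a client that does not fit a known pattern is exactly the access path the requester will want to see.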

Be fruitful and reportify!

