As organizations move to Office 365, sometimes the finer details of the service can get over looked. To be able to manage your Office 365 tenant, you need to understand what auditing and reporting capabilities are built into Office 365, as well as what functionality is missing. A complete understanding of the features and functionality in place to protect your systems is essential to identifying threats, and planning a reaction. Drawing on his personal experiences assisting clients with migrations, Nathan O’Bryan (MCSM: Messaging, MVP: Office Servers and Services) will dive into the auditing and reporting features and functionality that are included with Office 365. He will cover how to properly implement protection for your systems in addition to real world tips and practical lessons learned for protecting your data in the cloud.

1. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Auditing and Reporting for Office 365

2. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
@enowconsulting
Find us!
ENow Software
ENowSoftware
ENowSoftware.com
Some of ENow’s Loyal Customers
• Microsoft Silver ISV & Messaging Microsoft Partner
• Focused on building software solutions that simplify the life of IT administrators
• Software architected by MVPs with >15 years experience in high-end Microsoft
consulting and management
• Customers in over 60 countries ENow Software
About ENow

3. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T

4. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
About the speaker – Nathan O’Bryan
MVP: Office Servers and Services
MCSM: Messaging
Consultant @ SPS
http://www.spscom.com
@MCSMLab
http://www.mcsmlab.com

5. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Introduction
• Auditing and reporting is important to any organization
• Office 365 is a collection of different resources, all developed
separately
• Microsoft is working toward a unified auditing and reporting system,
but they are not there yet

6. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Auditing and Reporting
• In Office 365, auditing and reporting is broken into two groups
• Exchange
• Everything else
• “Everything else” is far behind Exchange for auditing and reporting features
• All auditing and reporting in Office 365 requires Exchange in your tenant
• Microsoft is working on bringing “everything else” up to the auditing and
reporting standards of Exchange

7. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Mailbox Auditing
• Mailbox auditing is about figuring out who did what and when they
did it
• First introduced in Exchange 2007 SP2
• 3 types of mailbox auditing
• Owner
• Delegates
• Administrator
• Mailbox auditing is not on by default

8. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Demo 1 – Enable Mailbox Auditing
• Verify mailbox auditing is on for a mailbox
• Verify mailbox auditing is on for multiple mailboxes
• Turn mailbox auditing on
• Verify what actions are being audited

9. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Mailbox actions logged
Action Description Admin Delegate Owner
Copy An item is copied to another folder. Yes No No
Create
An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is
created. Note that message or folder creation isn't audited.
Yes* Yes* Yes
FolderBind A mailbox folder is accessed. Yes* Yes No
HardDelete An item is deleted permanently from the Recoverable Items folder. Yes* Yes* Yes
MailboxLogin The user signed in to their mailbox. No No Yes
MessageBind An item is accessed in the reading pane or opened. Yes No No
Move An item is moved to another folder. Yes* Yes Yes
MoveToDeletedItems An item is moved to the Deleted Items folder. Yes* Yes Yes
SendAs A message is sent using Send As permissions. Yes* Yes* No
SendOnBehalf A message is sent using Send on Behalf permissions. Yes* Yes No
SoftDelete An item is deleted from the Deleted Items folder. Yes* Yes* Yes
Update An item's properties are updated. Yes* Yes* Yes
* Audited by default if auditing is enabled for a mailbox.

10. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Demo 2 – Configuring Mailbox Auditing
• Set what actions are audited
• Set audit log age limit
• Determine size of mailbox audit log
• Delete mailbox audit log entries

11. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Demo 3 – Searching Mailbox Audit Log
• Search mailbox audit log
• Search for limited results
• Search for specific actions on specific dates
• Start mailbox audit log report
• Search for external access
• Show running audit log searches

12. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Auditing across Office 365 applications
• Recently Microsoft has added more auditing and reporting around
SharePoint Online and OneDrive
• Office 365 compliance center
• Search-UnifiedAuditLog
• AzureActiveDirectory
• AzureActiveDirectoryAccountLogon
• ExchangeAdmin
• ExchangeItem
• ExchangeItemGroup
• SharePoint
• SharePointFileOperation

13. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Audit Storage Architecture

14. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Demo 4 – Search Unified Audit Log
• Search unified audit log
• Convert audit data from JSON format
• Search for SharePoint file operations
• Search for Azure AD operations
• Search for Azure AD account login operations

15. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Reporting web service
Office 365 Reporting web service
reference page
Office 365 reporting-related
Windows PowerShell cmdlets
CsActiveUser* reports Get-CsAVConferenceTimeReport
CsAVConferenceTime* reports Get-CsActiveUserReport
CsConference* reports Get-CsConferenceReport
CsP2PAVTime* reports Get-CsP2PAVTimeReport
CsP2PSession* reports Get-CsP2PSessionReport
ConnectionbyClientType* reports Get-ConnectionByClientTypeReport
ConnectionbyClientTypeDetail* reports Get-ConnectionByClientTypeDetailReport
GroupActivity* reports Get-GroupActivityReport
MailboxActivity* reports Get-MailboxActivityReport
MailboxUsage report Get-MailboxUsageReport
MailboxUsageDetail report Get-MailboxUsageDetailReport
MailDetail report Get-MailDetailReport
MailDetailDlpPolicy report Get-MailDetailDlpPolicyReport
MailDetailMalware report Get-MailDetailMalwareReport
MailDetailSpam report Get-MailDetailSpamReport
MailDetailTransportRule report Get-MailDetailTransportRuleReport
MailFilterList report Get-MailFilterListReport
MailTraffic report Get-MailTrafficReport
MailTrafficPolicy report Get-MailTrafficPolicyReport
MailTrafficSummary reports Get-MailTrafficSummaryReport
MailTrafficTop report Get-MailTrafficTopReport
MessageTrace report Get-MessageTrace
MessageTraceDetail report Get-MessageTraceDetail
MxRecordReport report Get-MxRecordReport
OutboundConnectorReport report Get-OutboundConnectorReport
ServiceDeliveryReport report Get-ServiceDeliveryReport
StaleMailbox report Get-StaleMailboxReport
StaleMailboxDetail report Get-StaleMailboxDetailReport

16. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Demo 5 – Reporting Web Service
• Mx record report
• Outbound connector report
• Mail traffic summary report
• Stale mailbox detail report
• Connection by client type report
• Av conference time report

17. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Security & Compliance Center
• Intended to be single portal for all Security & Compliance
administration needs
• Work in progress

18. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Demo 6 – Security & Compliance Center
• Separate PowerShell connection
• Available commands
• Reports
• Compliance Search

19. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Accessing GUI Mailbox Audit Reports
• EAC > Compliance Management > Auditing
• Office 365 Compliance Center

20. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Demo 7 – Office 365 GUI reports

21. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Summary
• PowerShell is the best native way to get information out of Office 365
auditing and reporting
• Office 365 canned reports are not currently very flexible
• PowerShell reports may not be acceptable for management

22. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Q&A

23. A W A R D W I N N I N G E X C H A N G E & O F F I C E 3 6 5 M A N A G E M E N T
Thank You
www.enowsoftware.com