Most Office 365 security breaches happen due to internal violations of the organization's policies and guidelines and the inability of administrators to constantly monitor such threats. There are several areas in Office 365 where internal threats are likely to surface and cause potential security vulnerabilities. Security issues in Office 365 may arise from group memberships, distribution group memberships, sharing of mailboxes and Public Folders, and inappropriate permissions such as Full Access permissions to a mailbox. Many of these and more may cause a security breach in Office 365.
Let us discuss how to regularly monitor some of these using the Office 365 portal.
- Group / Distribution Group Membership
- Administration Roles
- Mailbox Access
- Shared Mailbox Access
- Public Folder Access
How to monitor Group and Distribution Group Memberships in Office 365 using PowerShell or the Office 365 Admin center?
A user can be a member of one or more groups or distribution groups. When a user moves to a different department, or when there is a suspected security breach involving a user who is a member of some group, administrators must review all of that user's group memberships to prevent unauthorized access to other information assets.
Perform the following steps to view group membership information in Office 365:
1. Log on to the Office 365 Admin Center
2. In the left navigation pane, click Groups > Groups
3. Select a Group
4. In the details pane at the right of the screen, next to Members, click Edit Exchange Settings
5. Click Edit Exchange Settings; the group's Exchange properties are displayed.
Using PowerShell Command:
You can also use PowerShell commands to view group membership information:
- Open Windows PowerShell as a privileged user (Run as administrator), run the following command, type your Office 365 admin user name and password, and then click OK.
$Cred = Get-Credential
- Run the following two commands to connect to an Exchange Online PowerShell session.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
- Finally, run the command below to view the group's members.
Get-DistributionGroupMember -Identity "All Employees"
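The command above lists the members of one group, while a review of a single user needs the reverse view. The following is an added example, not part of the original article: it covers distribution groups only, walks nested groups as well, and assumes the Exchange Online cmdlets are already loaded in the session; the function name and the sample address are hypothetical.

```powershell
# Added example: every distribution group a user belongs to, directly or via nesting.
# Assumes the Exchange Online cmdlets are already available in this session.
function Get-UserDistributionGroupMembership {
    param([Parameter(Mandatory)][string]$UserAddress)   # primary SMTP address

    # Build a map: member address -> groups that directly contain that member.
    $parents = @{}
    foreach ($group in Get-DistributionGroup -ResultSize Unlimited) {
        $groupAddr = [string]$group.PrimarySmtpAddress
        $members   = Get-DistributionGroupMember -Identity $groupAddr -ResultSize Unlimited
        foreach ($m in $members) {
            $key = ([string]$m.PrimarySmtpAddress).ToLowerInvariant()
            if (-not $key) { continue }
            if (-not $parents.ContainsKey($key)) { $parents[$key] = @() }
            $parents[$key] += [pscustomobject]@{ Name = $group.DisplayName; Address = $groupAddr }
        }
    }

    # Walk upward from the user; $seen stops loops between mutually nested groups.
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Address = $UserAddress.ToLowerInvariant(); Via = 'direct' })
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        foreach ($g in $parents[$item.Address]) {
            $gKey = $g.Address.ToLowerInvariant()
            if ($seen.ContainsKey($gKey)) { continue }
            $seen[$gKey] = $true
            [pscustomobject]@{ Group = $g.Name; GroupAddress = $g.Address; Via = $item.Via }
            $queue.Enqueue(@{ Address = $gKey; Via = "via $($g.Name)" })
        }
    }
}

# Constructed address for illustration:
# Get-UserDistributionGroupMembership -UserAddress 'jane.doe@contoso.example' | Format-Table
```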
How to monitor Administration Roles in Office 365?
A user can be assigned multiple administration roles. If you have a fairly large organization with multiple departments, you will most likely need to assign Office 365 administration roles to several users. All delegated roles must be assigned or removed with a proper audit trail that allows you to track when changes were made. These Office 365 administration roles also need to be audited regularly to verify that the assigned users and roles continue to be valid (for example, an assigned user may have left the organization or moved out of their functional role).
Perform the following steps to view users who have been assigned administration roles in Office 365:
1. Log on to the Office 365 Admin Center
2. In the left navigation pane, click Users > Active Users
3. Choose the user whose administrator role you want to view.
4. In the details pane at the right of the screen, next to Roles, click Edit.
5. The assigned administrator role for the selected user is displayed.
Using PowerShell Command:
You can also use PowerShell commands to view the users who have been assigned administration roles in Office 365:
- Open Windows PowerShell as a privileged user (Run as administrator), run the following command, type your Office 365 admin user name and password, and then click OK.
Connect-MsolService
- Run the command below to get the role object ID for the corresponding role name.
Get-MsolRole -RoleName "Company Administrator"
- Run the command below to view the role's members.
Get-MsolRoleMember -RoleObjectId "62e90394-69f5-4237-9190-012177145e10"
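The regular audit described above can be scripted by listing every role's members and comparing the result with a saved baseline. This is an added example, not part of the original article; it assumes Connect-MsolService has already been run, and the function names and the baseline file name are hypothetical.

```powershell
# Added example: inventory every admin role assignment and diff it against a saved baseline.
# Assumes Connect-MsolService has already been run in this session.
function Get-AdminRoleAssignment {
    foreach ($role in Get-MsolRole) {
        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId -All) {
            [pscustomobject]@{
                Role       = $role.Name
                Member     = $member.DisplayName
                Email      = $member.EmailAddress
                MemberType = $member.RoleMemberType
                Key        = "$($role.ObjectId)|$($member.ObjectId)"   # stable identity for diffing
            }
        }
    }
}

function Compare-AdminRoleSnapshot {
    param(
        [Parameter(Mandatory)][string]$BaselinePath,              # CSV written by an earlier run
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Current
    )
    $old = @{}; foreach ($row in Import-Csv -Path $BaselinePath) { $old[$row.Key] = $row }
    $new = @{}; foreach ($row in $Current) { $new[$row.Key] = $row }

    # Assignments present now but not in the baseline.
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k)) {
            $new[$k] | Select-Object @{ n = 'Change'; e = { 'Added' } }, Role, Member, Email
        }
    }
    # Assignments in the baseline that no longer exist.
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k)) {
            $old[$k] | Select-Object @{ n = 'Change'; e = { 'Removed' } }, Role, Member, Email
        }
    }
}

# Usage (file name is a placeholder):
# $now = @(Get-AdminRoleAssignment)
# Compare-AdminRoleSnapshot -BaselinePath .\admin-roles-baseline.csv -Current $now
# $now | Export-Csv .\admin-roles-baseline.csv -NoTypeInformation   # becomes the next baseline
```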
How to monitor Mailbox Access in Office 365?
A user can be assigned Full Access, Send As and Send on Behalf permissions to another user's mailbox. When several users are given access to a mailbox, it is important that the administrator can manage such mailbox permissions with a full audit trail of when permissions were granted and revoked. This helps you keep your Office 365 environment secure by documenting and understanding who has access to other users' mailboxes. One of the most important responsibilities of an administrator from a security standpoint is to monitor all user access to Office 365 mailboxes. It helps you analyze the security implications of users' access rights.
To find Office 365 users who have access to other users' mailboxes:
1. Log on to the Office 365 Admin Center
2. In the left navigation pane, click Admin Centers > Exchange
3. Click Recipients > Mailboxes
4. The list of mailboxes is displayed
5. Select a mailbox, click Edit, and then click mailbox delegation
6. The list of users who have access to the user's mailbox is displayed.
How to monitor Shared Mailbox Access in Office 365?
A user can be assigned Full Access and Send As permissions to shared mailboxes. A shared mailbox is a mailbox that multiple users can use to read and send email messages. A shared mailbox is more vulnerable to security breaches than a regular mailbox because it may get shared with an increasing number of users over a period of time.
To find Office 365 users who have access to shared mailboxes:
1. Log on to the Office 365 Admin Center
2. In the left navigation pane, click Admin Centers > Exchange
3. Click Recipients > Shared
4. The list of shared mailboxes is displayed
5. Select a shared mailbox, click Edit, and then click mailbox delegation
6. The list of users who have access to the shared mailbox is displayed.
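The mailbox delegation view shows one mailbox at a time, for both regular mailboxes (previous section) and shared mailboxes (this section). The following is an added example, not part of the original article, that reports Full Access, Send As and Send on Behalf for all mailboxes of either type; it assumes the Exchange Online cmdlets are already loaded in the session, and the function name is hypothetical.

```powershell
# Added example: one row per (mailbox, delegate, right) for user or shared mailboxes.
# Assumes the Exchange Online cmdlets are already available in this session.
function Get-MailboxDelegationReport {
    param(
        [ValidateSet('UserMailbox', 'SharedMailbox')]
        [string]$Type = 'UserMailbox'
    )
    foreach ($mbx in Get-Mailbox -RecipientTypeDetails $Type -ResultSize Unlimited) {
        $id = [string]$mbx.PrimarySmtpAddress

        # Full Access: ignore inherited and deny entries and built-in NT AUTHORITY principals.
        Get-MailboxPermission -Identity $id |
            Where-Object {
                -not $_.IsInherited -and -not $_.Deny -and
                $_.User -notlike 'NT AUTHORITY\*' -and
                ($_.AccessRights -like '*FullAccess*')
            } |
            ForEach-Object {
                [pscustomobject]@{ Mailbox = $id; Delegate = [string]$_.User; Right = 'FullAccess' }
            }

        # Send As is stored as a recipient permission, not a mailbox permission.
        Get-RecipientPermission -Identity $id |
            Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' -and ($_.AccessRights -like '*SendAs*') } |
            ForEach-Object {
                [pscustomobject]@{ Mailbox = $id; Delegate = [string]$_.Trustee; Right = 'SendAs' }
            }

        # Send on Behalf is a property of the mailbox itself.
        foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
            [pscustomobject]@{ Mailbox = $id; Delegate = [string]$delegate; Right = 'SendOnBehalf' }
        }
    }
}

# Delegates ranked by how many shared mailboxes they can reach:
# Get-MailboxDelegationReport -Type SharedMailbox |
#     Group-Object Delegate | Sort-Object Count -Descending | Select-Object Count, Name
```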
How to monitor Public Folder Access?
Similar to shared mailboxes, multiple users are assigned permissions to Office 365 Public folders. Public folders are designed for shared access and provide an easy and effective way to collect, organize, and share information with other people in your workgroup or organization. Administrators should closely monitor who has access to public folders to prevent unauthorized or unregulated access. This is particularly important because Public folder access rights can get messy over a period of time and pose a challenge when you specifically want to analyze a particular user's access to different public folders.
To find the list of users who have access to an Office 365 public folder:
1. Log on to the Office 365 Admin Center
2. In the left navigation pane, click Admin Centers > Exchange
3. Click Public folders
4. Select a folder and click Manage on the right pane
5. The list of users who have access to the public folder is displayed.
6. Click Edit to view Public folder permissions
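Analyzing one user's access across all public folders, the case called out above, means checking every folder's permission list. The following is an added example, not part of the original article: it assumes the Exchange Online cmdlets are already loaded in the session and matches the user by display name; the function name is hypothetical.

```powershell
# Added example: public folders a given user can reach, explicitly or through Default/Anonymous.
# Assumes the Exchange Online cmdlets are already available in this session.
# Access granted through group membership is not resolved here.
function Get-UserPublicFolderAccess {
    param([Parameter(Mandatory)][string]$UserDisplayName)   # matched against the permission entry name

    foreach ($pf in Get-PublicFolder -Identity '\' -Recurse -ResultSize Unlimited) {
        $path = [string]$pf.Identity
        foreach ($entry in Get-PublicFolderClientPermission -Identity $path) {
            # The User value is an object in some session types and a string in others.
            $who    = if ($entry.User.DisplayName) { $entry.User.DisplayName } else { [string]$entry.User }
            $rights = @($entry.AccessRights) -join ','

            # Default and Anonymous entries apply to everyone unless they are set to None.
            $isUser     = $who -eq $UserDisplayName
            $isEveryone = ($who -in 'Default', 'Anonymous') -and ($rights -ne 'None')
            if ($isUser -or $isEveryone) {
                [pscustomobject]@{ Folder = $path; GrantedTo = $who; AccessRights = $rights }
            }
        }
    }
}

# Constructed display name for illustration:
# Get-UserPublicFolderAccess -UserDisplayName 'Jane Doe' | Sort-Object Folder | Format-Table
```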
Conclusion
This discussion highlights some of the specific areas in Office 365 that constantly pose internal security threats, that is, threats arising from inadvertent access rights granted to users without proper security guidelines and policies in place. Internal threats are an important challenge when you move to a cloud environment like Office 365. Addressing them requires diligence and proper tools.
While all these Office 365 internal threats may be monitored and managed using the Office 365 Admin Center or by stitching together different PowerShell scripts, automated third-party tools save you a lot of time and effort by providing sophisticated features to address such security issues. One such tool is the Vyapin Microsoft 365 Management Suite.