General Introduction
AuditBypassEnabled is a parameter present in the Get-MailboxAuditBypassAssociation and Set-MailboxAuditBypassAssociation cmdlets, which are available in both Exchange and Exchange Online. When it’s set to true, mailbox audit logging is bypassed for that account, leaving no log of this user accessing its own mailbox or any other mailbox it has access to.
While this might have made sense in some cases in an Exchange on-premises environment, in Exchange Online it’s mostly just a risk, and I have yet to see any real use case for it. Even if you log an application accessing its mailbox, this should not cause any issues for the system. While these types of logs might not be accessed frequently, it’s always better to have them.
How to audit
To check whether any mailboxes in your environment have AuditBypassEnabled set to true, you can use this script. The only issue is that it outputs the name of the mailbox rather than its primary SMTP address.
# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName "YOUR UPN HERE"
# Get all mailboxes with AuditBypassEnabled set to true
Get-MailboxAuditBypassAssociation -ResultSize unlimited | where {$_.AuditBypassEnabled -eq $true} | Format-Table Name,AuditBypassEnabled
If you prefer to get the primary SMTP address for the mailboxes configured with AuditBypassEnabled set to true, you’ll have to cycle through all the mailboxes:
# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName "YOUR UPN HERE"
# Get all mailboxes
$mailboxes = Get-Mailbox -ResultSize Unlimited
# Get all mailboxes with AuditBypassEnabled set to true
foreach ($mailbox in $mailboxes) {
    $auditBypass = Get-MailboxAuditBypassAssociation -Identity $mailbox.Identity
    if ($auditBypass.AuditBypassEnabled -eq $true) {
        Write-Output ("Mailbox: " + $mailbox.PrimarySmtpAddress + ", AuditBypassEnabled: " + $auditBypass.AuditBypassEnabled)
    }
}
How to disable
To disable AuditBypassEnabled for all the mailboxes, you’ll have to set AuditBypassEnabled to false. This script will do just that.
# Get all mailboxes with AuditBypassEnabled set to true
$mailboxesWithAuditBypass = Get-MailboxAuditBypassAssociation -ResultSize unlimited | where {$_.AuditBypassEnabled -eq $true}
# Loop through each mailbox and disable AuditBypass
foreach ($mailbox in $mailboxesWithAuditBypass) {
    Set-MailboxAuditBypassAssociation -Identity $mailbox.Identity -AuditBypassEnabled $false
}
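The audit and the disable step can be combined so that the state before the change is recorded and the result is verified afterwards. The following is an added example, not part of the original scripts; it assumes Connect-ExchangeOnline has already been run, and the function name and CSV path are hypothetical.

```powershell
# Added example. Assumes an existing Exchange Online session.
# Disable-AuditBypassWithRecord and the report path are hypothetical names.
function Disable-AuditBypassWithRecord {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ReportPath = ".\AuditBypass-before.csv"
    )

    # One tenant-wide call, filtered locally, instead of one call per mailbox.
    $flagged = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
        Where-Object { $_.AuditBypassEnabled -eq $true }

    $report = @(foreach ($entry in $flagged) {
        # Resolve the address only for flagged entries. An entry that does not
        # resolve to a mailbox is still reported, with an empty address.
        $mbx = Get-Mailbox -Identity $entry.Identity -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name               = $entry.Name
            Identity           = $entry.Identity
            PrimarySmtpAddress = $(if ($mbx) { $mbx.PrimarySmtpAddress })
            AuditBypassEnabled = $entry.AuditBypassEnabled
        }
    })

    # Record the state before anything changes. -WhatIf:$false makes sure the
    # report is written even when the function itself runs with -WhatIf.
    $report | Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

    foreach ($row in $report) {
        if ($PSCmdlet.ShouldProcess($row.Name, "Set AuditBypassEnabled to false")) {
            Set-MailboxAuditBypassAssociation -Identity $row.Identity -AuditBypassEnabled $false
        }
    }

    # Re-check: anything returned here is still bypassing audit logging.
    Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
        Where-Object { $_.AuditBypassEnabled -eq $true } |
        Select-Object Name, AuditBypassEnabled
}

# Preview the changes first; the CSV is written, nothing is modified.
Disable-AuditBypassWithRecord -WhatIf
# Then apply them:
# Disable-AuditBypassWithRecord
```

With -WhatIf the final re-check still lists every flagged entry, because nothing has been changed yet.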
https://learn.microsoft.com/en-us/purview/audit-mailboxes?view=o365-worldwide