Is “AuditBypassEnabled” active in your organization?


General Introduction

AuditBypassEnabled is a property exposed by the Get-MailboxAuditBypassAssociation and Set-MailboxAuditBypassAssociation cmdlets, available in both Exchange on-premises and Exchange Online. When it is set to true, mailbox audit logging is bypassed for that account: no audit record is written when the account accesses its own mailbox or any other mailbox it has been granted access to.

While this might have made sense in some cases in an Exchange on-premises environment, in Exchange Online it’s mostly only a risk and I’m yet to see any real use case for it. Even if you log an application accessing its mailbox, this should not cause any issues to the system. While these types of logs might not be frequently accessed, it’s always better to have them.

How to audit

To check whether any mailboxes in your environment have AuditBypassEnabled set to true, you can use this script. The only drawback is that it outputs the mailbox name rather than the address.

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName "YOUR UPN HERE"

# Get all mailboxes with AuditBypassEnabled set to true (only the Name is shown)
Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object { $_.AuditBypassEnabled -eq $true } | Format-Table Name, AuditBypassEnabled


If you prefer to get the primary SMTP address for the mailboxes configured with AuditBypassEnabled set to true, you’ll have to cycle through all the mailboxes:

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName "YOUR UPN HERE"

# Get all mailboxes
$mailboxes = Get-Mailbox -ResultSize Unlimited

# Check each mailbox and report the ones with AuditBypassEnabled set to true
foreach ($mailbox in $mailboxes) {
    $auditBypass = Get-MailboxAuditBypassAssociation -Identity $mailbox.Identity
    if ($auditBypass.AuditBypassEnabled -eq $true) {
        Write-Output ("Mailbox: " + $mailbox.PrimarySmtpAddress + ", AuditBypassEnabled: " + $auditBypass.AuditBypassEnabled)
    }
}

How to disable

To disable AuditBypassEnabled for all the mailboxes, you’ll have to set AuditBypassEnabled to false. This script will do just that.

# Get all mailboxes with AuditBypassEnabled set to true
$mailboxesWithAuditBypass = Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object { $_.AuditBypassEnabled -eq $true }

# Loop through each mailbox and disable AuditBypass
foreach ($mailbox in $mailboxesWithAuditBypass) {
    Set-MailboxAuditBypassAssociation -Identity $mailbox.Identity -AuditBypassEnabled $false
}
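The two steps above (find the bypassed accounts, then clear the flag) can be combined so that the evidence is written to a CSV file before anything is changed and the change itself can be previewed with -WhatIf. The following is an added example, not the original post's script; it assumes an existing Exchange Online session (Connect-ExchangeOnline has already been run) and uses Get-Recipient to resolve the SMTP address only for the flagged accounts, which avoids walking every mailbox in the tenant:

```powershell
# Added example (not the original post's code): report every account whose mailbox audit
# logging is bypassed, record the findings to CSV, and optionally clear the flag.
# Assumes an existing Exchange Online session (Connect-ExchangeOnline has already run).
function Invoke-AuditBypassReview {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Evidence file written before any change is made
        [string]$ReportPath = ".\AuditBypass-$(Get-Date -Format yyyyMMdd-HHmm).csv",
        # Without this switch the function only reports; with it, AuditBypassEnabled is cleared
        [switch]$Remediate
    )

    # Ask only for the associations that are bypassed instead of querying every mailbox
    $bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
        Where-Object { $_.AuditBypassEnabled -eq $true }

    $findings = foreach ($assoc in $bypassed) {
        # Bypass associations can exist for objects that are not mailboxes, so fall back
        # to the association name if the recipient lookup fails.
        $recipient = Get-Recipient -Identity $assoc.Identity -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name               = $assoc.Name
            Identity           = $assoc.Identity
            PrimarySmtpAddress = if ($recipient) { $recipient.PrimarySmtpAddress } else { '(not a recipient)' }
            RecipientType      = if ($recipient) { $recipient.RecipientTypeDetails } else { 'Unknown' }
            AuditBypassEnabled = $assoc.AuditBypassEnabled
            ReviewedAt         = (Get-Date).ToString('o')
        }
    }

    if (-not $findings) {
        Write-Output 'No accounts have AuditBypassEnabled set to true.'
        return
    }

    # Keep the evidence before touching anything
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Output "Wrote $(@($findings).Count) finding(s) to $ReportPath"
    $findings | Format-Table Name, PrimarySmtpAddress, RecipientType, AuditBypassEnabled

    if ($Remediate) {
        foreach ($f in $findings) {
            # ShouldProcess makes -WhatIf and -Confirm work for this function
            if ($PSCmdlet.ShouldProcess($f.PrimarySmtpAddress, 'Set AuditBypassEnabled to $false')) {
                Set-MailboxAuditBypassAssociation -Identity $f.Identity -AuditBypassEnabled $false
            }
        }
    }
}

# Report only:
Invoke-AuditBypassReview
# Preview the change, then apply it:
# Invoke-AuditBypassReview -Remediate -WhatIf
# Invoke-AuditBypassReview -Remediate
```

Running the function without -Remediate is safe to schedule as a recurring check; the CSV gives you a dated record of which accounts were bypassed and when, which is worth keeping because the bypass itself leaves no trace in the mailbox audit log.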

https://learn.microsoft.com/en-us/purview/audit-mailboxes?view=o365-worldwide

Outlook requires app password for connecting to Exchange Online

Even though most people use modern authentication to connect to Exchange Online, some users still have to use app passwords to connect from Outlook.

For tenants created after August 2017, modern authentication is enabled by default, but some admins have it turned off.

To enable modern authentication for Exchange Online, follow these steps:

  • Leave all the basic authentication protocols selected.
  • Click “Save“.

You should aim to disable all the basic authentication protocols as soon as possible.
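Before and after changing the setting, it helps to see the tenant's current state from PowerShell: whether modern authentication is enabled at the organization level, and which basic authentication protocols the tenant's authentication policies still allow. The following is an added example, not part of the original post; it assumes an existing Exchange Online session and relies on the OAuth2ClientProfileEnabled and DefaultAuthenticationPolicy properties of Get-OrganizationConfig and the AllowBasicAuth* properties of Get-AuthenticationPolicy:

```powershell
# Added example (not the original post's code): summarise the tenant's authentication posture.
# Assumes an existing Exchange Online session (Connect-ExchangeOnline has already run).
function Get-ExoAuthPosture {
    [CmdletBinding()]
    param()

    $org = Get-OrganizationConfig

    # Each AllowBasicAuth* property on an authentication policy is a protocol that may still
    # accept basic authentication; list the ones that are set to true.
    $policies = foreach ($policy in Get-AuthenticationPolicy) {
        $allowed = $policy.PSObject.Properties |
            Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
            ForEach-Object { $_.Name -replace '^AllowBasicAuth', '' }
        [pscustomobject]@{
            Policy              = $policy.Name
            IsTenantDefault     = ("$($org.DefaultAuthenticationPolicy)" -eq "$($policy.Identity)")
            BasicAuthAllowedFor = if ($allowed) { $allowed -join ', ' } else { '(none)' }
        }
    }

    [pscustomobject]@{
        # OAuth2ClientProfileEnabled is the organization-level modern authentication switch
        ModernAuthEnabled           = $org.OAuth2ClientProfileEnabled
        DefaultAuthenticationPolicy = if ($org.DefaultAuthenticationPolicy) { "$($org.DefaultAuthenticationPolicy)" } else { '(none set)' }
        AuthenticationPolicies      = $policies
    }
}

$posture = Get-ExoAuthPosture
if (-not $posture.ModernAuthEnabled) {
    Write-Warning 'Modern authentication is disabled; Outlook clients will fall back to basic authentication / app passwords.'
    # To turn it on from PowerShell instead of the admin center:
    # Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}
$posture | Format-List ModernAuthEnabled, DefaultAuthenticationPolicy
$posture.AuthenticationPolicies | Format-Table -AutoSize
```

The BasicAuthAllowedFor column is the list to work through when you start disabling basic authentication protocols: an empty default policy, or a policy that still lists Imap, Pop or Smtp, means those clients are still able to fall back to passwords or app passwords.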

To enable modern authentication in Outlook 2013, follow this guide:

Enable Modern Authentication for Office 2013 on Windows devices