Conduct hands-on examination of organization and user level audit settings for Exchange Online mailboxes

[tkol2022]

💡 Summary

Perform hands-on tests of Exchange Online mailbox audit settings to understand how each configuration behaves in practice and the relationships between settings. There are numerous mailbox audit settings at both the organizational level and the user level and it is unclear how they behave in practice. The output of this investigation will produce test results that will inform new secure configuration policies for Exchange Online #1072.

The scope of this testing covers the following settings:

• Organization Level Setting: AuditDisabled
• User Level Setting: AuditEnabled
• User Level Setting: AuditBypassEnabled

Motivation and context

Without a hands-on test of all permutations of audit settings we won't know what the risks are and how to mitigate them with SCB policies.

Implementation notes

• Create a spreadsheet with every combination of the three audit settings listed above.
• Conduct a hands-on test of each combination and take note of how the system behaves in each state.
• Generate log events for each combination and then examine the logs to see if the expected events produced log entries. Take note in the spreadsheet.