Microsoft Security & Compliance Center with Microsoft Secure Score has a long list of good, excellent and non-relevant security advice. Sometimes they seem a bit incompatible with each other...
Consider a situation where these are already done:
- Enable MFA for Azure AD privileged roles
- Enable MFA for (all) users
Then: Enable mailbox auditing for all users, using O365-InvestigationTooling / EnableMailboxAuditing.ps1:
#This script will enable non-owner (and owner) mailbox access auditing on every mailbox in your tenancy
#First, let's get us a cred!
$userCredential = Get-Credential
#This gets us connected to an Exchange remote powershell service
#(Basic auth against the legacy remoting endpoint; it has no way to answer an MFA challenge)
$ExoSession = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $userCredential -Authentication Basic -AllowRedirection
Import-PSSession $ExoSession
#Enable global audit logging
#The action lists are identical for every mailbox, so keep them in one splatting table
#(UpdateFolderPermissions is the documented value; the singular spelling is not)
$auditSettings = @{
    AuditEnabled     = $true
    AuditLogAgeLimit = 180
    AuditAdmin       = 'Update', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete', 'SendAs', 'SendOnBehalf', 'Create', 'UpdateFolderPermissions'
    AuditDelegate    = 'Update', 'SoftDelete', 'HardDelete', 'SendAs', 'Create', 'UpdateFolderPermissions', 'MoveToDeletedItems', 'SendOnBehalf'
    AuditOwner       = 'UpdateFolderPermissions', 'MailboxLogin', 'Create', 'SoftDelete', 'HardDelete', 'Update', 'MoveToDeletedItems'
}
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox" `
    -or RecipientTypeDetails -eq "SharedMailbox" -or RecipientTypeDetails `
    -eq "RoomMailbox" -or RecipientTypeDetails -eq "DiscoveryMailbox"} `
    | Set-Mailbox @auditSettings
#Double-Check It!
Get-Mailbox -ResultSize Unlimited `
    | Select Name, AuditEnabled, AuditLogAgeLimit `
    | Out-Gridview
However, New-PSSession fails with a Global Administrator account:
New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message : Access is denied.
I believe this is because Get-Credential or New-PSSession doesn't support MFA. The documentation for the AuthenticationMechanism enum doesn't seem to have such an authentication mechanism; changing Basic to Default doesn't help. Am I wrong?
Is there any other way for enabling mailbox access auditing for all users / checking its status?
I was correct that the culprit was MFA alone. I temporarily disabled MFA for a Global Administrator account and the script worked fine. After all, you only need to do this once, or maybe occasionally just to update it for new mailboxes. Disabling & enabling MFA happens immediately, and for maximum (i.e. tin foil hat) security you can even change the password right before running the script.
UPDATE: An App Password works, too! I'm not sure if that's really a secure choice from Microsoft, considering the information you could gain and the settings you could alter, totally skipping the MFA.
Old post, but to use PowerShell supporting MFA & Modern Authentication, you need to use the Microsoft Exchange Online PowerShell Module - this can be downloaded from the "hybrid" section of the Exchange Online admin centre.
https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps
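As an added example (not code from the original post, from the O365-InvestigationTooling repository, or from Microsoft), here is the same procedure from the question written against the current ExchangeOnlineManagement module, the successor of the click-to-run module the answer above points to. Connect-ExchangeOnline performs a modern-auth sign-in, so an MFA-enabled admin completes the MFA prompt interactively and neither an app password nor a temporary MFA downgrade is needed. It assumes the module is installed (Install-Module -Name ExchangeOnlineManagement); the admin UPN is a placeholder, and the audit action lists are the ones from the question's script.

```powershell
# Added example, not from the original post or from O365-InvestigationTooling.
# Assumes: Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
#Requires -Modules ExchangeOnlineManagement

$AdminUpn         = 'admin@contoso.onmicrosoft.com'   # placeholder (assumption), replace with your admin account
$AuditLogAgeLimit = 180                               # days to retain mailbox audit records
$MailboxTypes     = 'UserMailbox', 'SharedMailbox', 'RoomMailbox', 'DiscoveryMailbox'

# Same action lists as the script in the question; UpdateFolderPermissions is the documented value.
$AuditActions = @{
    AuditAdmin    = 'Update', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete',
                    'SendAs', 'SendOnBehalf', 'Create', 'UpdateFolderPermissions'
    AuditDelegate = 'Update', 'SoftDelete', 'HardDelete', 'SendAs', 'Create',
                    'UpdateFolderPermissions', 'MoveToDeletedItems', 'SendOnBehalf'
    AuditOwner    = 'UpdateFolderPermissions', 'MailboxLogin', 'Create', 'SoftDelete',
                    'HardDelete', 'Update', 'MoveToDeletedItems'
}

# Modern auth: the sign-in window handles the MFA challenge that Basic auth over
# New-PSSession cannot, so the MFA-protected admin account can be used as-is.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    # Tenant-wide switch: while this is $true, per-mailbox AuditEnabled has no effect.
    if ((Get-OrganizationConfig).AuditDisabled) {
        Write-Warning 'Organization-level AuditDisabled is $true; per-mailbox settings will not take effect until it is cleared.'
    }

    # Get-EXOMailbox is the REST-backed replacement for Get-Mailbox in this module;
    # ask only for the properties needed so the call stays fast on large tenants.
    $mailboxes = Get-EXOMailbox -ResultSize Unlimited `
        -RecipientTypeDetails $MailboxTypes `
        -Properties AuditEnabled, AuditLogAgeLimit

    # Only change mailboxes that are not already at the desired setting, so re-runs
    # (e.g. after new mailboxes are created) are cheap and idempotent.
    $needsChange = $mailboxes | Where-Object {
        -not $_.AuditEnabled -or
        [TimeSpan]::Parse($_.AuditLogAgeLimit.ToString()).Days -lt $AuditLogAgeLimit
    }

    foreach ($mbx in $needsChange) {
        Set-Mailbox -Identity $mbx.UserPrincipalName -AuditEnabled $true `
            -AuditLogAgeLimit $AuditLogAgeLimit @AuditActions
    }
    Write-Host "Updated $($needsChange.Count) of $($mailboxes.Count) mailboxes."

    # Double-check: re-read the setting and list anything still not audited.
    $stillOff = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails $MailboxTypes `
                    -Properties AuditEnabled |
                Where-Object { -not $_.AuditEnabled }
    if ($stillOff) {
        $stillOff | Select-Object UserPrincipalName, AuditEnabled | Format-Table -AutoSize
    } else {
        Write-Host 'Mailbox auditing is enabled on every mailbox in scope.'
    }

    # Sanity check that records actually flow: sample recent Exchange mailbox audit
    # events from the unified audit log (present only if unified auditing is on).
    $recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
                  -RecordType ExchangeItem -ResultSize 50
    Write-Host "Exchange mailbox audit events in the last 24h (sample): $($recent.Count)"
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it from a normal PowerShell session with the MFA-enabled Global Administrator account; no app password, no MFA toggle and no password rotation are involved, which removes the window the update above worries about. Because the script only touches mailboxes that are missing the setting, it can be scheduled to catch new mailboxes without rewriting the whole tenant each time.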