
Mailbox Auditing Bypass Check [CHK-1055]

This check verifies whether there are mailboxes for which audit logging is being bypassed.

Rationale

Audit logging is crucial for identifying malicious activity. If it's deliberately disabled, it may indicate an attacker trying to erase their traces.

Fix

An automated fix is available through Attic.

Manual steps:

  1. Connect to Exchange Online via Connect-ExchangeOnline.
  2. Run the following command:
Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object { $_.AuditBypassEnabled -eq $true } | ForEach-Object { Set-MailboxAuditBypassAssociation -Identity $_.Identity -AuditBypassEnabled $false }
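
Because an enabled bypass may itself be evidence of tampering, it is worth recording which entries had it set before switching it off. The script below is an added example, not Attic's automated fix or code from the original page: it saves the findings to CSV, disables the bypass only when asked, and re-runs the check afterwards. The function name `Repair-MailboxAuditBypass`, its parameters and the report path are hypothetical, and it assumes a session already opened with Connect-ExchangeOnline.

```powershell
# Added example: report first, remediate only on request, then verify.
# Assumes an active Connect-ExchangeOnline session.
# Function name, parameters and CSV path are hypothetical.
function Repair-MailboxAuditBypass {
    [CmdletBinding()]
    param(
        [string]$ReportPath = ".\audit-bypass-$(Get-Date -Format yyyyMMdd-HHmmss).csv",
        [switch]$Remediate
    )

    # Same filter as the manual step: every entry with the bypass switched on.
    $bypassed = @(Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
        Where-Object { $_.AuditBypassEnabled -eq $true })

    if ($bypassed.Count -eq 0) {
        Write-Output 'Okay: audit logging is not being bypassed.'
        return
    }

    # Keep a record before changing anything, so the finding can be investigated later.
    $bypassed | Select-Object Name, Identity, AuditBypassEnabled, WhenChanged |
        Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Warning "$($bypassed.Count) bypass association(s) found; saved to $ReportPath"

    if (-not $Remediate) { return }

    # One call per entry, so $account.Identity is always bound to a real object.
    foreach ($account in $bypassed) {
        Set-MailboxAuditBypassAssociation -Identity $account.Identity -AuditBypassEnabled $false
    }

    # Re-run the check to confirm the outcome is now Okay.
    $remaining = @(Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
        Where-Object { $_.AuditBypassEnabled -eq $true })
    if ($remaining.Count -gt 0) {
        Write-Warning "Still bypassed: $($remaining.Name -join ', ')"
    } else {
        Write-Output 'Okay: audit logging is no longer being bypassed.'
    }
}

Repair-MailboxAuditBypass               # report only
# Repair-MailboxAuditBypass -Remediate  # report, disable the bypass, verify
```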

Impact

Disabling the bypass of audit logging for the mailbox(es) ensures that all user activities are logged, enhancing security.

More Information

The check has two possible outcomes:

  • Okay: There are no mailboxes in the tenant for which audit logging is being bypassed.
  • Warning: Audit logging is being bypassed for at least one of the mailboxes.

If the output is Warning, we advise disabling the bypass of audit logging for the mailbox(es) in question.