Connector Overview

Access to Exchange Online is based on Microsoft Exchange Online PowerShell API capabilities.

Audit types include:

  • Mailbox Access Audit
    • Administrators who access other users’ mailboxes
    • Users who access other users’ mailboxes as delegates
  • Administrator Audit PowerShell Cmdlets
    • Every Set-* PowerShell cmdlet is audited

Capabilities

This connector enables you to use Data Access Security to access and analyze data stored in Exchange Online and do the following:

  • Analyze the structure of your stored data.
  • Monitor user activity in the resources.
  • Classify the data being stored.
  • Verify user permissions on the resources, and compare them against requirements.
  • Manage access fulfillment – automated granting and revoking of access – according to rules set in Data Access Security.
  • Identity collector – collect IAM users, groups, and roles and the connections between them.

See the Data Access Security documentation for a full description.

Exchange Online Connector OAuth 2.0 Support

The connector uses Modern Authentication exclusively and does not require Legacy Authentication to be enabled, tenant-wide or otherwise.

Permissions Collection Operation Principle

The File Access Manager Connector connects using the PowerShell interface and analyzes mailboxes, folders, public folders, and their permissions.

Mailbox Audit

  1. Mailbox audit events are assigned to the relevant mailbox business resource.
  2. The list of monitored mailbox types can be found in the BAMFramework.exe.config file under the recipientTypeDetailsToMonitor setting.

By default, the following types are defined and monitored:

  • UserMailbox
  • SharedMailbox

Monitored Activities

Action             | Description                                                                                                                        | Admin | Delegate | Owner
-------------------|------------------------------------------------------------------------------------------------------------------------------------|-------|----------|------
Copy               | An item is copied to another folder.                                                                                               | Yes   | Yes      | No
Create             | An item is created in the mailbox (for example, a message is sent or received). Note that folder creation isn't audited.           | Yes   | Yes      | Yes
FolderBind         | A mailbox folder is accessed.                                                                                                      | Yes   | Yes      | No
HardDelete         | An item is deleted permanently from the Recoverable Items folder.                                                                  | Yes   | Yes      | Yes
MessageBind        | An item is accessed in the reading pane or opened.                                                                                 | Yes   | No       | No
Move               | An item is moved to another folder.                                                                                                | Yes   | Yes      | Yes
MoveToDeletedItems | An item is moved to the Deleted Items folder.                                                                                      | Yes   | Yes      | Yes
SendAs             | A message is sent using Send As permissions.                                                                                       | Yes   | Yes      | N/A
SendOnBehalf       | A message is sent using Send on Behalf permissions.                                                                                | Yes   | Yes      | N/A
SoftDelete         | An item is deleted from the Deleted Items folder.                                                                                  | Yes   | Yes      | Yes
Update             | An item's properties are updated.                                                                                                  | Yes   | Yes      | Yes
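The connector can only report an action if the mailbox's own audit configuration records it for that logon type. The following script is an added example, not part of the connector documentation: it checks every mailbox of the default monitored types (UserMailbox, SharedMailbox) against the Admin/Delegate/Owner columns of the table above and lists any missing actions. It assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline has been run); the Get-Mailbox cmdlet and its AuditEnabled, AuditAdmin, AuditDelegate and AuditOwner properties are standard.

```powershell
# Added example: report mailboxes whose audit settings do not cover the
# actions the connector monitors. Assumes Connect-ExchangeOnline was run.
# The script only reports; it changes nothing. Whether a tenant accepts
# every listed action for a logon type is up to the service, so treat a
# reported gap as something to verify, not necessarily a misconfiguration.

# Expected actions per logon type, taken from the Monitored Activities table.
$Expected = @{
    AuditAdmin    = @('Copy','Create','FolderBind','HardDelete','MessageBind','Move',
                      'MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update')
    AuditDelegate = @('Copy','Create','FolderBind','HardDelete','Move',
                      'MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update')
    AuditOwner    = @('Create','HardDelete','Move','MoveToDeletedItems','SoftDelete','Update')
}

# Mailbox types the connector monitors by default (recipientTypeDetailsToMonitor).
$MonitoredTypes = @('UserMailbox','SharedMailbox')

$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails $MonitoredTypes

$Report = foreach ($mbx in $Mailboxes) {
    foreach ($logonType in $Expected.Keys) {
        # AuditAdmin / AuditDelegate / AuditOwner are multi-valued properties.
        $configured = @($mbx.$logonType | ForEach-Object { "$_" })
        $missing = @($Expected[$logonType] | Where-Object { $_ -notin $configured })

        # Flag the mailbox if auditing is off entirely or an expected action is absent.
        if (-not $mbx.AuditEnabled -or $missing.Count -gt 0) {
            [PSCustomObject]@{
                Mailbox        = $mbx.UserPrincipalName
                RecipientType  = $mbx.RecipientTypeDetails
                AuditEnabled   = $mbx.AuditEnabled
                LogonType      = $logonType
                MissingActions = ($missing -join ',')
            }
        }
    }
}

$Report | Sort-Object Mailbox, LogonType | Format-Table -AutoSize
```

An empty report means every monitored mailbox records at least the actions in the table; rows with AuditEnabled set to False are the ones the connector will receive no mailbox audit events for at all.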

Admin Audit Events (Administrator Audit Logging)

File Access Manager features the following Admin audit events:

  • General Admin audit events are assigned to a special resource (Audit Admin).
  • Admin audit events that relate to a specific mailbox are assigned to the mailbox business resource.

The list of commands can be found in the framework configuration file in the mailboxAuditLogCmdLets setting.

  • For Exchange: The config file is WBX.Exchange2010BAMHost.dll.config
  • For Exchange Online: The config file is WBX.ExchangeOnlineBAMHost.dll.config

By default, the following are defined as mailbox commands:

  • Remove-Mailbox
  • New-Mailbox
  • Set-Mailbox
  • Add-MailboxPermission
  • Remove-MailboxPermission
  • Set-MailboxAutoReplyConfiguration

Admin audit events related to a specific mailbox folder are assigned to the mailbox folder business resource.

The list of commands can be found in the BAMFramework.exe.config file in the mailboxFolderAuditLogCmdLets setting.

By default, the following are defined as mailbox folder commands:

  • Add-MailboxFolderPermission
  • Remove-MailboxFolderPermission
  • Set-MailboxFolderPermission

Admin audit events related to a specific public folder are assigned to the public folder business resource.

The list of commands can be found in the BAMFramework.exe.config file in the publicFolderAuditLogCmdLets setting.

By default, the following commands are defined as public folder commands:

  • Add-PublicFolderClientPermission
  • Remove-PublicFolderClientPermission
  • New-PublicFolder
  • Remove-PublicFolder
  • Add-PublicFolderAdministrativePermission
  • Remove-PublicFolderAdministrativePermission

Exchange Online Connector Installation Flow Overview

To install the Exchange Online connector:

  1. Configure all the prerequisites.
  2. Add a new Exchange Online application.
  3. Install the relevant services:
    • Activity Monitor

Note

Exchange Online currently does not support the Cloud-Ready architecture for permissions collection and data classification. Permissions collection and data classification tasks run on the central engine services associated with the application, regardless of whether one or more collectors are associated with that central engine.