Connector Overview
Access to Exchange Online is based on Microsoft Exchange Online PowerShell API capabilities.
Audit types include:
- Mailbox Access Audit
  - Administrators who access other users’ mailboxes
  - Users who access other users’ mailboxes as delegates
- Administrator Audit PowerShell Cmdlets
  - Every Set-* PowerShell cmdlet is audited
- Every 
Capabilities
This connector enables you to use Data Access Security to access and analyze data stored in Exchange Online and do the following:
- Analyze the structure of your stored data.
- Monitor user activity in the resources.
- Classify the data being stored.
- Verify user permissions on the resources, and compare them against requirements.
- Manage access fulfillment – automated granting and revoking of access – according to rules set in Data Access Security.
- Identity collector – collect IAM users, groups, and roles and the connections between them.
See the Data Access Security documentation for a full description.
Exchange Online Connector OAuth 2.0 Support
The connector uses Modern Authentication exclusively and does not require Legacy Authentication to be enabled, tenant-wide or otherwise.
Permissions Collection Operation Principle
The File Access Manager Connector connects using the PowerShell interface and analyzes mailboxes, folders, public folders, and their permissions.
Mailbox Audit
- Mailbox audit events are assigned to the relevant mailbox business resource.
- The list of monitored mailbox types can be found in the BAMFramework.exe.config file under the recipientTypeDetailsToMonitor setting.
By default, the following types are defined and monitored:
- UserMailbox
- SharedMailbox
Monitored Activities
| Action | Description | Admin | Delegate | Owner | 
|---|---|---|---|---|
| Copy | An item is copied to another folder. | Yes | Yes | No | 
| Create | An item is created in the mailbox. (For example, a message is sent or received.) Note that folder creation isn't audited. | Yes | Yes | Yes | 
| FolderBind | A mailbox folder is accessed. | Yes | Yes | No | 
| HardDelete | An item is deleted permanently from the Recoverable Items folder. | Yes | Yes | Yes | 
| MessageBind | An item is accessed in the reading pane or opened. | Yes | No | No | 
| Move | An item is moved to another folder. | Yes | Yes | Yes | 
| MoveToDeletedItems | An item is moved to the Deleted Items folder. | Yes | Yes | Yes | 
| SendAs | A message is sent using Send As permissions. | Yes | Yes | N/A | 
| SendOnBehalf | A message is sent using Send on Behalf permissions. | Yes | Yes | N/A | 
| SoftDelete | An item is deleted from the Deleted Items folder. | Yes | Yes | Yes | 
| Update | An item's properties are updated. | Yes | Yes | Yes | 
Admin Audit Events (Administrator Audit Logging)
File Access Manager features the following Admin audit events:
- General Admin audit events are assigned to a special resource (Audit Admin).
- Admin audit events that relate to a specific mailbox are assigned to the mailbox business resource.
The list of commands can be found in the framework configuration file in the mailboxAuditLogCmdLets setting.
- For Exchange: The config file is WBX.Exchange2010BAMHost.dll.config
- For Exchange Online: The config file is WBX.ExchangeOnlineBAMHost.dll.config
By default, the following are defined as mailbox commands:
- Remove-Mailbox
- New-Mailbox
- Set-Mailbox
- Add-MailboxPermission
- Remove-MailboxPermission
- Set-MailboxAutoReplyConfiguration
Admin audit events related to a specific mailbox folder are assigned to the mailbox folder business resource.
The list of commands can be found in the BAMFramework.exe.config file in the mailboxFolderAuditLogCmdLets setting.
By default, the following are defined as mailbox folder commands:
- Add-MailboxFolderPermission
- Remove-MailboxFolderPermission
- Set-MailboxFolderPermission
Admin audit events related to a specific public folder are assigned to the public folder business resource.
The list of commands can be found in the BAMFramework.exe.config file in the publicFolderAuditLogCmdLets setting.
By default, the following commands are defined as public folder commands:
- Add-PublicFolderClientPermission
- Remove-PublicFolderClientPermission
- New-PublicFolder
- Remove-PublicFolder
- Add-PublicFolderAdministrativePermission
- Remove-PublicFolderAdministrativePermission
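The Monitored Activities table and the default cmdlet lists above determine which activity produces an event and which business resource it is assigned to. The following Python example is added here and is not the connector's own code: it encodes those defaults to list the logon-type blind spots and to route admin cmdlets. Assumptions: the function names and sample events are constructed, activity on a mailbox type outside the monitored list yields no event, and a cmdlet in none of the lists counts as a general Admin audit event.

```python
# Added example: coverage model built from the defaults listed on this page.
LOGON_TYPES = ("Admin", "Delegate", "Owner")
# Monitored Activities table, one flag per logon type: Y = yes, N = no, - = N/A
MATRIX = {
    "Copy": "YYN", "Create": "YYY", "FolderBind": "YYN", "HardDelete": "YYY",
    "MessageBind": "YNN", "Move": "YYY", "MoveToDeletedItems": "YYY",
    "SendAs": "YY-", "SendOnBehalf": "YY-", "SoftDelete": "YYY", "Update": "YYY",
}
MONITORED_TYPES = {"UserMailbox", "SharedMailbox"}  # recipientTypeDetailsToMonitor
# Default cmdlet lists, keyed by the business resource type events are assigned to
CMDLETS = {
    "mailbox": ["Remove-Mailbox", "New-Mailbox", "Set-Mailbox", "Add-MailboxPermission",
                "Remove-MailboxPermission", "Set-MailboxAutoReplyConfiguration"],
    "mailbox folder": ["Add-MailboxFolderPermission", "Remove-MailboxFolderPermission",
                       "Set-MailboxFolderPermission"],
    "public folder": ["Add-PublicFolderClientPermission", "Remove-PublicFolderClientPermission",
                      "New-PublicFolder", "Remove-PublicFolder",
                      "Add-PublicFolderAdministrativePermission",
                      "Remove-PublicFolderAdministrativePermission"],
}

def is_audited(action, logon_type, recipient_type):
    """True if the table and the monitored-type list both cover this activity."""
    row = MATRIX.get(action)
    if row is None or recipient_type not in MONITORED_TYPES:
        return False
    return row[LOGON_TYPES.index(logon_type)] == "Y"

def blind_spots():
    """(action, logon type) pairs the table marks 'No'; N/A cells are excluded."""
    return sorted((a, lt) for a, row in MATRIX.items()
                  for lt, flag in zip(LOGON_TYPES, row) if flag == "N")

def resource_for_cmdlet(cmdlet):
    """Resource type for an admin cmdlet; unlisted cmdlets fall to Audit Admin (assumption)."""
    for resource, names in CMDLETS.items():
        if cmdlet.lower() in (n.lower() for n in names):  # cmdlet names are case-insensitive
            return resource
    return "Audit Admin"

# Constructed sample activity (action, logon type, mailbox type); not real log data
SAMPLE = [("MessageBind", "Delegate", "SharedMailbox"), ("SendAs", "Delegate", "UserMailbox"),
          ("HardDelete", "Owner", "RoomMailbox"), ("FolderBind", "Owner", "UserMailbox")]

def unseen(events):
    """Events for which no audit record should be expected under the defaults."""
    return [e for e in events if not is_audited(*e)]

if __name__ == "__main__":
    print("blind spots:", blind_spots())
    print("no event expected:", unseen(SAMPLE))
```

The blind-spot list is the part to review against detection requirements: with the defaults, a delegate reading a message (MessageBind) and an owner browsing folders (FolderBind) leave no mailbox audit event.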
Exchange Online Connector Installation Flow Overview
To install the Exchange Online connector:
- Configure all the prerequisites.
- Add a new Exchange Online application.
- Install the relevant services:
  - Activity Monitor
Note
Exchange Online currently does not support the Cloud-Ready architecture for permissions collection and data classification. Permission collection and data classification tasks will run on the central engine services associated with the application, regardless of whether these services have one or more collectors associated with the central engine.