Monitor Office 365 Security Breaches to Fix internal threats

Monitor Office 365 Security Breaches To Fix Internal Threats

Most of Office 365 security breaches happen due to internal violation of policies and guidelines of the organization and the inability of administrators to constantly monitor such threats. There are several different areas in Office 365 where internal threats are likely to surface and cause potential security vulnerabilities. Security issues in Office 365 may arise due to group memberships, distribution group membership, sharing of mailboxes and Public Folders, inappropriate permissions such as full Access permissions to a mailbox. Many of these and more may cause a security breach in Office 365.

Let us discuss how to regularly monitor some of these using the Office 365 portal.

How to monitor Group and Distribution Group Memberships in Office 365 using PowerShell or the Office 365 Admin center?

A User can be assigned as a member of one or more groups or distribution groups. When a user is moved to a different department or when there is a suspected security breach due to a user who is a member of some group, administrators must effectively monitor all group memberships for the user to prevent unauthorized access to other information assets.

Perform the following steps to view group member’s information in Office 365:
1. Logon to the Office 365 Admin Center
Office 365 admin center

2. In the left navigation pane, click Groups > Groups

groups

3. Select a Group

4. In the details pane at the right of the screen, next to Members, click Edit Exchange Settings

groups detail pane

5. Click on Edit Exchange Settings, Exchange properties will be displayed in the screen below.

edit exchange settings

Using PowerShell Command:

You can also use PowerShell command to view the group member’s information:

  1. Open Windows PowerShell as privileged user (Run as administrator) and run the following command and type your Office 365 admin user name and password, and then click OK.

$Cred = Get-credential

  1. Run the following two commands to connect to exchange online PowerShell session.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Cred -Authentication Basic –AllowRedirection

Import-PSSession $Session

  1. Finally, run the below command to view the group members information.

Get-DistributionGroupMember –Identity “All Employees”

view group members information

How to monitor Administration Roles in Office 365?

A User can be assigned multiple Administration roles. If you have a fairly large organization with multiple departments, you will most likely need to assign several users for Office 365 Administration roles. All delegated roles must be assigned or removed with proper audit trail allowing you track when changes were made. These Office 365 Administration roles also need to be audited regularly to verify if the assigned users and roles continue to be valid (for example, an assigned user may have left the organization or moved out of his functional role).

Perform the following steps to view users who have been assigned Administration Roles in Office 365:

  1. Logon to the Office 365 Admin Center
  2. In the left navigation pane, click Users > Active Users

office 365 active users

3. Choose the user whose administrator role you want to view.

4. In the details pane at the right of the screen, next to Roles, click Edit.

office 365 administrator roles detail pane

5. It will display the assigned administrator role for the selected user.

assigned admin roles of selected user

Using PowerShell Command:

You can also use PowerShell command to view the users who have been assigned Administration roles in Office 365:

  1. Open Windows PowerShell as privileged user (Run as administrator) and run the following command and type your Office 365 admin user name and password, and then click OK.

Connect-MsolService

  1. Run the below command to get role object id for the corresponding role name

Get-MsolRole –RoleName “Company Administrator”

  1. Run the below command to view the view role member’s information

Get-MsolRoleMember –RoleObjectId “62e90394-69f5-4237-9190-012177145e10”

view type of role for all members

How to monitor Mailbox Access in Office 365?

A User can be assigned Full Access, Send As and Send on Behalf permissions to another user’s mailbox. When mailboxes are given access to multiple users, it is important that the administrator can manage such mailbox permissions with full audit trail of when permissions were granted and revoked. This helps you to keep your Office 365 secure by documenting and understanding who has access to other user’s mailboxes. One of the most important responsibilities of an administrator from a security standpoint is to monitor all user accesses to Office 365 Mailboxes. It helps you to analyze the security implications of users’ access rights.

To find Office 365 users who have access to other user mailboxes:

  1. Logon to the Office 365 Admin Center
  2. In the left navigation pane, click Admin Centers > Exchange
  3. Click on Recipients > Mailboxes
  4. List of Mailboxes will be displayed

exchange admin center recipients

5. Select a Mailbox and click Edit, and then click on mailbox delegation

6. It will display the list of users who has access to the user’s mailbox.

mailbox delegation

How to monitor Shared Mailbox Access in Office 365?

A User can be assigned Full Access and Send As permissions to shared mailboxes. A shared mailbox is a mailbox that multiple users can use to read and send email messages. A Shared mailbox is more vulnerable to security breaches than a regular mailbox because a shared mailbox may get shared with increasing number of users over a period of time.

To find Office 365 users who has access to shared mailboxes:

  1. Logon to the Office 365 Admin Center
  2. In the left navigation pane, click Admin Centers > Exchange
  3. Click on Recipients > Shared
  4. List of Shared Mailboxes will be displayed

shared mailbox recipients

5. Select a Shared Mailbox and click Edit, and then click on mailbox delegation

6. It will display the list of users who has access to the shared mailbox.

shared mailbox delegation

How to monitor Public Folder Access?

Similar to shared mailboxes, multiple users are assigned permissions to Office 365 Public folders. Public folders are designed for shared access and provide an easy and effective way to collect, organize, and share information with other people in your workgroup or organization. Administrators should closely monitor who has access to public folders to prevent unauthorized or unregulated access. This is particularly important because Public folder access rights can get messy over a period of time and poses a challenge when you specifically want to analyze a particular user’s access to different public folders.

To find the list of users who has access to the Office 365 public folder:

  1. Logon to the Office 365 Admin Center
  2. In the left navigation pane, click Admin Centers > Exchange
  3. Click on Public folders
  4. Select a folder and click Manage on the right pane

exchange admin center public folders

5. It will display the list of users who has access to the public folder.

6. Click Edit to view Public folder permissions

public folder permissions

Conclusion

The discussion emphasizes some of the specific areas in Office 365 that constantly pose internal security threats – that is, threats arising from inadvertent access rights granted to users without proper security guidelines and policies in place. Internal threats is an important challenge when you move to a cloud environment like Office 365. It requires diligence and proper tools to address these threats. While all these Office 365 internal threats may be monitored and managed using the Office 365 Admin Center or stitching together different PowerShell scripts, automated third party tools save you a lot of time and effort by providing sophisticated features to address such security issues. One such tool is the Vyapin Office 365 Management Suite. Download free trial now!