How much is the is the value LastLogonTime for a maibox worth?
Hi
Not so much after reading the article "in" the link.
https://www.petri.com/get-mailboxstatistics-cmdlet-wrong
I may, of course, have misunderstood everything as I'm not a very skilled hybrid admin. Then please explain this Get-MailboxStatistics Cmdlet LastLogonTime phenomenon to me.
Our problem:
I created an Office 365 Users Last Logon rule and we immediately saw strange things in the result. One example, the LastLogonTime value on a mailbox showed the date and time for the same day as I ran the rule and we for certain know that this mailbox owner doesn't work for our company anymore. Another example is the one shown in the picture below. How likely is it that those users in the Netherlands arrived to work and accesses their mailboxes in that tight time span? Some in the same second.
We would like to have a report with all our mailboxes showing the Last Login Times for the mailbox owners. That doesn't seem possible with this method. At least not with a reliable result.
So now to my question; Can Cayosoft Administrator access the mailbox audit logs and create reports from that data? In those logs, as you of course already know, you can track owner and delegate access to a mailbox.
Best regards
Niklas Myrnäs
-
Hi Miklas,
You can use the Office 365 Service Adoption dashboard to get the report when the users last used their mailboxes. This dashboard is based on data exactly from audit logs:
Before using this dashboard:
- At first, you must enable audit logging in the Office 365 portal. Here is the KB with the instruction: https://support.cayosoft.com/hc/en-us/articles/360002137911 .
- Navigate to HOME > RULES > Built-in Rules (Pre-configured) > Analytics collection runbook and run it
Also, you could try to use this rule: Office 365 Users | License Plan Cost Analysis User. This rule is used for Office 365 cost analysis but you can filter users by using Exchange online service: filter users by Service Use - set Exchange Online to Active, all other services to skip. This rule also requires audit logging and analytics collection runbook enabled.
-
Hi, Tatiana!
Thanks a lot for your answer.That's strange because the date in the Exchange column in our Dashboard exactly correlates with the values in Last Logon for the mailbox. With other words useless data for us.
This rule - Office 365 Users | License Plan Cost Analysis by User - gives me no hits at all when I click preview in the rule.
I also tried this rule - Office 365 User License Service Use - as it says that it uses data created by Analytics collection Runbook and Office 365 Auditing. But it also seems to be the value from Last Logon from the mailbox.
The mailbox auditing was already enabled for everyone but I extended the settings with these operations (HardDelete,MailboxLogin,MoveToDeletedItems,Create,Move,Update) for both Owner and Delegate.
Here is an example. Tina Jansson hasn't logged in for a very long time, that we know for sure. At least 150 days.
Dashboard:
Exchange Online:
The result from rule - Office 365 User License Service Use:
Security & Compliance - Audit Log Search:
The Audit Log Search in Office 365 shows No Data Available for her which seems right.
This is a mystery to me.
Best regardsNiklas Myrnäs
-
Hi Niklas,
Let's try to figure it out together.
Mailbox audit logging must be turned on for each user mailbox before user activity in Exchange Online will be logged. Please, see this article Search the audit log in the Office 365 Security & Compliance Center.
1. Could you check if mailbox auditing on by default is turned on for your organization? You will be requested credentials for Exchange Online:
$credential = (Get-Credential)
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession -DisableNameCheckingGet-OrganizationConfig | FL AuditDisabled
A value of False indicates that mailbox auditing on by default is enabled for your organization.
2. Please, paste the screenshot from Office 365 Security & compliance > Audit Log search for Tina Jansson.
-
Ok, thank you.
Now let's check if the default mailbox actions are being logged for this user: Get-Mailbox <username> | FL DefaultAuditSet
https://docs.microsoft.com/en-us/office365/securitycompliance/enable-mailbox-auditing#verify-that-default-mailbox-actions-are-being-logged-for-each-logon-type: "A value of
Admin, Delegate, Ownerindicates that the default mailbox actions for all three logon types are being audited and that an administrator in your organization has not changed the actions for any logon type. Note this is the default state after mailbox auditing on by default is initially turned on in your organization."Please, paste the screenshot with the result.
-
Hello, Niklas
I wanted to share some future plans with you.
Cayosoft Administrator is presenting the information as it is available in the Microsoft API. This product is designed for day-to-day administration and that's where we develop the expertise here.
It is clear that revealing an ultimate timestamp on mailbox access by the user himself, and ignoring any other system-related access events, require research and different kind of expertise. And we believe, it requires a different kind of a product.
We are looking into the possibility to add another product later this year or earlier next year. That product would be focused on collecting and analyzing the various source of user-related information and events.
That's where we would be able to provide an asnwer to questions like you posted at the beggining of this thread:
"We would like to have a report with all our mailboxes showing the Last Login Times for the mailbox owners. That doesn't seem possible with this method. At least not with a reliable result." -
Hi, Andrey!
So what you are saying is that, for example, the rules Office 365 User License Service Use, Office 365 Users Inactive, Office 365 Users Last Logon and the Office 365 Service Adoption view in the Dashboard isn't usable as Microsoft has messed around with certain attributes in Active Directory, Azure Active Directory and Exchange Online? Are you also saying that the actual Microsoft mailbox audit logs aren't trustworthy enough to check mailbox owner actions? Let's say last login as for example an action done by an InboxRule, created by the owner, is treated as an action done by the owner itself?
Best regards
Niklas
Please sign in to leave a comment.
Comments
12 comments