How much is the is the value LastLogonTime for a maibox worth?

Comments

12 comments

  • Avatar
    Tatiana Golubovich

    Hi Miklas, 

    You can use the Office 365 Service Adoption dashboard to get the report when the users last used their mailboxes. This dashboard is based on data exactly from audit logs:

    Before using this dashboard:

    1. At first, you must enable audit logging in the Office 365 portal. Here is the KB with the instruction: https://support.cayosoft.com/hc/en-us/articles/360002137911 .
    2. Navigate to HOME > RULES > Built-in Rules (Pre-configured) > Analytics collection runbook and run it 

    Also, you could try to use this rule: Office 365 Users | License Plan Cost Analysis User. This rule is used for Office 365 cost analysis but you can filter users by using Exchange online service: filter users by Service Use - set Exchange Online to Active, all other services to skip. This rule also requires audit logging and analytics collection runbook enabled.

     

     

    0
    Comment actions Permalink
  • Avatar
    Permanently deleted user

    Hi, Tatiana!

    Thanks a lot for your answer.

    That's strange because the date in the Exchange column in our Dashboard exactly correlates with the values in Last Logon for the mailbox. With other words useless data for us.

    This rule - Office 365 Users | License Plan Cost Analysis by User - gives me no hits at all when I click preview in the rule.

    I also tried this rule - Office 365 User License Service Use - as it says that it uses data created by Analytics collection Runbook and Office 365 Auditing. But it also seems to be the value from Last Logon from the mailbox.

    The mailbox auditing was already enabled for everyone but I extended the settings with these operations (HardDelete,MailboxLogin,MoveToDeletedItems,Create,Move,Update) for both Owner and Delegate.

    Here is an example. Tina Jansson hasn't logged in for a very long time, that we know for sure. At least 150 days.

    Dashboard:

    Exchange Online:

    The result from rule - Office 365 User License Service Use:

    Security & Compliance - Audit Log Search:

    The Audit Log Search in Office 365 shows No Data Available for her which seems right.


    This is a mystery to me.


    Best regards

    Niklas Myrnäs

    0
    Comment actions Permalink
  • Avatar
    Permanently deleted user

    Hi

    Any answers to this?

    Best regards

    NIklas

    0
    Comment actions Permalink
  • Avatar
    Tatiana Golubovich

    Hi Niklas, 

    Let's try to figure it out together.

    Mailbox audit logging must be turned on for each user mailbox before user activity in Exchange Online will be logged. Please, see this article Search the audit log in the Office 365 Security & Compliance Center.

    1. Could you check if mailbox auditing on by default is turned on for your organization? You will be requested credentials for Exchange Online: 

    $credential = (Get-Credential)
    $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection
    Import-PSSession $exchangeSession -DisableNameChecking

    Get-OrganizationConfig | FL AuditDisabled

    A value of False indicates that mailbox auditing on by default is enabled for your organization.

    2. Please, paste the screenshot from Office 365 Security & compliance > Audit Log search for Tina Jansson.

     

    0
    Comment actions Permalink
  • Avatar
    Permanently deleted user

    Hi

    Here is the result from the PS script.

    AuditDisabled : False


    Screenshot:


    Thanks for your help with this.

    Best regards

    Niklas

    0
    Comment actions Permalink
  • Avatar
    Tatiana Golubovich

    Ok, thank you.

    Now let's check if the default mailbox actions are being logged for this user: Get-Mailbox <username> | FL DefaultAuditSet

    https://docs.microsoft.com/en-us/office365/securitycompliance/enable-mailbox-auditing#verify-that-default-mailbox-actions-are-being-logged-for-each-logon-type: "A value of Admin, Delegate, Owner indicates that the default mailbox actions for all three logon types are being audited and that an administrator in your organization has not changed the actions for any logon type. Note this is the default state after mailbox auditing on by default is initially turned on in your organization."

    Please, paste the screenshot with the result.

    0
    Comment actions Permalink
  • Avatar
    Permanently deleted user

    Hi!

    This is strange. I get this result --> DefaultAuditSet : {}

    Eventhough I ran this rule.


    /Niklas

    0
    Comment actions Permalink
  • Avatar
    Permanently deleted user

    Get-Mailbox shows this



    /Niklas

    0
    Comment actions Permalink
  • Avatar
    Tatiana Golubovich

    Niklas, thanks for the info. I will contact our dev and come back to you as soon as I get smth new.

    0
    Comment actions Permalink
  • Avatar
    Permanently deleted user

    Great!

    Thanks again

    Here is what the dashboard shows for Tina right now.

    /Niklas

    0
    Comment actions Permalink
  • Avatar
    Andrey Polevoy

    Hello, Niklas

    I wanted to share some future plans with you.

    Cayosoft Administrator is presenting the information as it is available in the Microsoft API. This product is designed for day-to-day administration and that's where we develop the expertise here.

    It is clear that revealing an ultimate timestamp on mailbox access by the user himself, and ignoring any other system-related access events, require research and different kind of expertise. And we believe, it requires a different kind of a product.

    We are looking into the possibility to add another product later this year or earlier next year. That product would be focused on collecting and analyzing the various source of user-related information and events.

    That's where we would be able to provide an asnwer to questions like you posted at the beggining of this thread:
    "We would like to have a report with all our mailboxes showing the Last Login Times for the mailbox owners. That doesn't seem possible with this method. At least not with a reliable result."

    0
    Comment actions Permalink
  • Avatar
    Permanently deleted user

    Hi, Andrey!

    So what you are saying is that, for example, the rules Office 365 User License Service Use, Office 365 Users Inactive, Office 365 Users Last Logon and the Office 365 Service Adoption view in the Dashboard isn't usable as Microsoft has messed around with certain attributes in Active Directory, Azure Active Directory and Exchange Online? Are you also saying that the actual Microsoft mailbox audit logs aren't trustworthy enough to check mailbox owner actions? Let's say last login as for example an action done by an InboxRule, created by the owner, is treated as an action done by the owner itself?

    Best regards

    Niklas

    0
    Comment actions Permalink

Please sign in to leave a comment.