Forum Discussion
KokSoon
Nov 21, 2021, Copper Contributor
Protect confidential mailbox - Alert setting
A Global Administrator can gain access to the big boss mailbox by granting himself access to the mailbox or creating an email forwarding rule. One way to address this is to have a security alert setting to noti...
VasilMichev
Nov 21, 2021, MVP
Alerts hardly address anything, they're reactive. Then again, *nothing* you configure in O365 can prevent a GA who knows what he's doing from performing any task. If you assign someone as GA, you better be willing to take the risk and consequences.
Anyway, there are a few ways to address this. First, you can create an "exclusive" management scope, so that only certain people can ever make changes to a "big boss" mailbox: https://docs.microsoft.com/en-us/exchange/understanding-exclusive-scopes-exchange-2013-help
Alternatively, take a look at the Privileged Access Management functionality: https://docs.microsoft.com/en-us/microsoft-365/compliance/privileged-access-management-overview?view=o365-worldwide
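The exclusive-scope approach from the reply above, as an added example for readers of this thread (not code posted by VasilMichev or by Microsoft). It assumes the ExchangeOnlineManagement module, a hypothetical VIP mailbox ceo@contoso.com, and a hypothetical pre-existing mail-enabled security group "VIP Mailbox Admins" that will be the only principal allowed to change that mailbox:

```powershell
# Added example, not from the thread. Names (ceo@contoso.com, "VIP Mailbox Admins",
# ga@contoso.com) are hypothetical; the group must already exist as a mail-enabled
# universal security group so it can be used as a role assignee.
Connect-ExchangeOnline

$vipMailbox = 'ceo@contoso.com'
$adminGroup = 'VIP Mailbox Admins'
$scopeName  = 'VIP Mailboxes (Exclusive)'

# Tag the protected mailbox so the scope filter matches it and nothing else.
Set-Mailbox -Identity $vipMailbox -CustomAttribute1 'VIP'

# 1. Exclusive scope: once it exists, only role assignments that use THIS scope can
#    modify the objects it matches; every other assignment, including the default
#    Organization Management ones, is denied for those objects.
New-ManagementScope -Name $scopeName `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'VIP'" `
    -Exclusive

# 2. Assign the recipient-management roles to the dedicated group, write-scoped to
#    the exclusive scope, so its members are the only ones who can change the mailbox.
foreach ($role in 'Mail Recipients', 'Mail Recipient Creation') {
    New-ManagementRoleAssignment -Role $role `
        -SecurityGroup $adminGroup `
        -CustomRecipientWriteScope $scopeName
}

# 3. Checks: the scope is exclusive and the group's assignments carry it.
Get-ManagementScope | Where-Object { $_.Exclusive } | Format-Table Name, RecipientFilter
Get-ManagementRoleAssignment -RoleAssignee $adminGroup | Format-Table Role, CustomRecipientWriteScope

# Run this as an admin who is NOT a member of the group: the write is refused because
# the mailbox sits in an exclusive scope the caller holds no assignment for.
Add-MailboxPermission -Identity $vipMailbox -User 'ga@contoso.com' `
    -AccessRights FullAccess -ErrorAction Continue
```

Two limits a practitioner should keep in mind. The scope only constrains Exchange RBAC writes; it does not stop the mailbox owner (or anyone who already holds FullAccess) from creating their own inbox rules. And a Global Administrator is a member of Organization Management, which carries the Role Management role, so the same person can remove the exclusive scope or add their own assignment to it; that is exactly the objection raised in the next reply, and it is why the scope raises the bar rather than closing the door.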
- KokSoon, Nov 22, 2021, Copper Contributor
Thanks for the advice on exclusive scope & privileged access.
The concern will still be there with this approach: a GA can change the exclusive role assignment.
The ideal is that whenever a GA changes any such setting, like modifying an existing alert, granting himself access to the mailbox, or creating the forwarding rule, there should be an alert email to a third party.
Is it possible to have the alert email sent (to the existing third party, before the modification) when a GA modifies the existing alert?
Thanks.
- VasilMichev, Nov 22, 2021, MVP
GA can change anything, including disabling those alerts you want so badly 🙂 And again, alerts are reactive, and, even worse, fire with huge delays (read: hours). But if you think that's the way to go, you can export the unified audit log data to an external system and configure alerts there.
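What "configure alerts there" can look like once the audit log is exported, as an added example that is not part of the thread. It parses Exchange admin records in the AuditData JSON shape that Search-UnifiedAuditLog and the Office 365 Management Activity API return (Operation, UserId, ObjectId, Parameters as Name/Value pairs) and flags the four changes the thread worries about: access granted on the VIP mailbox, mailbox-level forwarding, a forwarding inbox rule, and tampering with the alert policy or with RBAC. The records, mailbox, user and alert names are constructed; the operation names used for alert-policy changes (Set-/Remove-ProtectionAlert) are an assumption about what the export contains, and the final record is a control that should not match:

```powershell
# Added example, not from the thread. All names and records below are constructed.
$protectedMailbox = 'ceo@contoso.com'
$protectedAlert   = 'VIP mailbox change'   # hypothetical alert policy name to watch

function Get-VipMailboxAlert {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [Parameter(Mandatory)] [string]   $ProtectedMailbox,
        [Parameter(Mandatory)] [string]   $ProtectedAlertName
    )
    # Parameters that turn a mailbox or inbox rule into a forwarder.
    $forwardParams = 'ForwardingSmtpAddress', 'ForwardingAddress',
                     'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo'
    foreach ($r in $Records) {
        # Flatten the Parameters array into a case-insensitive name -> value table.
        $p = @{}
        foreach ($kv in $r.Parameters) { $p[$kv.Name] = $kv.Value }
        # Mailbox cmdlets name the target in -Identity, inbox-rule cmdlets in -Mailbox.
        $target = if ($p['Identity']) { $p['Identity'] } elseif ($p['Mailbox']) { $p['Mailbox'] } else { $r.ObjectId }
        $onVip  = ($target -eq $ProtectedMailbox)
        $fwd    = @($forwardParams | Where-Object { $p.ContainsKey($_) })
        $reason = switch -Regex ($r.Operation) {
            '^Add-(Mailbox|Recipient)Permission$' {
                if ($onVip) { "mailbox access granted to $($p['User'])$($p['Trustee'])" } }
            '^Set-Mailbox$' {
                if ($onVip -and $fwd.Count) { "mailbox-level forwarding to $($p[$fwd[0]])" } }
            '^(New|Set)-InboxRule$' {
                if ($onVip -and $fwd.Count) { "inbox rule forwards to $($p[$fwd[0]])" } }
            '^(Set|Remove)-ProtectionAlert$' {
                if ($r.ObjectId -eq $ProtectedAlertName) { 'alert policy modified or removed' } }
            '^(New|Set|Remove)-Management(RoleAssignment|Scope)$' {
                'RBAC scope or role assignment changed' }
        }
        if ($reason) {
            [pscustomobject]@{ Time = $r.CreationTime; Actor = $r.UserId
                               Operation = $r.Operation; Target = $target; Reason = $reason }
        }
    }
}

# Constructed sample export: four records a GA would generate while taking over the
# mailbox and silencing the alert, plus one unrelated change that must not fire.
$sampleAuditData = @'
[
 {"CreationTime":"2021-11-22T08:01:10","Operation":"Add-MailboxPermission","UserId":"ga@contoso.com","ObjectId":"ceo@contoso.com",
  "Parameters":[{"Name":"Identity","Value":"ceo@contoso.com"},{"Name":"User","Value":"ga@contoso.com"},{"Name":"AccessRights","Value":"FullAccess"}]},
 {"CreationTime":"2021-11-22T08:02:30","Operation":"Set-Mailbox","UserId":"ga@contoso.com","ObjectId":"ceo@contoso.com",
  "Parameters":[{"Name":"Identity","Value":"ceo@contoso.com"},{"Name":"ForwardingSmtpAddress","Value":"smtp:ext@example.net"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]},
 {"CreationTime":"2021-11-22T08:03:00","Operation":"New-InboxRule","UserId":"ga@contoso.com","ObjectId":"ceo@contoso.com\\Fwd",
  "Parameters":[{"Name":"Mailbox","Value":"ceo@contoso.com"},{"Name":"Name","Value":"Fwd"},{"Name":"ForwardTo","Value":"ext@example.net"}]},
 {"CreationTime":"2021-11-22T08:04:00","Operation":"Set-ProtectionAlert","UserId":"ga@contoso.com","ObjectId":"VIP mailbox change",
  "Parameters":[{"Name":"Identity","Value":"VIP mailbox change"},{"Name":"Disabled","Value":"True"}]},
 {"CreationTime":"2021-11-22T08:05:00","Operation":"Set-Mailbox","UserId":"helpdesk@contoso.com","ObjectId":"bob@contoso.com",
  "Parameters":[{"Name":"Identity","Value":"bob@contoso.com"},{"Name":"DisplayName","Value":"Bob"}]}
]
'@

$records = $sampleAuditData | ConvertFrom-Json
Get-VipMailboxAlert -Records $records -ProtectedMailbox $protectedMailbox -ProtectedAlertName $protectedAlert |
    Format-Table -AutoSize
```

The point of running this outside the tenant is the one made in the reply: a GA can disable in-tenant alert policies, but cannot retroactively remove records already shipped to a SIEM the GA does not administer, so the notification to the third party survives even when the alert policy itself is switched off. The delay the reply mentions still applies, since the export only sees a record once the audit pipeline has produced it.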
- Nov 21, 2021: PIM for the win.