
Elevation of Exchange admin privilege Alerts

Adrian Hyde
Regular Contributor

Does anyone else get these alerts? From what I have been able to gather thus far, this BOXServiceAccount is used by Microsoft for management of the mailboxes and Exchange servers. What I haven't figured out is whether I should be concerned about these or what it means for our security footprint.

 

A low-severity alert has been triggered

Elevation of Exchange admin privilege

Severity: — Low

Time: 4/10/2018 1:26:11 PM (UTC)

Activity: GrantAdminPermission

User: BOXServiceAccount@namprd05.prod.outlook.com

Details: GrantAdminPermission. This alert is triggered whenever someone in your organization becomes an admin or gets new admin permissions.

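4 Replies

Your answer is here: https://support.microsoft.com/en-us/help/4039823/boxserviceaccount-is-added-to-a-role-in-office-365-alerts

Regards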

It looks like some server workflow; I'm almost certain we should not be getting such events. Report it on the UPP network?

Solution
I opened a support case, and was basically told it was safe to ignore since it is a back-end process. Unfortunately no additional details.

@Adrian Hyde 

 

Did you get any ideas about this at that time?

I already configured this privilege?

 

 

Severity: Low

Time: Nov 12, 2019 12:15:00 PM

Activity: Granted Exchange admin permission

Activity count: 1

Details: This alert is triggered when someone in your organization becomes an Exchange admin or gets new Exchange admin permissions -V1.0.0.1

By the time this alert was triggered, email is hidden performed Granted Exchange admin permission 1 time