
Elevation of Exchange admin privilege Alerts

Adrian Hyde
Regular Contributor

Does anyone else get these alerts? From what I have been able to gather thus far, this BOXServiceAccount is used by Microsoft for management of the mailboxes and Exchange servers. What I haven't figured out is whether I should be concerned about these or what it means for our security footprint.

 

A low-severity alert has been triggered

Elevation of Exchange admin privilege

Severity: — Low

Time: 4/10/2018 1:26:11 PM (UTC)

Activity: GrantAdminPermission

User: BOXServiceAccount@namprd05.prod.outlook.com

Details: GrantAdminPermission. This alert is triggered whenever someone in your organization becomes an admin or gets new admin permissions.

3 Replies

It looks like some server workflow, I'm almost certain we should not be getting such events. Report it on the UPP network?

Solution
I opened a support case, and was basically told it was safe to ignore since it is a back-end process. Unfortunately no additional details.