Copilot for Microsoft 365 Tech Accelerator
Feb 28 2024 07:00 AM - Feb 29 2024 10:30 AM (PST)
Microsoft Tech Community

Protect confidential mailbox - Alert setting

Copper Contributor

Global Administrator can gain access to big boss mailbox by granting himself access to the mailbox or create email forwarding rule.

  1. One way to address this is to have security alert setting to notify a third party when such access delegation or email forwarding rule is done – Is this possible?
  2. The administrator can disable the security alert setting. Is there a way to have an alert that any security alert setting has been modified?

Thanks.

4 Replies
Alerts hardly address anything, they're reactive. Then again, *nothing* you configure in O365 cannot prevent a GA that knows what he's doing from performing any task. If you assign someone as GA, you better be willing to take the risk and consequences.
Anyway, there are few ways to address this. First, you can create "exclusive" management scope, so that only certain people can ever make changes to a "big boss" mailbox: https://docs.microsoft.com/en-us/exchange/understanding-exclusive-scopes-exchange-2013-help
Alternatively, take a look at the Privileged Access Management functionality: https://docs.microsoft.com/en-us/microsoft-365/compliance/privileged-access-management-overview?view...
PIM for the win.

@Vasil Michev 

 

Thanks for the advice on exclusive scope & privileged access.

 

The concern will still be there with this approach – GA can change the exclusive role assignment.

The ideal this that whenever GA changes any of such settings like modifying existing alert, or granting himself access to the mailbox, or creating the forwarding rule, there should be an alert email to a third party.

 

Is it possible to have the alert email (sent to the existing third party before the modification) when GA modify the existing alert?

 

Thanks.

GA can change anything, including disabling those alerts you want so badly :) And again, alerts are reactive, and even worse - fire with huge delays (read hours). But if you think that's the way to go, you can export the unified audit log data to external system and configure alerts there.