Microsoft Tech Community

Alert policy - Add mailbox permission - No detailed alert.


Hi Community, 

 

I've created an alert policy so that whenever someone gets mailbox permissions added, the Global administrator is notified, and it works. However, the alert doesn't have a detailed report of which user mailbox it is, who was added for mailbox permissions, etc. We just got the alert report below.

 

How can we get a detailed alert saying which user mailbox it is, who was added for mailbox permissions, etc.? Any help would be much appreciated.

 

A high-severity alert has been triggered

Add Mailbox Permission policy

Severity: High

Time: 6/28/2023 1:45:00 PM (UTC)

Activity: AddMailboxPermission

User: email address removed for privacy reasons

Details: AddMailboxPermission. This alert is triggered whenever someone gets access to read your user's email.

See details in the Microsoft 365 Security Center. 

3 Replies
Which product was that alert policy created in? Was it an advanced hunting Custom Detection or was it a policy in Defender for Cloud Apps?

Thank you for the response. 

I've created the alert policy as detailed in this post and am getting the alert as per the screenshot I attached in my initial ask: https://learn.microsoft.com/en-us/answers/questions/242472/alert-when-someone-is-granted-full-access...

 

However, the challenge is that the alert doesn't help us understand whose mailbox was given full access permission, who takes the full access permissions, and so on.

 

We are getting just the alert notification, but it doesn't give the above details. Please help us find which alert policy gives the detailed report.

 

Thanks!

@SB V 

When you click on the alert to view the details you should have a hyperlink named "View Activity List".


When you click that, under the "Item" column is the name of the user whose mailbox was changed. Sometimes it won't show the name but the ID number instead. If this happens you have to copy the ID number and paste it into the user search of AAD (Entra) to see which user's mailbox it was.


Hope that helps. It stumped me for a while as well.
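
The details the alert e-mail leaves out (whose mailbox, who was granted access, which rights) can also be read from the audit record behind the activity. The following is an added example, not part of the thread: it parses a constructed audit record, the function name `ConvertTo-MailboxPermissionSummary` is hypothetical, and the field layout (`UserId`, `ObjectId`, and a `Parameters` list with `Identity`, `User` and `AccessRights`) is an assumption based on how Exchange admin audit records are normally shaped.

```powershell
# Constructed sample record (all addresses and the GUID are made up).
# In a tenant, records like this are returned by an Exchange Online session:
#   Search-UnifiedAuditLog -StartDate <start> -EndDate <end> -Operations Add-MailboxPermission
# Each result carries the record as a JSON string in its AuditData property.
$sampleAuditData = @'
{
  "CreationTime": "2023-06-28T13:45:00",
  "Operation": "Add-MailboxPermission",
  "UserId": "admin@contoso.example",
  "ObjectId": "7f3c1e9a-0000-4000-8000-000000000001",
  "Parameters": [
    { "Name": "Identity",     "Value": "7f3c1e9a-0000-4000-8000-000000000001" },
    { "Name": "User",         "Value": "delegate@contoso.example" },
    { "Name": "AccessRights", "Value": "FullAccess" }
  ]
}
'@

function ConvertTo-MailboxPermissionSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$AuditData
    )
    process {
        $rec = $AuditData | ConvertFrom-Json

        # Flatten the Name/Value parameter list into a lookup table.
        $p = @{}
        foreach ($item in $rec.Parameters) { $p[$item.Name] = $item.Value }

        # Prefer the cmdlet's Identity argument; fall back to ObjectId.
        $target = if ($p['Identity']) { $p['Identity'] } else { $rec.ObjectId }

        [pscustomobject]@{
            TimeUtc       = $rec.CreationTime
            GrantedBy     = $rec.UserId        # account that made the change
            TargetMailbox = $target            # mailbox that was opened up
            # True when only an ID is present and it still has to be
            # looked up in the Entra user search, as described above.
            TargetIsId    = $null -ne ($target -as [guid])
            Grantee       = $p['User']         # who received the permission
            AccessRights  = $p['AccessRights']
        }
    }
}

$sampleAuditData | ConvertTo-MailboxPermissionSummary | Format-List
```

Against live data, pipe each result's `AuditData` string into the function instead of the sample.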