Issues with Mailbox audit for users (Security Score)


Anyone else having issues with inaccuracies on this? It shows that we have 213 users and 209 have it enabled. 2 were new users, but I cannot find the rest of them.

 

I've been using:

Get-Mailbox -Filter {AuditEnabled -eq $false} | select UserPrincipalName,auditenabled

and

Get-Mailbox | select UserPrincipalName,auditenabled,AuditDelegate

and

Get-mailbox -Filter {(AuditEnabled -eq $false)} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

 

They all come up with all users having auditenabled. Anyone have an idea as to how to find the remaining 2?

 

Also it would be nice if you got partial credit on this! Less than 1% missing.

 

3 Replies

Without being able to see the output of the cmdlets it's hard to guess. First of all, "users" doesn't necessarily translate to mailboxes. The Identity parameter is unreliable when used against large lists of objects, as you can have multiple entries. Try something like the UPN or PrimarySMTPAddress instead.

 

Next, you might have some mailboxes with errors; you should get Warning messages when you try to run cmdlets against those. Some mailbox types do not show in the Get-Mailbox output unless you specifically include the recipient type; however, this shouldn't be an issue if you are comparing via the same syntax.
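
An added example, not part of the original thread, of the checks suggested in the reply above: it lists mailboxes without auditing keyed by PrimarySmtpAddress, flags display names shared by several mailboxes, and counts mailboxes per recipient type. The function name Get-MailboxAuditGap and the sample mailboxes are hypothetical; the property names are those returned by Get-Mailbox.

```powershell
# Added example. Input objects are expected to carry the Get-Mailbox properties
# DisplayName, PrimarySmtpAddress, RecipientTypeDetails and AuditEnabled.
function Get-MailboxAuditGap {
    param(
        [Parameter(Mandatory)] [object[]] $Mailbox
    )

    # Key on PrimarySmtpAddress, which identifies exactly one mailbox.
    $notAudited = $Mailbox | Where-Object { -not $_.AuditEnabled } |
        Sort-Object PrimarySmtpAddress

    # A display name shared by several mailboxes is ambiguous as an identity value.
    $ambiguous = $Mailbox | Group-Object DisplayName |
        Where-Object Count -gt 1 | ForEach-Object { $_.Name }

    # Per-type totals, to compare against the "users" figure shown by the score.
    $byType = $Mailbox | Group-Object RecipientTypeDetails | ForEach-Object {
        [pscustomobject]@{
            Type       = $_.Name
            Total      = $_.Count
            NotAudited = @($_.Group | Where-Object { -not $_.AuditEnabled }).Count
        }
    }

    [pscustomobject]@{
        Total          = $Mailbox.Count
        NotAudited     = @($notAudited | ForEach-Object { $_.PrimarySmtpAddress })
        AmbiguousNames = @($ambiguous)
        ByType         = @($byType)
    }
}

# Constructed sample data (not from the thread). Against a tenant, use instead:
#   $mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes = @(
    [pscustomobject]@{ DisplayName = 'J Smith'; PrimarySmtpAddress = 'john.smith@example.com'; RecipientTypeDetails = 'UserMailbox';   AuditEnabled = $true  }
    [pscustomobject]@{ DisplayName = 'J Smith'; PrimarySmtpAddress = 'jane.smith@example.com'; RecipientTypeDetails = 'UserMailbox';   AuditEnabled = $false }
    [pscustomobject]@{ DisplayName = 'Sales';   PrimarySmtpAddress = 'sales@example.com';      RecipientTypeDetails = 'SharedMailbox'; AuditEnabled = $true  }
    [pscustomobject]@{ DisplayName = 'Room 1';  PrimarySmtpAddress = 'room1@example.com';      RecipientTypeDetails = 'RoomMailbox';   AuditEnabled = $false }
)

$report = Get-MailboxAuditGap -Mailbox $mailboxes
$report.NotAudited       # addresses still lacking AuditEnabled
$report.AmbiguousNames   # display names that match more than one mailbox
$report.ByType | Format-Table
```
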

I tried checking the different mailbox types and thought that was hopeful. I then realized I'd already taken care of all the shared mailboxes and they show as true on the auditenabled.

 

I ran this:

(get-mailbox -filter {auditenabled -eq $true}|select userprincipalname, auditenabled).count and came up with a count of 212. We did delete a mailbox today so that could account for the difference between 212 and 213.

 

There is no date on the score for this field, so I'm leaning towards this being a timing issue. Some things seem to update daily on the o365 security score, but not all. I'm going to see what happens and if it comes back with the reduced number of users before I continue to chase my tail on this.

 

If anyone else has seen something similar please speak up.

Yeah, don't expect secure score to immediately reflect on the changes you make.