Jun 28 2023 06:47 AM
Hi Community,
I've created an alert policy so that whenever someone gets mailbox permissions added, the Global administrator is notified, and it works. However, the alert doesn't have a detailed report of which user mailbox it is, who was added for mailbox permissions, etc. We just got the alert report below.
How can we get a detailed alert saying which user mailbox it is, who was added for mailbox permissions, etc.? Any help would be much appreciated.
A high-severity alert has been triggered
⚠ Add Mailbox Permission policy
Severity: ● High
Time: 6/28/2023 1:45:00 PM (UTC)
Activity: AddMailboxPermission
User: email address removed for privacy reasons
Details: AddMailboxPermission. This alert is triggered whenever someone gets access to read your user's email.
See details in the Microsoft 365 Security Center.
Jun 30 2023 11:44 PM
Jul 03 2023 06:25 AM - edited Jul 05 2023 07:10 AM
Thank you for the response.
I've created the alert policy as detailed in this post and am getting the alert as per the screenshot I attached in my initial ask: https://learn.microsoft.com/en-us/answers/questions/242472/alert-when-someone-is-granted-full-access...
However, the challenge is that the alert doesn't help us understand whose mailbox was given full access permission, who was given the full access permissions, and so on.
We just get the alert notification, but it doesn't include the above details. Please help us find which alert policy gives us the detailed report.
Thanks!
Sep 28 2023 12:51 PM
When you click on the alert to view the details you should have a hyperlink named "View Activity List".
When you click that, under the "Item" column is the name of the user whose mailbox was changed. Sometimes it won't show the name but the ID number instead. If this happens you have to copy the ID number and paste it into the user search of AAD (Entra) to see which user's mailbox it was.
Hope that helps. It stumped me for a while as well.
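
The same details can also be pulled from the unified audit log in Exchange Online PowerShell instead of the portal; the script below is an added example, not part of any post in this thread. It assumes the ExchangeOnlineManagement module, an account allowed to search the audit log, a 7-day window, and that the records carry the cmdlet-style operation name as well as the name shown in the alert.

```powershell
# Added example: list who was granted access to which mailbox, and by whom.
Connect-ExchangeOnline

# The alert on this page shows the activity as "AddMailboxPermission"; audit
# records written by the cmdlet use "Add-MailboxPermission". Searching for
# both names is an assumption made to cover either form.
$operations = 'Add-MailboxPermission', 'AddMailboxPermission'
$end   = Get-Date
$start = $end.AddDays(-7)          # assumed look-back window

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations $operations -ResultSize 1000

$report = foreach ($record in $records) {
    # AuditData is a JSON string holding the full event
    $data = $record.AuditData | ConvertFrom-Json

    # Cmdlet arguments arrive as a list of Name/Value pairs; index them by name
    $params = @{}
    foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }

    # Target mailbox: the -Identity argument, falling back to ObjectId
    $target = if ($params['Identity']) { $params['Identity'] } else { $data.ObjectId }

    # The target is sometimes an ID rather than a name; try to resolve it
    $mbx = Get-EXOMailbox -Identity $target -ErrorAction SilentlyContinue

    [pscustomobject]@{
        TimeUtc      = $data.CreationTime
        ChangedBy    = $data.UserId
        Mailbox      = if ($mbx) { $mbx.PrimarySmtpAddress } else { $target }
        GrantedTo    = $params['User']
        AccessRights = $params['AccessRights']
    }
}

$report | Sort-Object TimeUtc | Format-Table -AutoSize
```

If the Mailbox column still shows a raw ID, the mailbox could not be resolved in Exchange Online and the ID has to be looked up in Entra as described above.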