9 Email Security Reports That Every Microsoft 365 Admin Should Monitor! 

When it comes to strengthening your organization’s defenses, it’s absolutely imperative to implement a robust set of Microsoft 365 email security best practices to protect your organization from threats. One of the priorities that often springs to mind for any admins is to have a top-notch tight grip secured Exchange Online environment. And why is that? Well, it all boils down to the fact that a user’s mailbox is where confidential information is shared! 🔐 So, securing their Exchange Online environment is an important task for any administrator.

But here’s the twist – is simply putting a security lock on Exchange Online sufficient? Unfortunately, the answer is NO! ❌For any diligent Microsoft 365 admin, the next logical step is to monitor the Exchange Online activities around their organization. 

As we all know, Microsoft 365 security is a complex & constantly evolving challenge, and it requires ongoing vigilance. Without continuous monitoring, things can quickly spiral out of control! 😯So, to assist you in this endeavor and simplify the process of monitoring Exchange Online, I’ve compiled a comprehensive checklist of “9 essential email security reports to monitor in Microsoft 365.” So, let’s dive right in and explore the invaluable insights this Microsoft 365 Exchange Online cheat sheet has to offer!  

List of Microsoft 365 Email Security Reports: 

Email security is like a game, but it’s a serious game you should never lose! 🏐Thus, if you want to win, you must keep track of all activities happening in and around your organization. To help you do that, Exchange Online offers a handful of reports, but knowing where to begin can be daunting! 😫Instead, you can use the 9 essential Exchange Online reports below that cover all the bases and touch on every risky use case.  These reports provide comprehensive coverage, address various risk scenarios, and offer a more streamlined way to keep a watchful eye on your email security. ✅ 

1. Monitor mailbox audit settings in Microsoft 365. 
2. Find inbox rules forwarding externally in Exchange Online. 
3. Audit mailbox permission changes in Microsoft 365. 
4. Run a non-owner mailbox access report. 
5. Check Mailbox size in Microsoft 365. 
6. Spot malware and spam emails in Exchange Online. 
7. Monitor mail flow status in your organization. 
8. Use email authentication reports to validate email authenticity. 
9. Transport rule and DLP evaluation reports. 

Looking for a shortcut to get all those important email security reports without reading a bunch of text? Well, then check out our fantastic cheat sheet! It’s got all the essentials you need, so just flip it open and get started. 🚀 

Download Cheat sheet: Microsoft 365 email security reports.pdf

1. Monitor Mailbox Audit Settings in Microsoft 365: 

As tracking user activities is essential, you can utilize audit logs available in the Security and Compliance portals! 😌 In addition, Microsoft 365 Mailbox auditing is a powerful tool, allowing you to track user actions within their own mailbox and even on other mailboxes.  

However, only certain actions are audited by default! 😑 To broaden the audit log coverage, you must enable mailbox audit log using PowerShell. And, the next step is to monitor admin activities, delegate activities, and owner activities in mailboxes. In this report, you can export all mailboxes that are audit-enabled/disabled, as well as mailboxes that are admin audit-enabled, owner audit-enabled, and delegate audit-enabled. 

More info: https://blog.admindroid.com/guide-to-efficient-exchange-online-mailbox-management/ 

2. Find the Inbox Rules That Forward Externally in Microsoft 365: 

Microsoft 365 inbox rules can be used to forward, redirect, copy, move, flag, and more, but they’re most commonly used to configure automatic email forwarding. And here, the risk case happens!   

What if a user configures auto email forwarding to external users? That’s too much risk and too much data exposure, right? 

Even though the Exchange Admin Center (EAC) provides an Auto-forwarded message report to give insights into forwarded emails, it falls short when it comes to tracking emails forwarded to external domains! So, we’ve got PowerShell as a great way! You can effectively identify all mailbox forwarding rules that send emails to external users or personal email addresses.

Script Download: GetInboxRulesWithExternalForwarding.ps1 

3. Audit Mailbox Permission Changes in Microsoft 365: 

Delegating permissions to Microsoft 365 mailboxes is common and can be a great way to improve efficiency. However, it’s crucial to grant the appropriate permissions, like Full Access, Send As, and Send on Behalf, while ensuring that they go to the right users. 💯 

Because mailboxes are often home to sensitive data, and if mailbox permissions are misused, things can go wildly against the organization! 😫This is why it’s important to monitor mailbox permission changes frequently, especially for admin mailboxes, which contain confidential information. Therefore, be sure to audit mailbox permission changes frequently and ensure that only the right people have access to the right mailboxes to prevent data leaks. 

Script Download: AuditMailboxPermissionChanges.ps1 

4. Run a Non-owner Mailbox Access Report: 

Mailbox accessing is a common task, but what shouldn’t be avoided is to audit mailbox access permissions since unauthorized mailbox privileges can lead to sensitive data leaks! ⚠️ 

Therefore, the admin is responsible for monitoring mailbox owner, admin & guest access, and, most importantly, non-owner access. Monitoring non-owner access is vital, as certain events may indicate data theft. Also, it is important to always be aware of who accessed which mailbox, from where, and when for legal matters.  

• However, Microsoft also no longer provides the option to run a non-owner mailbox access report in Exchange Online, so it’s obviously PowerShell’s turn to offer you the necessary details! 😌 The below cmdlet could be used to view the non-owner mailbox access report of a Microsoft 365 user, but in the long run, a PowerShell script is always looked up! 💯 

Search-MailboxAuditLog –Identity <username> -LogonTypes Delegate -ShowDetails –StartDate <mentionTime>  -EndDate <mentionTime> | Select-Object Operation, LogonType, LastAccessed, LogonUserDisplayName 

So, make sure to schedule the non-owner mailbox access report and monitor frequently! This report includes admin and delegate actions, a list of accessed mailboxes, access timestamps, non-owner actions, and whether they succeeded or failed. Keep this PowerShell script handy and check the non-owner mailbox access report regularly! 

Script Download: NonOwnerMBAccessReport.ps1

5. Check Mailbox Size Report in Microsoft 365: 

Are your users getting storage exceeded errors like the below, with no heads-up whatsoever? 

• Mailbox size limit exceeded. 
• You’ve exceeded the storage limit for your mailbox. Delete some items from your mailbox. 
• Unable to send/receive messages due to mailbox quota exceeded. 

Then, it’s time for admins to take responsibility and check the mailbox size report of all users! Finding it is a breeze; just use cmdlets like Get-Mailbox and Get-MailboxStatistics in Microsoft 365, and voila! you’ve got yourself a nifty mailbox-size report at your fingertips. Here’s a little sneak peek at how it’s done: 

Get-Mailbox -ResultSize Unlimited | foreach { Get-MailboxStatistics -identity $_.userprincipalName | select Displayname,TotalItemSize} 

Easy, right? But wait, there’s more! If you want to dive even deeper and get some seriously detailed mailbox usage reports, we’ve got a slick PowerShell script that’ll do the trick in a matter of seconds. Run it around & export mailbox-size reports that will be a treasure box! 

Script Download: MailboxSizeReport.ps1

6. Monitor Spam and Malware Reports and Improve Mail Protection: 

It’s a never-ending battle to keep the organization’s data safe from spam and malware attacks. But guess what? Microsoft got our back with a cloud-based filtering service called Exchange Online Protection (EOP).  

Microsoft doesn’t stop at just EOP. They’ve also given a bunch of nifty mail flow status reports in Exchange Online, which comes with comprehensive details on phishing attempts, spam & malware email statistics report, and more!  This can be used to identify trends, track the effectiveness of security measures, and investigate suspicious activity. 

• So, in a nutshell, with EOP and these detailed mail flow status reports, we’re in a much better position to fend off the email attackers and keep our data safe and sound. 🛡️📧 

More info: https://blog.admindroid.com/mailflow-status-reports-to-secure-microsoft-365-emailing-process/ 

7. Track the Mail Flow Reports to Know Your User’s Mailbox Activity: 

Tracking the email flow within and outside the organization can help admins prevent data leakage immediately.  

• Detect if any suspicious or unauthorized access has been granted to any mailbox🔍 
• Let organizations plan and allocate resources effectively based on their mailbox activity 
• And more on the list! 

Now, there are a couple of ways to go about this. You can dive into the inbound and outbound messages report in EAC, which is pretty handy. But if you ask me, PowerShell is where the real magic happens, as it lets you dig deeper and tailor the results to fit your exact needs. 

Script Download: MailTrafficReport.ps1 

The above PowerShell script comes packed with complete Microsoft 365 email reports – received emails, sent emails, email traffic statistics for all users, and a complete list of monthly email traffic reports.   

And the icing on the cake? You can schedule these reports to run whenever you want! ⌛So, go ahead, schedule it, and keep a watchful eye on those email activities. 

8. Use DMARC Reports in Microsoft 365 to Validate Email Authentication: 

Impersonation attacks are on the rise, and they damage an organization’s reputation. However, admins could easily escape from such threats with a simple trick: configuring email authentications like SPF, DKIM, and DMARC. It’s like putting a security checkpoint at the email entrance! 

And don’t stop there! It’s also important to monitor DMARC reports to make sure everything is working as it should! DMARC reports show you which messages from your domain pass or fail in the email authentication and who is sending mail on your domain. This information can help you identify potential spammers and take action to retain your domain reputation. It’s email safety 101! 🕵️📧🔒 

More info: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-reports 

9. Transport Rule and DLP Rule Evaluation Report: 

Remember the Test-Message cmdlet that took a temporary break for some much-needed enhancements? Well, it’s back, and it’s better than ever, now available for everyone to use.

This is a powerful cmdlet for troubleshooting issues related to Exchange Transport Rules (ETR) and Data Loss Prevention (DLP) policies. This can help you understand why a particular rule may not be functioning as expected or identify potential conflicts between rules. 

This way, you get the inside scoop on what those rules are up to and what actions they’re taking. 🔍

Test-Message -Sender <username> -Recipients <username> -SendReportTo <username> -TransportRules –UnifiedDlpRules 

More info: https://m365scripts.com/2023/03/17/simplify-transport-rule-and-dlp-policy-evaluation-with-test-message-cmdlet/ 

Advanced Threat Protection in Exchange Online: 

Heard of a superhero for your email inbox? 🦸Well, Microsoft brought us just that with their dedicated security solution that’s tailor-made for business enterprises – Microsoft Defender. It’s like giving your admins superhuman powers to spot email threats in the blink of an eye, and here’s what it’s all about: 

• Advanced Threat Protection (ATP) in Exchange Online is a set of security features and services offered by Microsoft as part of its Microsoft 365 suite. It is designed to enhance email security by detecting and protecting against a range of cyber threats, including phishing, malware, and advanced threats, ensuring the safety of your email communication and data. 

Several components are packed inside Exchange Online’s advanced threat protection. Some key components are safe attachments, safe links, anti-phishing policies, threat intelligence, email explorer, automated investigation and response (AIR), and a few others.  

Definitely, these Microsoft Defender reports will be the admin’s trusty sidekick to spot any security issues, jump into action when needed, and track trends in cyber threats!😌 

Wrapping Up: 

While we’ve delved into these crucial email security reports, don’t think for a second that we’ve covered it all! ❌ There are more reports waiting to be explored – from zero-hour auto-purge reports to DLP rule-matched reports and plenty more. 

Now, here’s the key takeaway: Email security isn’t a one-size-fits-all deal. Every organization has its unique security chinks in the armor, which is why continuous monitoring should be done! So, while these 9 email security reports are a fantastic starting point, don’t hit the brakes just yet. 

Monitor continuously and stay safe out there! 🛡️📧💪