Microsoft 365 Exchange Online mailboxes are evaluated for audit logging bypass by reviewing the AuditBypassEnabled setting and identifying mailboxes where auditing can be circumvented.
Risk
Bypassed mailbox auditing removes visibility into access and actions, weakening detective controls. Covert data exfiltration, inbox-rule abuse, and persistence become harder to spot, harming confidentiality and integrity and impeding forensics.
prowler m365 --checks exchange_mailbox_audit_bypass_disabled
Recommendation
Disable audit bypass by keeping AuditBypassEnabled set to false for all accounts. Apply least privilege to service identities, use dedicated accounts for automation, and monitor for bypass associations with alerts. Enforce separation of duties and preserve tamper-resistant audit logs.
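The monitoring recommended above can be driven from the unified audit log, where Exchange admin cmdlets are recorded under their cmdlet name. The following PowerShell is an added example, not part of Prowler or of this check. It assumes records shaped like Search-UnifiedAuditLog output (an AuditData JSON string with Operation, UserId, CreationTime and a Parameters name/value list); the function name Find-AuditBypassEnabledEvent and the sample records are constructed for illustration.

```powershell
# Added example: flag audit records in which mailbox audit bypass was turned ON.
function Find-AuditBypassEnabledEvent {
    [CmdletBinding()]
    param(
        # Records shaped like Search-UnifiedAuditLog output (AuditData is a JSON string).
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Record
    )
    process {
        foreach ($r in $Record) {
            $data = $r.AuditData | ConvertFrom-Json
            if ($data.Operation -ne 'Set-MailboxAuditBypassAssociation') { continue }

            # Parameters is a list of Name/Value pairs; values arrive as strings.
            $params = @{}
            foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }

            # Only enabling bypass is of interest; setting it to $false is the remediation.
            if ($params['AuditBypassEnabled'] -notmatch '^\$?true$') { continue }

            [pscustomobject]@{
                Time   = $data.CreationTime
                Actor  = $data.UserId
                Target = $params['Identity']
            }
        }
    }
}

# Constructed sample records (not real tenant data): one enables bypass, one disables it.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-01-15T09:12:44","Operation":"Set-MailboxAuditBypassAssociation","UserId":"admin@example.com","Parameters":[{"Name":"Identity","Value":"svc-backup"},{"Name":"AuditBypassEnabled","Value":"True"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-01-15T10:30:02","Operation":"Set-MailboxAuditBypassAssociation","UserId":"admin@example.com","Parameters":[{"Name":"Identity","Value":"svc-backup"},{"Name":"AuditBypassEnabled","Value":"False"}]}' }
)

# Emits one object: the 09:12:44 change that enabled bypass for svc-backup.
$sample | Find-AuditBypassEnabledEvent

# Live use (after Connect-ExchangeOnline, with unified audit logging enabled):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -Operations 'Set-MailboxAuditBypassAssociation' -ResultSize 5000 |
#     Find-AuditBypassEnabledEvent
```

Run on a schedule, any object this returns is a change that should be matched against an approved request for the named identity.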
Remediation
Get-MailboxAuditBypassAssociation -ResultSize unlimited | Where-Object {$_.AuditBypassEnabled} | ForEach-Object { Set-MailboxAuditBypassAssociation -Identity $_.Identity -AuditBypassEnabled $false }
- Open PowerShell and connect to Exchange Online: Connect-ExchangeOnline
- Run:
Get-MailboxAuditBypassAssociation -ResultSize unlimited | Where-Object {$_.AuditBypassEnabled} | ForEach-Object { Set-MailboxAuditBypassAssociation -Identity $_.Identity -AuditBypassEnabled $false }
Resource Type
NotDefined