Whether organizations run Exchange on premises or in Office 365, administrators have a responsibility to act quickly...
when problems arise.
The sooner an admin knows about unusual activity, the faster they can react to avoid a service outage or repel an attack. Some examples include a rogue admin granting temporary access without permission, a user attempting to download a large amount of intellectual property or a server issue delaying mail flow.
For on-premises Exchange, alerting involves installing third-party monitoring software on your servers that analyze logs and issue warnings when it detects potential problems. On its cloud collaboration platform, Microsoft offers more options with Office 365 alerts via built-in functionality and Enterprise Mobility + Security, or administrators can use a third-party tool.
Options for Office 365 alerts
If you have Office 365 Enterprise E5 licensing -- or have added the licensing for Advanced Compliance features -- then you have access to Advanced Data Governance. Another option is to use a third-party tool that hooks into Office 365 and provides similar, and in some cases better, functionality.
Advanced Data Governance offers a variety of features, such as automatic labeling of data, advanced retention and advanced eDiscovery, and automatic alerts from within Office 365's Security and Compliance Center.
If you have Enterprise Mobility + Security Enterprise E5 licensing, then you have access to the advanced features within Microsoft Cloud App Security, which can also be purchased separately. This offering spots the use of shadow IT tools and also provides advanced proactive alerts and automatic actions for Office 365, to name just a few features.
Organizations with basic Office 365 licensing can use third-party products such as Radar Reporting, which utilizes API access to Office 365 to get up-to-date data from the service and provide alerts and insights.
Constructing Office 365 alerts
Admins can configure Office 365 alerts in the Security and Compliance Center from the Alerts panel. Figure 1 shows alert policies in the Dashboard section. Office 365 Enterprise E5 subscribers get default alerts that cover the basics, including privilege elevation, malware campaigns and unusual file activity.
To create Office 365 alerts, choose Alert Policies, and then select New Alert Policy.
A New Alert Policy dialog will appear. Select the Severity of the alert and the Category. Available categories include data loss prevention, threat management, data governance, permissions and mail flow.
The second page of the dialog shows the Activity picker. The list of activities that trigger an alert is extensive, covering common user activities, file and folder activities, data sharing, client synchronization, and administration activities.
After selecting the activity, configure the trigger threshold. Figure 2 shows the condition for a trigger if users download a significant number of files.
Office 365 bases its alert policies for data downloads in the last hour or longer. For this article, we've configured a policy that will issue an alert if a user downloads more than 1,000 files in 60 minutes. Beyond setting policies manually, Office 365 can send warnings if it detects activity it deems unusual.
After setting the Office 365 alerts, emails will arrive to nominated accounts when policies trigger. Figure 3 shows an example of an alert sent to an administrator when permissions changed for an Exchange Online mailbox.
Clicking Investigate offers more detailed information about the alert in the Security and Compliance Center. Office 365 alerts can be marked as Resolved or you can choose View Activity List to see the executed commands and notify the affected users.