Measures reported by EXOMailBoxTest
When auditing user mailboxes, an administrator would typically like to know:
Which mailboxes were newly created, and which ones were modified / soft-deleted recently?
Which mailboxes are on hold, and what type of hold are they on: Litigation Hold or In-Place Hold?
Are any mailboxes shared? If so, which are they?
Have any mailboxes been enabled for forwarding mail to external addresses? If so, which ones?
The EXOMailBoxTest test provides administrators with quick and accurate answers to these questions, and thus enables them to manage mailboxes better.
Outputs of the test: One set of results for the Office 365 tenant being monitored.
The measures made by this test are as follows:
| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| Total_Mailboxes | Indicates the total count of mailboxes on Exchange Online. | Number | |
| FrwdMailbx | Indicates the count of mailboxes that have been enabled for forwarding mail to external email addresses. | Number | If this measure reports a non-zero value, use the detailed diagnosis of the measure to find out which mailboxes have been configured to send emails to external addresses. It is important for administrators to closely monitor the mail traffic to and from such mailboxes, because external forwarders are commonly used by hackers and bad actors to exfiltrate data from an organisation. |
| Shrdmailbx | Indicates the number of shared mailboxes. | Number | Shared mailboxes make it easy for a group of people in your company to monitor and send email from a common account, such as info@contoso.com or support@contoso.com. When a person in the group replies to a message sent to the shared mailbox, the email looks like it was sent by the shared mailbox, not by the individual user. To find out which mailboxes are shared, use the detailed diagnosis of this measure. |
| NewlyCreateMailbx | Indicates the number of mailboxes that were newly created. | Number | Use the detailed diagnosis of this measure to know which mailboxes were newly created. |
| RecntModifyMailbx | Indicates the number of mailboxes that were modified recently. | Number | Use the detailed diagnosis of this measure to identify the mailboxes that were changed recently. |
| SoftDeleteMailbx | Indicates the number of mailboxes that were soft deleted. | Number | A soft-deleted user mailbox is a mailbox that has been deleted using the Office 365 admin center or the Remove-Mailbox cmdlet in the Exchange Management Shell, and has been in the Azure Active Directory (Azure AD) recycle bin for less than 30 days. A user mailbox is soft deleted in the following cases: (1) the Azure AD user account associated with the mailbox is soft deleted (the Azure AD user object is out of scope or in the recycle bin container); (2) the Azure AD user account associated with the mailbox has been hard deleted, but the Exchange Online mailbox is on a litigation hold or eDiscovery hold; (3) the Azure AD user account associated with the mailbox has been purged within the last 30 days, which is the retention period for which Exchange Online keeps the mailbox in a soft-deleted state before it is permanently purged and unrecoverable. Use the detailed diagnosis of this measure to identify the soft-deleted mailboxes. |
| litigation_hold | Indicates the count of mailboxes on litigation hold. | Number | Litigation Hold is one of the functionalities of the eDiscovery feature in Exchange Online. Putting mailboxes, public folders or sites (e.g. OneDrive, SharePoint) on Litigation Hold prevents users from permanently deleting all or chosen content. Before the recent updates, Litigation Hold could secure only whole mailboxes; partial mailbox protection required using In-Place Hold. Now, Litigation Hold allows you to use filters and conditions so that you can decide precisely which items to protect and which not. As the name suggests, the primary function of a Litigation Hold is to protect data in case there is a lawsuit in action and some emails might be evidence. In fact, that is what the whole of eDiscovery is there for. But you can use it, as many other companies do, as a means to back up sensitive data, just in case. Although the storage for protected items is not limited, including all mailboxes is not advisable: it will save all items, including spam emails, making future searches troublesome, to say the least. What is more, if you remove a hold, all purged data is irreversibly deleted. You can export mailboxes to PST files and store them locally. This way, you will increase your data safety. To know which mailboxes are on litigation hold, use the detailed diagnosis of this measure. |
| Inplace_hold | Indicates the count of mailboxes on in-place hold. | Number | In-Place Hold essentially helps an admin determine what items to hold and the amount of time to hold them. Using the In-Place Hold feature, administrators can accomplish various tasks that centre on preserving email. Mail preservation is critical if a company is faced with litigation and needs to perform any sort of electronic discovery. Using In-Place Hold, an Exchange 2013 administrator can: place complete user mailboxes on hold; preserve mailbox items that were previously deleted; search for specific items via criteria such as keywords, send date, recipients and more; preserve items for an indefinite amount of time; place an actual user on hold. Use the detailed diagnosis of this measure to know which mailboxes have been put on in-place hold. |
| AllMailbox_hold | Indicates whether or not all mailboxes are currently on hold. | | The values that this measure can report and their corresponding numeric values are: Yes (numeric value 1) and No (numeric value 0). Note: Typically, this measure reports the Measure Values listed above to indicate whether or not all mailboxes are on hold. In the graph of this measure, however, the same is represented using the numeric equivalents only. |
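
The counts above can be cross-checked directly in Exchange Online PowerShell, which is useful when a non-zero FrwdMailbx value needs to be confirmed before investigating. The script below is an added example, not the test's own implementation; it assumes a connected ExchangeOnlineManagement session, and the 7-day `$RecentDays` window and the output property names are assumptions made here.

```powershell
# Added example. Assumes Connect-ExchangeOnline (ExchangeOnlineManagement module) has already run.
# $RecentDays is an assumed look-back window; the page does not define "recently".
$RecentDays = 7
$cutoff     = (Get-Date).AddDays(-$RecentDays)

# Domains owned by the tenant; a forwarding target outside this list is treated as external.
$internal  = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" }
$mailboxes = @(Get-Mailbox -ResultSize Unlimited)

# ForwardingSmtpAddress is stored as "smtp:user@domain".
$forwarders = @(foreach ($mbx in $mailboxes) {
    if (-not $mbx.ForwardingSmtpAddress) { continue }
    $target = "$($mbx.ForwardingSmtpAddress)" -replace '^smtp:', ''
    $domain = ($target -split '@')[-1]
    if ($internal -notcontains $domain) {
        [pscustomobject]@{
            Mailbox     = $mbx.PrimarySmtpAddress
            ForwardsTo  = $target
            KeepsCopy   = $mbx.DeliverToMailboxAndForward
            WhenChanged = $mbx.WhenChanged
        }
    }
})

# ForwardingAddress points at a directory recipient (possibly a mail contact with an
# external address), so list those separately for manual review.
$viaRecipient = @($mailboxes | Where-Object { $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingAddress)

$softDeleted = @(Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited)

# InPlaceHolds lists every hold identifier on the mailbox; counting any entry as an
# in-place hold is a simplification made in this example.
[pscustomobject]@{
    TotalMailboxes     = $mailboxes.Count
    ExternalForwarding = $forwarders.Count
    Shared             = @($mailboxes | Where-Object { $_.RecipientTypeDetails -eq 'SharedMailbox' }).Count
    NewlyCreated       = @($mailboxes | Where-Object { $_.WhenCreated -ge $cutoff }).Count
    RecentlyModified   = @($mailboxes | Where-Object { $_.WhenChanged -ge $cutoff }).Count
    SoftDeleted        = $softDeleted.Count
    OnLitigationHold   = @($mailboxes | Where-Object { $_.LitigationHoldEnabled }).Count
    OnInPlaceHold      = @($mailboxes | Where-Object { $_.InPlaceHolds }).Count
} | Format-List

$forwarders   | Sort-Object WhenChanged -Descending | Format-Table -AutoSize
$viaRecipient | Format-Table -AutoSize
```

Forwarding configured through inbox rules is not visible in these mailbox properties and has to be reviewed per mailbox with `Get-InboxRule`.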