Exchange multi mailbox Search

This blog post is about putting more restrictions and governance on the process of multi-mailbox search. I believe that it should take the action of at least two people to perform such a search, instead of giving that power to one person.

Sometimes the security or legal team needs to search mailboxes for keywords in order to investigate a security or legal incident. Giving one person the ability to view and access other mailboxes without proper auditing is something most organizations fear doing, even if that person is trusted.

Starting with Exchange 2010, I believe, the Microsoft Exchange platform comes with a feature called Multi-Mailbox Search, but I find myself uncomfortable giving some people access to search all mailboxes. So I started looking for a way to require two different entities to work together whenever such a search is needed.

What I have in mind is the following. We have an IT security team and a separate information security team. These are two different teams that report to different people. We set a rule that any search request must originate from the information security team. This team is responsible for requesting the search and for viewing the results.

To introduce another layer of control, whenever the information security team decides to do a mailbox search, they need to contact the IT security team. The IT security team is the only team with access to submit a search request in Exchange. However, they do not have access to the search results; only the information security team does.

So it takes the collaboration of two teams to perform an end-to-end mailbox search. The IT security team runs the search query but cannot see the results, while the information security team cannot run a search but can see the results of the search performed by the IT security team.

How multi mailbox search works

I will not go through the details of how this feature works, as you can read about it on TechNet. Instead I will highlight a couple of points:

Exchange 2010 introduces the Discovery Management role group and the Discovery Search Mailbox. By default no users are members of this role group, and the user account associated with the Discovery Search Mailbox is disabled, so the mailbox cannot receive e-mail.

  • You start by granting a domain user “John” the Discovery Management role in Exchange by running:
Add-RoleGroupMember -Identity "Discovery Management" -Member John
  • John can go to his Outlook Web App > Exchange Control Panel, where he will have access to the Reporting section under My Organization.
  • From there John can specify search criteria as shown below.

[Image: Exchange multi mailbox search]

  • The results of the search will be sent to the built-in system mailbox called Discovery Search Mailbox.

John is automatically granted access to that Discovery Search Mailbox, where he can view the results. This is because the Discovery Search Mailbox is configured by default with the Contoso\Discovery Management group having Full Access to the mailbox, and John is added to that group as soon as he is granted the Discovery Management role.

Note: The problem with this approach is that John can perform any search or mailbox discovery on corporate mailboxes without proper control or auditing, and this is a serious concern.
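Before changing anything, it is worth confirming the default state described above from the Exchange Management Shell: who is in the role group, which roles it carries, and who has Full Access to the Discovery Search Mailbox. The following is an added example, not part of the original post; it assumes Exchange 2010 cmdlets and uses the post's example domain Contoso.

```powershell
# Added example (not from the original post): inspect the default multi-mailbox
# search permissions from the Exchange Management Shell. Assumes Exchange 2010.

# 1. Who holds the Discovery Management role? Out of the box this list is empty.
Get-RoleGroupMember -Identity "Discovery Management" |
    Select-Object Name, RecipientType

# 2. Which management roles does the role group carry? This is what lets a member
#    create searches from the ECP Reporting page.
Get-ManagementRoleAssignment -RoleAssignee "Discovery Management" |
    Select-Object Role, RoleAssigneeType

# 3. Locate the built-in Discovery Search Mailbox by its recipient type rather than
#    by display name, so a renamed mailbox is still found.
$discovery = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox |
    Where-Object { $_.Name -like "Discovery Search Mailbox*" }
$discovery | Select-Object Name, PrimarySmtpAddress, Database

# 4. Who has explicit Full Access to it? By default the Discovery Management role
#    group does, which is why a newly added member can read every search result.
Get-MailboxPermission -Identity $discovery.Identity |
    Where-Object {
        $_.AccessRights -like "*FullAccess*" -and
        -not $_.IsInherited -and
        -not $_.Deny -and
        $_.User -notlike "NT AUTHORITY\SELF"
    } |
    Select-Object User, AccessRights
```

If the last command lists Contoso\Discovery Management, anyone you add to the role group can both run a search and read its output, which is exactly the situation the rest of the post sets out to prevent.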

Segregation of duties

The solution is simply segregation of duties, where one person performs the search and another person gets access to view the results. So it takes two people to perform a search and view its results: a form of two-person control, similar in spirit to multi-factor authentication.

In this scenario, John can only go to his OWA experience and perform the multi-mailbox search with any criteria he wants, and the results will be sent to the Discovery Search Mailbox. John should not have access to that system mailbox, and thus cannot view the results of his own search.

Now, Sue is another security administrator, and she is granted Full Access to the Discovery Search Mailbox. She can see the results of the multi-mailbox search performed by John. This means that one person can run the search but cannot view the results, while the other can view the results but cannot run the search. In other words, we require two different people to act in order to perform such a multi-mailbox search on corporate mailboxes.

Let us go through the steps that make this happen:

  • For John, add him to the “Discovery Management” Exchange role group:
Add-RoleGroupMember -Identity "Discovery Management" -Member John
  • For Sue, go to the Exchange Management Console, search for the Discovery Search Mailbox, right-click it, choose Manage Full Access Permission and do the following:
    • Remove Contoso\Discovery Management.
    • Add Contoso\Sue.

[Image: multi mailbox search 2]

  • Ask John to do the multi-mailbox search from his OWA experience.
  • Once done, the results are sent to the Discovery Search Mailbox. Although John is still a member of the Discovery Management role group, he cannot access that mailbox, because we removed the Full Access that the Discovery Management AD security group had on it.
  • Now John will call Sue and ask her to access that discovery mailbox by typing:

Note: you will need the SMTP address of the discovery mailbox. You can find it by searching for the “Discovery Search Mailbox” in the Exchange Management Console and viewing the SMTP address from there.

[Image: multi mailbox search 2]
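The same segregation-of-duties setup can be scripted end to end, which also gives you a repeatable check that the two duties really are split. The block below is an added example, not the post's own procedure, and assumes Exchange 2010 cmdlets; Contoso, John and Sue are the post's example names. The final audit-log step assumes administrator audit logging is enabled, which requires Exchange 2010 SP1 or later.

```powershell
# Added example (not from the original post): enforce and verify the split between
# "can search" (John) and "can read results" (Sue). Assumes Exchange 2010 EMS.

$discovery = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox |
    Where-Object { $_.Name -like "Discovery Search Mailbox*" }

# Step 1: John may submit searches via the Discovery Management role group ...
Add-RoleGroupMember -Identity "Discovery Management" -Member John

# Step 2: ... but the role group loses its default Full Access to the results mailbox,
#         so membership alone no longer reveals the search output.
Remove-MailboxPermission -Identity $discovery.Identity -User "Contoso\Discovery Management" `
    -AccessRights FullAccess -InheritanceType All -Confirm:$false

# Step 3: Sue, who is deliberately NOT in Discovery Management, is the sole reader.
Add-MailboxPermission -Identity $discovery.Identity -User "Contoso\Sue" `
    -AccessRights FullAccess -InheritanceType All

# Verification 1: explicit Full Access holders should be Sue only.
$readers = Get-MailboxPermission -Identity $discovery.Identity |
    Where-Object {
        $_.AccessRights -like "*FullAccess*" -and
        -not $_.IsInherited -and
        -not $_.Deny -and
        $_.User -notlike "NT AUTHORITY\SELF"
    }
$readers | Select-Object User, AccessRights
if ($readers | Where-Object { $_.User -like "*Discovery Management*" }) {
    Write-Warning "Discovery Management still has Full Access: searchers can read results."
}

# Verification 2: the reader must not also be a searcher, or one person could do both.
if (Get-RoleGroupMember -Identity "Discovery Management" | Where-Object { $_.Name -eq "Sue" }) {
    Write-Warning "Sue is a member of Discovery Management: segregation of duties is broken."
}

# Audit trail: every search John submits from the ECP is executed as New-MailboxSearch
# and recorded in the administrator audit log, so the reviewer can see who searched what.
Search-AdminAuditLog -Cmdlets New-MailboxSearch -StartDate (Get-Date).AddDays(-30) |
    Select-Object RunDate, Caller, ObjectModified, Succeeded
```

Run the two verification sections periodically, not only at setup time: a later administrator re-adding the role group to the mailbox ACL, or adding Sue to the role group, silently collapses the two-person control back to one person.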