
Insider Threat Matrix™

  • ID: DT141
  • Created: 12th August 2025
  • Updated: 17th August 2025
  • Contributor: The ITM Team

Microsoft Defender, Granted Mailbox Permission

This detection monitors the granting of mailbox read permissions, an operation that enables a user account to access another user's or shared mailbox. By alerting on this permission change in Microsoft Defender, investigators gain early visibility into potential misuse of mailbox data and can trace both the granting account and the recipient of the access.


In the Microsoft Defender portal at https://security.microsoft.com, navigate to Email & collaboration > Policies & rules > Alert policy. To go directly to the Alert policy page, use https://security.microsoft.com/alertpoliciesv2.


Click "+ New Alert Policy" in the top-left corner. Assign a clear name to the alert policy and select an appropriate Severity and Category. On the next page, under “Activity is”, search for and select Granted mailbox permission. Configure the remaining settings as required. To alert only on events generated by specific accounts, add a condition using either User: User is or User: User tags are.


When reviewing an alert generated by this rule, select an activity row in the Activity list table to display related information. A panel will open on the right-hand side of the alert page, under “Activity details”, showing the Item (the target mailbox's friendly name), User (the email address of the account that made the change), IP address, and timestamp. To identify the account that was granted read access to the mailbox, review the Parameters JSON output and retrieve the “Value” (an object ID) from the entry whose "Name" is "User". This ID can then be searched in the “All users” section of Entra ID to identify the target user account.
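As an added example (not part of this ITM page or of Microsoft's tooling), the following Python pulls the same pivot fields out of an exported audit record: the granting account, its IP, the target mailbox, and the object ID from the "User" parameter that is then looked up in Entra ID. The record is constructed, and the field names (Operation, UserId, ClientIP, ObjectId, Parameters as Name/Value pairs) are assumed from the unified audit log schema; the "Granted mailbox permission" activity is assumed to correspond to the Add-MailboxPermission operation.

```python
import json

# Constructed sample record (invented values, not real data) shaped like the
# Exchange audit entry behind a "Granted mailbox permission" alert. The field
# names (Operation, UserId, ClientIP, ObjectId, Parameters as Name/Value
# pairs) are assumed from the unified audit log schema.
SAMPLE_RECORD = json.dumps({
    "CreationTime": "2025-08-12T09:14:03",
    "Operation": "Add-MailboxPermission",
    "UserId": "it-admin@example.com",
    "ClientIP": "203.0.113.10",
    "ObjectId": "Finance Shared Mailbox",
    "Parameters": [
        {"Name": "Identity", "Value": "Finance Shared Mailbox"},
        {"Name": "User", "Value": "11111111-2222-3333-4444-555555555555"},
        {"Name": "AccessRights", "Value": "FullAccess"},
    ],
})

def parse_parameters(record):
    """Flatten the Parameters list of {"Name": ..., "Value": ...} into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def summarize_grant(raw_json):
    """Return the investigator's pivot fields, or None if not a permission grant."""
    record = json.loads(raw_json)
    if record.get("Operation") != "Add-MailboxPermission":
        return None
    params = parse_parameters(record)
    return {
        "timestamp": record.get("CreationTime"),
        "granted_by": record.get("UserId"),        # account that made the change
        "source_ip": record.get("ClientIP"),
        "target_mailbox": params.get("Identity", record.get("ObjectId")),
        "grantee_object_id": params.get("User"),   # search this in Entra ID > All users
        "access_rights": params.get("AccessRights"),
    }

def needs_review(summary, sensitive_mailboxes):
    """Escalate grants on watched mailboxes or grants of full mailbox access."""
    return (summary["target_mailbox"] in sensitive_mailboxes
            or summary["access_rights"] == "FullAccess")

if __name__ == "__main__":
    grant = summarize_grant(SAMPLE_RECORD)
    print(json.dumps(grant, indent=2))
    print("needs review:", needs_review(grant, {"Finance Shared Mailbox"}))
```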

Sections

  • IF010 Exfiltration via Email: A subject uses electronic mail to exfiltrate data.
  • PR015 Email Collection: A subject may target user email to collect sensitive information.
  • IF010.001 Exfiltration via Corporate Email: A subject exfiltrates information using their corporate-issued mailbox, either via software or webmail. They will access the conversation at a later date to retrieve information on a different system.