Security – How to tell if a user has more than one computer logging in with Outlook

Tags: exchange, microsoft-office-365, powershell, security

I have reason to suspect that a user may be accessing their company email using a copy of Microsoft Outlook (or perhaps another email client) from a personal device for the purpose of data exfiltration. I've ruled out them accessing their account using ActiveSync (using Get-ActiveSyncDeviceStatistics -Mailbox [username] | ft DeviceType, DeviceUserAgent, LastSuccessSync in PowerShell), but I cannot seem to find a way to rule out the Outlook desktop app.

IMAP, POP3, and OWA are disabled for this user per corporate policy so I can rule those out as well.

Is there a way to tell which MAPI clients are or have authenticated with Exchange for a particular user? (This is hosted-exchange on an Office 365 tenant, and I have full admin permissions.)

Best Answer

One way to do this would be to navigate to the Security and Compliance center in your Office 365 tenant, navigate to Search, then to Audit log search, then do a search for "User signed into mailbox" (under Activities > Exchange mailbox activities) and focus the search on your user. Look for the IP address your user has signed in from. If you've disabled all but Outlook desktop (MAPI), then any logins you see can only be from the Outlook client. If you see IP addresses other than your company IP address, then that's an indication that the user is using Outlook to access their mailbox from locations other than the company network.

Another way to do it would be to navigate to the Azure AD admin center, navigate to Users, then to Sign-ins, and filter the sign-ins log for your user and for the client app. You can filter on several modern auth and legacy auth clients to narrow it down to what you're looking for. Once you find the activity, again look at the IP addresses associated with the activity and deduce from there.
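The same "User signed into mailbox" search that the answer describes can be run from PowerShell against the unified audit log, which makes it easier to triage a month of logins than paging through the portal. The script below is an added example and is not part of the question or the answer. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) so that Search-UnifiedAuditLog is available, that the audit records for the MailboxLogin operation carry ClientIPAddress, ClientInfoString, UserId and CreationTime in their AuditData JSON, and that 203.0.113.0/24 stands in for the company's egress range. The two sample records, the user name jdoe@contoso.com and the client strings are constructed so the classification logic runs offline without a tenant.

```powershell
# Added example, not from the original question or answer.
# Assumptions: Connect-ExchangeOnline has been run (for the live query at the end),
# MailboxLogin audit records expose ClientIPAddress / ClientInfoString / UserId / CreationTime,
# and 203.0.113.0/24 is a placeholder for the corporate egress range.

function ConvertTo-UInt32Address {
    # Turn a dotted IPv4 string into a big-endian uint32 for prefix comparison.
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                      # BitConverter is little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPInCidr {
    # IPv4-only prefix match; anything else (IPv6, unparsable) is reported as
    # not-on-network so it surfaces for manual review rather than being hidden.
    param([string]$Ip, [string]$Cidr)
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$parsed)) { return $false }
    if ($parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $network, $bits = $Cidr -split '/'
    $full = [uint64]0xFFFFFFFF
    $mask = [uint64](($full -shl (32 - [int]$bits)) -band $full)
    return (((ConvertTo-UInt32Address $Ip) -band $mask) -eq ((ConvertTo-UInt32Address $network) -band $mask))
}

function Get-MailboxLoginSummary {
    # Flatten Search-UnifiedAuditLog records into one row per login, tagged with
    # whether the source IP falls inside any of the corporate ranges.
    param(
        [Parameter(Mandatory)] $Records,
        [Parameter(Mandatory)] [string[]] $CorporateCidrs
    )
    foreach ($record in $Records) {
        $data = $record.AuditData | ConvertFrom-Json
        $ip = [string]$data.ClientIPAddress
        # ClientIPAddress is sometimes logged with a source port, e.g. "198.51.100.7:51234".
        if ($ip -match '^(\d{1,3}(\.\d{1,3}){3})(:\d+)?$') { $ip = $Matches[1] }
        $onNet = [bool]($CorporateCidrs | Where-Object { Test-IPInCidr -Ip $ip -Cidr $_ } | Select-Object -First 1)
        [pscustomobject]@{
            Time               = $data.CreationTime
            User               = $data.UserId
            ClientIP           = $ip
            Client             = $data.ClientInfoString
            OnCorporateNetwork = $onNet
        }
    }
}

# Constructed sample records in the shape Search-UnifiedAuditLog returns (AuditData is a JSON string).
# The second login comes from outside the corporate range and should be flagged.
$sampleRecords = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2019-05-06T08:02:11","UserId":"jdoe@contoso.com","Operation":"MailboxLogin","ClientIPAddress":"203.0.113.25","ClientInfoString":"Client=MSExchangeRPC"}' },
    [pscustomobject]@{ AuditData = '{"CreationTime":"2019-05-06T21:47:03","UserId":"jdoe@contoso.com","Operation":"MailboxLogin","ClientIPAddress":"198.51.100.7:51234","ClientInfoString":"Client=MSExchangeRPC"}' }
)

Get-MailboxLoginSummary -Records $sampleRecords -CorporateCidrs @('203.0.113.0/24') |
    Where-Object { -not $_.OnCorporateNetwork } |
    Format-Table -AutoSize

# Live query against the tenant (requires Connect-ExchangeOnline; same function, real records):
# $live = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#             -UserIds 'jdoe@contoso.com' -Operations MailboxLogin -ResultSize 5000
# Get-MailboxLoginSummary -Records $live -CorporateCidrs @('203.0.113.0/24') |
#     Where-Object { -not $_.OnCorporateNetwork } | Format-Table -AutoSize
```

Two caveats for the live run: MailboxLogin events only appear if mailbox auditing is enabled for the mailbox, so check that before concluding that an empty result means no external access, and Search-UnifiedAuditLog returns at most 5000 records per call, so a busy mailbox over a long window needs the -SessionId / -SessionCommand ReturnLargeSet paging that the cmdlet provides. The off-network rows are a starting point, not proof on their own: a corporate laptop on home Wi-Fi or a VPN split tunnel produces the same signal, so correlate the flagged IPs and times with the Azure AD sign-in entries the answer mentions before drawing a conclusion.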