Exchange Online Promises Forensic Coverage of Mailbox Accesses
In January, we reported Microsoft’s announcement that a new mailbox audit record called MailItemsAccessed in the set of actions that can be captured for mailbox activity. At the time, they said “The new action will capture details of when a message in a mailbox is opened by the mailbox owner, delegate (someone with read access to the mailbox), or using administrative access.” According to Microsoft, the data gathered gives
“comprehensive forensic coverage of mailbox accesses.”
Sometimes things don’t go quite to plan in the cloud, and Office 365 Admin Center notification MC176515 published on 26 March 2019 contained the blunt message that “We have rolled back the feature, at this time, and so the MailItemsAccessed action will no longer be available.” The additional information link in the notification leads to a discussion about how to manage mailbox auditing for Exchange Online that doesn’t mention MailItemsAccessed at all and the title of the notification could be clearer, meaning that administrators could easily miss it.
All-in-all, given that the new audit record opened the possibility of comprehensive forensic coverage of mailbox accesses, Microsoft’s terse statement deserved some interrogation.
Microsoft’s Explanation
I reached out to Greg Taylor, Marketing Director for Exchange, who told me that: “There were technical challenges that during the process of rolling out of MailItemsAccessed to the different regions. Keeping in mind the necessity of complete accuracy and availability of data, we decided to roll the changes back, make the fixes and re-initiate the rollout. We will begin the rollout again soon, and will be sharing more details with respect to the rollout plan and availability.”
Reading between the lines, we can say that:
- Bugs were discovered. Speculating what might have happened, perhaps not all accesses to messages were captured in audit records , or the audit records were not correctly ingested from Exchange Online into the Office 365 audit log (something that has happened before).
- Microsoft detected the problem and because it involves data (loss?), they decided to pull the code that generates the new audit record.
- They’re working on the fixes and will restart the rollout when the new code is available. No timeline is available for when this might be.
Audit Records are Important
I think everyone will agree that audit records are important. Office 365 must generate audit records when expected, the audit records must contain the correct data, be immutable, and discoverable. The problem found by Microsoft with the MailItemsAccessed audit record might belong in either or both of the first two buckets, so it’s good that they have taken the action to find and fix the problem.
Now, if only someone could teach the people who write the Office 365 notifications how to use clear, concise, and informative language, we’d all be in a happier place.
We cover mailbox auditing and the Office 365 audit log in Chapter 21 of the Office 365 for IT Pros eBook. The advent of the MailItemsAccessed audit record is covered there. We’ll add a caveat now and remove it after Microsoft restarts its deployment. It’s what we do in the ePublishing world!
Did you want something like this instead?
“In MC171679 we introduced a better way of capturing audit records for mailbox actions that more fully captured auditable events in Exchange Online. However, we can’t make it work. We stuffed it up. It’s too complicated. Office 365 has gotten out of control. The beast is taking over!!!
While we wrestle with the beast, we’ve removed the new way of doing auditing. We live to fight another day, and while that day is not this day, it is coming.”
I’m sure Mr. Taylor will be happy with your rewrite of his English!
And perhaps that is what Mr Taylor wrote, but after it was processed through the PowerShell cmdlet NormalizeMicrosoftAnnouncementForPublicRelease, we got the above.