Exchange Online Promises Forensic Coverage of Mailbox Accesses
In January, we reported Microsoft’s announcement that a new mailbox audit record called MailItemsAccessed in the set of actions that can be captured for mailbox activity. At the time, they said “The new action will capture details of when a message in a mailbox is opened by the mailbox owner, delegate (someone with read access to the mailbox), or using administrative access.” According to Microsoft, the data gathered gives “comprehensive forensic coverage of mailbox accesses.”
Sometimes things don’t go quite to plan in the cloud, and Office 365 Admin Center notification MC176515 published on 26 March 2019 contained the blunt message that “We have rolled back the feature, at this time, and so the MailItemsAccessed action will no longer be available.” The additional information link in the notification leads to a discussion about how to manage mailbox auditing for Exchange Online that doesn’t mention MailItemsAccessed at all and the title of the notification could be clearer, meaning that administrators could easily miss it.
All-in-all, given that the new audit record opened the possibility of comprehensive forensic coverage of mailbox accesses, Microsoft’s terse statement deserved some interrogation.
MC176515 Announces the halting of the rollout for the MailItemsAccessed Audit Record
Microsoft’s Explanation
I reached out to Greg Taylor, Marketing Director for Exchange, who told me that: “There were technical challenges that during the process of rolling out of MailItemsAccessed to the different regions. Keeping in mind the necessity of complete accuracy and availability of data, we decided to roll the changes back, make the fixes and re-initiate the rollout. We will begin the rollout again soon, and will be sharing more details with respect to the rollout plan and availability.”
Reading between the lines, we can say that:
Bugs were discovered. Speculating what might have happened, perhaps not all accesses to messages were captured in audit records , or the audit records were not correctly ingested from Exchange Online into the Office 365 audit log (something that has happened before).
Microsoft detected the problem and because it involves data (loss?), they decided to pull the code that generates the new audit record.
They’re working on the fixes and will restart the rollout when the new code is available. No timeline is available for when this might be.
Audit Records are Important
I think everyone will agree that audit records are important. Office 365 must generate audit records when expected, the audit records must contain the correct data, be immutable, and discoverable. The problem found by Microsoft with the MailItemsAccessed audit record might belong in either or both of the first two buckets, so it’s good that they have taken the action to find and fix the problem.
Now, if only someone could teach the people who write the Office 365 notifications how to use clear, concise, and informative language, we’d all be in a happier place.
We cover mailbox auditing and the Office 365 audit log in Chapter 21 of the Office 365 for IT Pros eBook. The advent of the MailItemsAccessed audit record is covered there. We’ll add a caveat now and remove it after Microsoft restarts its deployment. It’s what we do in the ePublishing world!
4 Replies to “Microsoft Halts Deployment of MailItemsAccessed Audit Records”
Did you want something like this instead?
“In MC171679 we introduced a better way of capturing audit records for mailbox actions that more fully captured auditable events in Exchange Online. However, we can’t make it work. We stuffed it up. It’s too complicated. Office 365 has gotten out of control. The beast is taking over!!!
While we wrestle with the beast, we’ve removed the new way of doing auditing. We live to fight another day, and while that day is not this day, it is coming.”
And perhaps that is what Mr Taylor wrote, but after it was processed through the PowerShell cmdlet NormalizeMicrosoftAnnouncementForPublicRelease, we got the above.
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}
Did you want something like this instead?
“In MC171679 we introduced a better way of capturing audit records for mailbox actions that more fully captured auditable events in Exchange Online. However, we can’t make it work. We stuffed it up. It’s too complicated. Office 365 has gotten out of control. The beast is taking over!!!
While we wrestle with the beast, we’ve removed the new way of doing auditing. We live to fight another day, and while that day is not this day, it is coming.”
I’m sure Mr. Taylor will be happy with your rewrite of his English!
And perhaps that is what Mr Taylor wrote, but after it was processed through the PowerShell cmdlet NormalizeMicrosoftAnnouncementForPublicRelease, we got the above.