Microsoft Reveals Audit Gap for Delegate Send Actions

Second Major Issue with Exchange Online Audit Data

On May 19, Microsoft published Microsoft 365 message center notification MC382148 to disclose that an eight-week hiatus in generating audit events for delegated email send activity had happened. According to Microsoft, between January 28, 2022, and March 26. 2022, “some audit log entries were not generated for the Send As and Send on Behalf of delegate scenarios.” These events are captured when people use the Exchange SendAs and SendOnBehalfOf permissions to send email for other mailboxes.

Microsoft says that the root cause is a change in logging telemetry within auditing services. A fix is now in place to “help us minimize the possibility of an event like this happening again and will expedite future investigations.” However, because Exchange Online never generated the events, the Office 365 audit log never ingested the data, and the information is not in the log. Microsoft says that the missing data is irrecoverable.

This isn’t the first time that Microsoft has had a longstanding problem with ingestion into the Office 365 audit log (or unified audit log) for Exchange Online events. In September 2018, the developers knew of a problem with truncated data for group creation events. Microsoft didn’t fix that problem until May 2019.

Checking SendAs Events

To check the current situation, I searched for SendAs audit events in my tenant and found some generated during the problem period. I also ran a script that I’ve used in the past to report on these events and found some “interesting” information in the audit events. Here’s an example of a message sent by me on May 16 using Outlook mobile:

CreationTime          : 2022-05-16T11:03:47
Id                    : b5c89d0a-bb88-4620-6df9-08da372bc089
Operation             : SendAs
OrganizationId        : b662313f-14fc-43a2-9a7a-d2e27f4f3478
RecordType            : 2
ResultStatus          : Succeeded
UserKey               : 1003BFFD805C87B0
UserType              : 0
Version               : 1
Workload              : Exchange
ClientIP              : 2a01:b340:63:7141:a5cd:a160:e805:aae7
UserId                :
AppId                 : 27922004-5251-4030-b22d-91ecd9a37ea4
ClientIPAddress       : 2a01:b340:63:7141:a5cd:a160:e805:aae7
ClientInfoString      : Client=OutlookService;Outlook-iOS/2.0;
ClientRequestId       : 5009
ExternalAccess        : False
InternalLogonType     : 0
LogonType             : 2
LogonUserSid          : S-1-5-21-458367025-2064581115-2950179075-392557
MailboxGuid           : 0370f354-2752-4437-878d-cf0e5310a8d4
MailboxOwnerSid       : S-1-5-21-458367025-2064581115-2950179075-392557
MailboxOwnerUPN       :
OrganizationName      :
OriginatingServer     : DB7PR04MB4410 (15.20.4200.000)
SessionId             : 3431534d-331e-4924-b324-cbfa9cc55e24
Item                  : @{Id=LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQA3tTkMTDKYRI6zB9VW59QNAAVriOkWAAAJ; InternetMessageId=<>; ParentFolder=;Sensitivity=2fe7f66d-096a-469e-835f-595532b63560; SizeInBytes=4428; Subject=Phone number}
SendAsUserMailboxGuid : 0370f354-2752-4437-878d-cf0e5310a8d4
SendAsUserSmtp        :

Three Properties with the Same Value

The problem with this audit record is that the User, MailboxOwnerUPN, and SendAsUserSmtp properties all have the same value. When a delegate impersonates another user to send a message, Exchange Online logs the delegate’s name in the User and MailboxOwnerUPN properties and captures the SMTP address of the impersonated user in the SendAsUserSmtp property. Having the same value in the three properties doesn’t make sense.

A closer examination of the SendAs events in the audit log revealed multiple cases where the three properties had the same value. Most of the events originated using the Outlook mobile client and, in all cases, the mailbox owner sent the message. There’s no reason why Exchange Online should consider this message to be a SendAs event because the mailbox owner sent the message. A common feature of all the messages logged erroneously as SendAs events is that they were addressed to external recipients.

Tests revealed that audit events for delegate messages sent using the Send As permission from the OWA and Outlook desktop clients capture the correct information. However, despite being present in the Exchange Online mailbox audit log, messages sent using delegate access from Outlook Mobile didn’t show up in the Office 365 audit log.

Interestingly, SendAs events also appeared for messages sent by mailbox owners from the preview version of the One Outlook client for Windows (Monarch). This client uses the same Microsoft sync technology connection as Outlook mobile does, so perhaps that’s where the issue lies. Figure 1 shows Exchange SendAs events from the audit log. The instances were owners sent messages rather than delegates are highlighted. All instances used the Outlook Mobile or Monarch clients.

Analyzing Exchange SendAs events from the Office 365 audit log
Figure 1: Analyzing Exchange SendAs events from the Office 365 audit log

In summary, two problems were found:

  • Messages sent using delegate access from Outlook Mobile are not captured in the Office 365 audit log.
  • Exchange Online captures messages sent by mailbox owners to external recipients using Outlook Mobile and Outlook Monarch in the Office 365 audit log as Send As events..

It’s an odd situation that appears to go back to at least February 2022. I guess no one noticed because we all accepted the validity of SendAs events in the audit log.

Problems Persist With Exchange SendAs Audit Data

Organizations depend on audit data to know what happens inside their tenants. Delegate email action are often examined to answer questions like “who sent that message,” and can make important contributions to compliance investigations.

Microsoft needed several attempts to fix the truncated audit record problem in 2018-2019. Now we have another instance where a longstanding problem with audit events generated by Exchange Online results in data loss and some odd results in audit data generated by Outlook mobile and Monarch clients. Testing software in the age of the cloud certainly appears to be a lost skill.

Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the ultimate eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.