Forum Discussion
Reyncat
Apr 05, 2022 - Copper Contributor
Exchange Online - In-Place Holds Audit logs
Hello, I am looking for the log which would contain the event when an In-Place hold GUID is stamped onto a mailbox. Mailbox audit logs and Unified audit logs have not been any help. It seems t...
VasilMichev
Apr 11, 2022 - MVP
I'm not sure whether this one is logged, as it's likely considered part of the internal sync processes. You can run an admin audit search in Exchange Online; if there is any event captured, you'll likely find it under the "external admin" section.
Tom_R_
Apr 11, 2022 - Brass Contributor
Hi Vasil,
Thanks for your reply. That event is not included in the admin audit log either. I have been working with MSFT support and it was determined that the actual stamping of the GUID to the InPlaceHolds attribute by Exchange is not captured. Pretty odd, as you would think it's a simple Set-Mailbox command that is initiated by the Compliance Center. According to the tech I was working with, that granular level of auditing is not available at this time. You can create a DCR through your ACE or CSAM to request that capability be added. Assuming there is an internal sync process between Compliance Center and Exchange, I was also told that it can take up to an hour for an in-place hold to be applied to a mailbox depending on your AD topology and replication latency, so there could be an even larger gap in time from when the hold was created to when the hold shows to be applied to the mailbox. Which makes me wonder how you could actually know when the hold was placed on the mailbox and how one could defend this hold in court if there is a gap of a possible hour between these functions. I will be submitting a DCR for this within the week.