Forum Discussion
Microsoft does not consider Security and Compliance Center to be credible
- Right, so you are confirming my last bit -- that longer term storage doesn't seem to have the most recent bits in your case for some reason. I would normally expect it to have it within 4 hours of the email being sent, but I don't know what the exact SLA is; there could be a service issue in your region. Regardless, I'm confirming: there is an escalation process for looking into this type of issue, and so if it still isn't resolved, it's absolutely something we can look into. I have shared this information with the support team working your issue, so let us know if this doesn't get you unstuck. I apologize for any inconvenience.
Hello Justin, does that message shows up in the normal Message Tracking under EAC?
Yes. This was a report that was ran for management using SCC. It was identified after the fact that an email was sent that did not show up on the report. It appears SCC pulls from some data warehouse that has a delay compared to EAC. My issue is with Microsoft's response that SCC is not credible and the excuse that it's a preview, so that's somehow to be expected. First, it's not preview and went GA on 2/22/18. Second, if the search will not encompass emails sent within a certain period of the report being ran, it would be so easy to detect this and report to the user with a big red flag that the report "may not contain emails sent before [last data warehouse event]."
- Scott Landry
Microsoft
The Message Trace features in SCC and EAC use exactly the same back end query mechanisms. So it is literally impossible for the data to exist in one and not the other. What can happen, however, is that the result could be only one of the two data repositories that both admin experiences use. Specifically:
- short term data storage (7-10 day)
- longer term data store (>10days to 90 days)
Depending on how you structure your query in each experience determines which source is searched - we never search both at the same time. We think we made it much clearer in the new experience, but we also made it smarter at picking the best option vs. requiring an explicit decision. If someone is used to an explicit decision, I can see why they might think the back end has changed.
Now, depending which data store doesn't have the message in question, it could be due to a data ingestion issue for that particular source, and should be troubleshot accordingly and escalated if necessary. We do investigate issues of this nature, though we'll need to figure out which data storage and how long since the message was sent. We do absolutely care about the credibility of Message Trace.
Scott, I appreciate your reply. Note, however, that the credibility statement was taken verbatim directly from a Microsoft employee. If you have access to review the tickets, the ticket # was provided. I tried to get the matter escalated and the reply was requesting to close the ticket as the issue was not "recurring" and there was nothing the engineer could do. I requested management escalation no less than three times.
As for this incident, the email in question was sent approximately four hours before the report was ran, and it was a 90 day report. The filters have been verified and the email did not appear on the report. This means the reporting is not accurate without some sort of warning. Period.
