Office operations missing username


We get the odd alert through for rare office operations that doesn't seem to have any information on the user or mailbox the operation was performed on.

 

I suspect this may be because the user or mailbox in question has been deactivated but I cannot be sure. We have other logs showing the usernames properly.

 

Here is a sample of an Add-MailboxPermission command that demonstrates this (data has been scrubbed):

[
{
"Name": "Identity",
"Value": "mailbox the permissions will allow access to"
},
{
"Name": "User",
"Value": "<Organisation Exchange Id>\\$001ABC-D12EF3GH4I56" - this normally shows a username
},
{
"Name": "AccessRights",
"Value": "FullAccess"
},
{
"Name": "InheritanceType",
"Value": "All"
}
]

 

Does anyone know what this $001ABC-D12EF3GH4I56 parameter is called and how I could map it to an actual user? I cannot seem to find a matching string in Exchange properties.

1 Reply

I've managed to figure this out. A fresh set of eyes will do you good for any problem. :stareyes:

 

It's the SamAccountName, it seems, which you can find via Exchange PowerShell.

Get-Mailbox -Identity username@domain.com | fl

 

 

Running this command to search by SamAccountName will output the user. This didn't work for me initially because I was using double quotes, but you need to use single quotes to stop the dollar sign from being expanded into a variable: https://stackoverflow.com/questions/17452401/escaping-dollar-signs-in-powershell-path-is-not-working

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.SamAccountName -eq '$1ABCD0-EFGH23456'}

I'm thinking now there could be a way to leverage some of the steps in this blog article to automatically link this attribute to a username via Exchange 365. 

https://techcommunity.microsoft.com/t5/azure-sentinel/enriching-azure-sentinel-with-azure-ad-informa...

 

What you will see as well if you expand the Office Activity logs is that there will often be a similar event logged just before or just after which will have the actual username in it anyway.
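
The lookup described in the reply above, as an added example that is not part of the original thread: it pulls the "User" value out of the audit record's parameter list and resolves it by SamAccountName through a variable, so the dollar sign is never re-parsed. The helper name Get-AuditUserAccountName, the EXAMPLEORG prefix and the mailbox address are constructed for illustration; an Exchange PowerShell session is assumed.

```powershell
# Constructed sample of the parameter list, modelled on the scrubbed record in the question.
# A single-quoted here-string keeps the $ literal; in the JSON, \\ is one backslash.
$parametersJson = @'
[
  {"Name": "Identity",        "Value": "shared.mailbox@example.com"},
  {"Name": "User",            "Value": "EXAMPLEORG\\$001ABC-D12EF3GH4I56"},
  {"Name": "AccessRights",    "Value": "FullAccess"},
  {"Name": "InheritanceType", "Value": "All"}
]
'@

function Get-AuditUserAccountName {
    # Hypothetical helper: returns the account part of the "User" parameter,
    # or $null when the record carries no "User" entry.
    param([Parameter(Mandatory)][string]$ParametersJson)

    # Assign first, then pipe: this enumerates the array on Windows PowerShell 5.1 too.
    $params = ConvertFrom-Json -InputObject $ParametersJson
    $user = ($params | Where-Object { $_.Name -eq 'User' }).Value
    if (-not $user) { return $null }

    # Drop the "<organisation>\" prefix; keep what follows the last backslash.
    return ($user -split '\\')[-1]
}

$sam = Get-AuditUserAccountName -ParametersJson $parametersJson

if ($null -eq $sam) {
    Write-Warning 'No "User" parameter found in this record.'
}
else {
    # $sam holds the text '$001ABC-D12EF3GH4I56'. Comparing against the variable
    # avoids the double-quote expansion problem described in the reply.
    $match = Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.SamAccountName -eq $sam }

    if ($match) {
        $match | Select-Object DisplayName, UserPrincipalName, SamAccountName
    }
    else {
        # Nothing matched: keep the raw identifier so the alert can still be triaged.
        Write-Warning "No mailbox found with SamAccountName '$sam'."
    }
}
```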