Oct 30 2018 04:27 AM - edited Oct 30 2018 04:28 AM
This is in an Office 365 tenant that I didn't manage from the start, so it's unclear what has been turned on and off regarding auditing.
The case: A user's calendar items disappear after several weeks (like after 47 days). He doesn't delete them, so we are looking for something that is doing it (an app, a setting, etc.). I'm not familiar with Office 365 / Exchange doing a calendar cleanup or something by default, so it has to be something he installed?
So, to start my investigation I thought about looking in the audit logs. But I don't see any log entries for this user (and also not what I expect with other users).
The PowerShell results below are the same for every user:
Get-Mailbox -Identity user@domain.com | Format-List Audit* gives me this result:
AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, MoveToDeletedItems, SoftDelete, HardDelete...}
AuditDelegate : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditOwner : {Update, MoveToDeletedItems, SoftDelete, HardDelete...}
Get-Mailbox -Identity user@domain.com | Select -ExpandProperty AuditOwner
Update
MoveToDeletedItems
SoftDelete
HardDelete
Create
MailboxLogin
UpdateFolderPermissions
UpdateInboxRules
UpdateCalendarDelegation
Get-Mailbox -Identity user@domain.com | Select -ExpandProperty AuditDelegate
Update
Move
MoveToDeletedItems
SoftDelete
HardDelete
FolderBind
SendAs
SendOnBehalf
Create
UpdateFolderPermissions
Get-Mailbox -Identity user@domain.com | Select -ExpandProperty AuditOwner
Update
MoveToDeletedItems
SoftDelete
HardDelete
Create
MailboxLogin
UpdateFolderPermissions
UpdateInboxRules
UpdateCalendarDelegation
When I do a wide search for all users, I see mostly MailboxLogins (1 info@ mailbox every few minutes). Doing the same for single users, I only see MailboxLogins but 1 or 2 per day.
Example: doing a search for Create entries, I only see those for 1 user in the organisation. This same user also has SoftDelete entries.
For this specific user with disappearing calendar items I only see 1 entry in the last 3 weeks: MailboxLogin. Nothing more.
I'm added to the Compliance Management admin group in Exchange.
Questions:
1. Are auditing settings correct (I guess not)?
2. What could be a cause that I'm not seeing any create, soft/hard delete actions, etc.?
3. How do I reset auditing to the best settings for normal use (Best Practice)?
4. How do I add extra auditing to troubleshoot this specific user?
Oct 30 2018 11:47 AM
If it's happening for a preset timespan, it's most likely a retention policy. Have you checked for such?
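One way to run the retention-policy check suggested in this reply, together with a search for the delete entries the original post is looking for. This is an added example, not part of the thread. It assumes a connected Exchange Online PowerShell session and reuses the placeholder address from the post; the 60-day window and the result size are arbitrary choices.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already connected.
$user = 'user@domain.com'   # placeholder address used in the post

# 1. Which retention policy is assigned to the mailbox, and is auditing on?
$mbx = Get-Mailbox -Identity $user
$mbx | Format-List RetentionPolicy, RetentionHoldEnabled, AuditEnabled, AuditLogAgeLimit

# 2. Expand the policy into its tags. Enabled tags whose Type is All or Calendar
#    are the ones to review; compare AgeLimitForRetention with the observed delay.
if ($mbx.RetentionPolicy) {
    $policy = Get-RetentionPolicy -Identity $mbx.RetentionPolicy
    $policy.RetentionPolicyTagLinks |
        ForEach-Object { Get-RetentionPolicyTag -Identity "$_" } |
        Where-Object { $_.RetentionEnabled -and $_.Type -in 'All', 'Calendar' } |
        Sort-Object AgeLimitForRetention |
        Format-Table Name, Type, AgeLimitForRetention, RetentionAction -AutoSize
}

# 3. Pull delete operations for every logon type from the mailbox audit log.
#    -ShowDetails returns one object per entry, including the client that acted.
$search = @{
    Identity    = $user
    ShowDetails = $true
    LogonTypes  = 'Owner', 'Delegate', 'Admin'
    Operations  = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems'
    StartDate   = (Get-Date).AddDays(-60)   # arbitrary window, within the 90-day AuditLogAgeLimit
    EndDate     = Get-Date
    ResultSize  = 5000                      # arbitrary cap
}
$entries = Search-MailboxAuditLog @search

# 4. Keep calendar-related entries and summarise who and what performed them.
$calendar = $entries | Where-Object { $_.FolderPathName -like '*Calendar*' }
$calendar |
    Group-Object LogonType, ClientInfoString |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 5. Show the most recent entries in detail for manual review.
$calendar |
    Sort-Object LastAccessed -Descending |
    Select-Object -First 20 LastAccessed, Operation, LogonType,
        LogonUserDisplayName, ClientInfoString, FolderPathName |
    Format-Table -AutoSize
```

An empty result from step 3 alongside a matching tag in step 2 points toward retention processing rather than a client or add-in acting as the user.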
Oct 30 2018 12:52 PM
Oct 30 2018 09:58 PM