Exchange contacts being mass-deleted

Copper Contributor

We have one user who has had a large portion of his contacts move to his recycle bin.  The first two times it happened in the middle of the night and a thousand or so contacts were deleted within a minute.  This weekend, he had over 2000 (of his 3,400) contacts deleted over the span of two hours.  All have been restored from his Deleted Items, so no data lost, but we do need to get to the bottom of the mystery. 


These large groups of contacts are not consecutive, so it's not like he shift-selected a bunch and manually deleted them.  The first two times this happened, over a thousand random contacts were deleted in under a minute, which doesn't seem possible to be human error.  This last time he was out of town and not using his laptop, but was using his iPhone.  When we search his deleted items, we see the deleted contacts, but no deleted messages or calendar items in the same timeframe.  Our environment is Exchange 2013 on-prem (DAG), Windows 10, Office 2016, iPhone and iPad.  We have checked Outlook add-ins, mailbox delegates, Outlook rules, and retention/archiving policies.


Has anyone ever seen anything like this?  Any ideas on how to investigate what process or machine is deleting the contacts?


2 Replies


Hi, this issue reminds me of the ~2010 era when non-Microsoft ActiveSync clients would destroy Exchange server upon each new version of the app(s). And iOS' Mail along the way since then has been notorious for Calendar and Contacts devastation.

I think your best move is to turn on mailbox auditing for that mailbox where the contacts are getting deleted, and that should give you an idea which user, which client app, etc. are causing the deletion. Then from there make decisions on next steps. There is also ActiveSync debug logging which might help, but I think you could save that for next steps and with MS Support involved. If the mailbox auditing logs show you it's that user from that iPhone (or their i*** devices), I would remove and re-setup their accounts in those ActiveSync apps from scratch, but also would insist on updating iOS to the latest in the process.

Mailbox auditing is a good place to start. Thanks for the suggestion.