Exchange Online - In-Place Holds Audit logs

Hello, 

 

I am looking for the log which would contain the event when an In-Place hold GUID is stamped onto a mailbox. 

Mailbox audit logs and Unified audit logs have not been any help. It seems that when a case is created in compliance center, there is some back-end process that stamps the GUID of the case to the In-Place hold attribute on the mailbox. I'm looking for the time that this happens on the actual mailbox. 

Our legal team wants to be able to defend when the actual hold is placed on a mailbox and when it is removed. I can't seem to find when this happens. Only that it did happen. 

 

Any thoughts?

Thanks!

4 Replies
Unified audit log should be the place to look; keep in mind that events appear with some delay therein (in some cases days).

@Vasil Michev 

 

Hi, yes, it looks like I can see audit information from when the Compliance Center creates the case and adds the "Exchangelocation" to the case hold. But this looks like it is from the Compliance Center side. I am specifically looking for the time and event where Exchange stamps the GUID of the case to the mailbox InPlace hold attribute. It's my understanding that the Compliance Center and Exchange are two different systems and that the Compliance Center 'tells' Exchange to place the hold on the mailbox. I want the event where Exchange does what the Compliance Center tells it to.

I'm not sure whether this one is logged, as it's likely considered part of the internal sync processes. You can run an admin audit search in Exchange Online, if there is any event captured you'll likely find it under the "external admin" section.

Hi Vasil,
Thanks for your reply. That event is not included in the admin audit log either. I have been working with MSFT support and it was determined that the actual stamping of the GUID to the InPlaceHolds attribute by Exchange is not captured. Pretty odd, as you would think it's a simple Set-Mailbox command that is initiated by the Compliance Center. According to the tech I was working with, that granular level of auditing is not available at this time. You can create a DCR through your ACE or CSAM to request that capability be added. Assuming there is an internal sync process between Compliance Center and Exchange, I was also told that it can take up to an hour for an in-place hold to be applied to a mailbox depending on your AD topology and replication latency, so there could be an even larger gap in time from when the hold was created to when the hold shows to be applied to the mailbox. Which makes me wonder how you could actually know when the hold was placed on the mailbox, and how one could defend this hold in court if there is a gap of a possible hour between these functions. I will be submitting a DCR for this within the week.
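
Added example, not part of the thread and not a Microsoft-provided method: since the thread reports that the stamping itself is not audited, one way to get your own evidence is to poll the mailbox's InPlaceHolds attribute and record the window in which each hold ID appeared or disappeared. It assumes an existing Exchange Online PowerShell session; the mailbox address, polling interval, log path and the `Compare-HoldSnapshot` helper are hypothetical.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
# Mailbox, interval and log path are placeholders, not values from the thread.
param(
    [string]$Mailbox  = 'user@contoso.example',
    [int]$IntervalSec = 300,
    [string]$LogPath  = '.\InPlaceHolds-observations.csv'
)

function Compare-HoldSnapshot {
    # Emits one record per hold ID that appeared or disappeared between two polls.
    # The real change happened somewhere between NotBeforeUtc and ObservedUtc.
    param([string[]]$Previous, [string[]]$Current,
          [datetime]$PreviousPoll, [datetime]$ObservedAt, [string]$Mailbox)

    foreach ($id in (@($Current) + @($Previous) | Select-Object -Unique)) {
        $change = if ($id -notin $Previous)    { 'Added' }
                  elseif ($id -notin $Current) { 'Removed' }
                  else                         { $null }
        if ($change) {
            [pscustomobject]@{
                Mailbox      = $Mailbox
                HoldId       = $id
                Change       = $change
                NotBeforeUtc = $PreviousPoll.ToString('o')
                ObservedUtc  = $ObservedAt.ToString('o')
            }
        }
    }
}

$previous = @(); $previousPoll = $null
while ($true) {
    $now = (Get-Date).ToUniversalTime()
    try {
        $current = [string[]]@((Get-Mailbox -Identity $Mailbox -ErrorAction Stop).InPlaceHolds)
        if ($null -ne $previousPoll) {
            # The first successful poll is only a baseline; later polls log differences.
            Compare-HoldSnapshot -Previous $previous -Current $current `
                -PreviousPoll $previousPoll -ObservedAt $now -Mailbox $Mailbox |
                Export-Csv -Path $LogPath -Append -NoTypeInformation
        }
        $previous = $current; $previousPoll = $now
    }
    catch {
        # A failed poll keeps the old baseline, so the next record's window widens.
        Write-Warning "Poll failed at $($now.ToString('o')): $_"
    }
    Start-Sleep -Seconds $IntervalSec
}
```

Each CSV row bounds the change to the polling interval rather than giving the exact stamping time, so the interval chosen sets the precision of the record.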