SOLVED

No longer able to see users Inbox rules through EAC Online?

Iron Contributor

Hi,

I must have missed an announcement but just doing some routine maintenance and I see that the "View another mailbox" in EAC has changed considerably.  The most noticeable change is that you can no longer see the users Inbox rules.


The old days:

inboxrule1.jpg

And now you get this:

inboxrule2.jpg

 

Usually the first thing to do if an email account is compromised is checking here to see if there have been any rules setup to spoof emails etc.  With this functionality removed this does take a very useful tool from our tool box.  Has anyone else seen this change? more so does anyone know if there is another way to get inbox rule information for a user?

 

Cheers

Rob

 

 

27 Replies

@Talamasca trevorharrisABMG here posting from another account... Due to this issue I developed a PowerShell script for managing mailbox rules (sorry I cannot share it at this time due to company PII, but maybe soon I will post a cleaned-up version on my github). To see exactly what each rule is doing you can use cmdlet like below. Here is a small snippet from my script:

 

$mailboxname = get-exomailbox "username(at)yourcompany(dot)com"
Write-host "Loading all mailbox rules for " -nonewline
Write-host "$mailboxname" -foregroundcolor Green
Write-host "`nPlease wait..." -ForegroundColor yellow

$Rules = Get-InboxRule -Mailbox $MailboxName
$Rules | Format-List Priority,Name,Description,Enabled

 

Much appreciated 🙏

@VasilMichev THANK YOU!! This was a lifesaver for me troubleshooting an issue today.  Thank you, thank you, thank you!

At the meantime, I see that the option is available again, I could see inbox rules of other user 🙂

@Talamasca Thank you for the update! It's also back to normal here too 🙂

Is it true that if we run Get-InboxRule -Mailbox email address removed for privacy reasons -IncludeHidden, we still won't be able to see rules with the following characters in the name? / (forward slash), ; (semicolon), ' (apostrophe), [ (open bracket), ] (close bracket), or . (period)?
In Microsoft's infinite wisdom, they took away admins' ability to access users' mailbox rules from within Exchange Admin Center because they want us to use PowerShell instead. This would be fine except it seems that, according to others who experienced the same issue, running Get-InboxRule -Mailbox email address removed for privacy reasons -IncludeHidden doesn't show hidden rules with the following characters in the name, specifically / (forward slash), ; (semicolon), ' (apostrophe), [ (open bracket), ] (close bracket), or . (period).

Other previous options used to be to go to https://outlook.office.com/ecp/email address removed for privacy reasons to change them there but that no longer works either. It now returns "400, bad request".

Another one they used to suggest was https://outlook.office.com/mail/email address removed for privacy reasons/options/mail/rules but that now just returns an "access denied" error.

From what I'm finding, it seems the only way to remove the rule would be to change the password and re-enable the compromised account, revoke and reset MFA, set up MFA with a temporary device, sign in, go to Rules, and delete it from there. Keep in mind, we'd have to remember to remove the temporary MFA device when we're done.

Am I missing something?
I am so sick of Microsoft removing useful features.
Surely it would be better to send out some sort of survey to admins on functionality change, rather than them deciding what's best for us.
Powershell is far too time consuming!