Non-owners deleting conversations from Outlook on iOS


I've had a ticket open with Microsoft for a couple of weeks trying to track down why conversations in a group mailbox were mysteriously disappearing. I was finally able to do some digging in the mailbox audit logs for one of the affected groups, and found some logs showing that the messages were being deleted by some random user (who is not an owner of the group, just a member) using Outlook for iOS.


Search-MailboxAuditLog -Identity groupname@example.com -GroupMailbox -showdetails -startDate 2019-09-26T08:40-7 -EndDate 2019-09-26T08:57-7
...truncated...
Operation                              : SoftDelete
OperationResult                        : Succeeded
ClientInfoString                       : Client=OutlookService;Outlook-iOS/2.0;
InternalLogonType                      : Delegated
MailboxOwnerUPN                        : groupname@example.com
LogonUserDisplayName                   : John Smith (User who I was logged in as)
SourceItemSubjectsList                 : Subject of test email
...truncated...


I confirmed this is happening: logged in as a non-owner in Outlook 2019 or Outlook on the web, I can't delete messages from that group, but logged in as the same user in Outlook for iOS I can delete anything.


Can anyone else confirm whether they can do the same thing in their tenant? I'm worried about whether this is a bug in the iOS app itself or just with our tenant.
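The search in the post above, widened into a reusable check, as an added example that is not part of the original post. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline), a hypothetical group address, and that the Sid returned by Get-User for an account is the same SID the mailbox audit log writes into LogonUserSid for that account. It pulls every delete-type operation done under a delegate logon in the window, drops the ones performed by a group owner, and then breaks the remainder down by ClientInfoString, which is the field that pointed the original poster at Outlook for iOS.

```powershell
# Added example, not code from the original post. Assumes an Exchange Online
# PowerShell session (Connect-ExchangeOnline); the group address is hypothetical.
$Group = 'groupname@example.com'
$Start = (Get-Date).AddDays(-7)
$End   = Get-Date

# Resolve the group's owners to SIDs, since audit entries identify the actor by
# LogonUserSid. Assumption: Get-User's Sid matches the SID in the audit log.
$OwnerSids = Get-UnifiedGroupLinks -Identity $Group -LinkType Owners |
    ForEach-Object { (Get-User -Identity $_.Identity).Sid }

# Only delete-type operations, and only under a delegate logon, i.e. a user
# other than the mailbox itself acting on the group mailbox.
$Entries = Search-MailboxAuditLog -Identity $Group -GroupMailbox -ShowDetails `
    -StartDate $Start -EndDate $End `
    -Operations SoftDelete, HardDelete, MoveToDeletedItems `
    -LogonTypes Delegate -ResultSize 5000

# Entries whose actor is not an owner: with Member@local = Author these should
# only ever be the actor's own items, so anything else here is worth a look.
$NonOwnerDeletes = $Entries |
    Where-Object { $OwnerSids -notcontains $_.LogonUserSid } |
    Select-Object LastAccessed, LogonUserDisplayName, LogonUserSid, Operation,
                  OperationResult, ClientInfoString, SourceItemSubjectsList

$NonOwnerDeletes | Sort-Object LastAccessed | Format-Table -AutoSize

# Which client each non-owner delete came through (Outlook-iOS, OWA, MAPI, ...).
$NonOwnerDeletes | Group-Object ClientInfoString |
    Select-Object Count, Name | Sort-Object Count -Descending
```

The audit entry does not record who authored the deleted item, so this cannot by itself separate "member deleted their own message" from "member deleted someone else's"; it narrows the set to non-owner deletes and the client they came through, and the subjects in SourceItemSubjectsList have to be matched against the original senders by hand. If the per-mailbox cmdlet is not available in your tenant, Search-UnifiedAuditLog with -RecordType ExchangeItem and the same -Operations values returns the same events tenant-wide, with the actor, mailbox and ClientInfoString inside the AuditData JSON.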

4 Replies

Well, everyone in the group has equal access, thus you do not need to be an owner in order to delete stuff. At least that was the initial intention, as at some point Microsoft seems to have changed the behavior. Looking at the mailbox folder permissions now, you can see that members of the group get Author permissions; in other words, they can only delete items they've created. You can easily confirm this by looking at the permissions, or by performing tests in OWA/Outlook.


# Get-MailboxFolderPermission default -GroupMailbox

FolderName           User                 AccessRights
----------           ----                 ------------
Top of Informatio... Default              {None}
Top of Informatio... Anonymous            {None}
Top of Informatio... Owner@local          {ReadItems, CreateItems, EditOwnedItems, DeleteOwnedItems, DeleteAllItems, ...
Top of Informatio... Member@local         {Author}


I imagine the tests you did via iOS were with the Author of the message, thus you were able to delete it.


On a side note, are your O365 Groups associated with your onmicrosoft.com domain, or a custom one?

On second thought, maybe they've always worked like that, but I've modified them for some groups 🙂
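Since the reply above notes that the Member@local role may have been changed on some groups, here is an added example (not code from the original thread) that runs the same Get-MailboxFolderPermission check across every group mailbox in the tenant and flags the ones where members hold more than Author. It assumes an Exchange Online PowerShell session; the role-to-right mapping it relies on is the standard one (Author carries DeleteOwnedItems only; DeleteAllItems comes with Editor, PublishingEditor and Owner), and the output file name is hypothetical.

```powershell
# Added example, not code from the original thread. Assumes an Exchange Online
# PowerShell session; group addresses come from Get-UnifiedGroup.

# Rights/roles that let a user delete items that are not their own. Author, the
# expected Member@local role, carries only DeleteOwnedItems.
$DeleteOthersRights = @('DeleteAllItems', 'Editor', 'PublishingEditor', 'Owner')

$Report = foreach ($g in Get-UnifiedGroup -ResultSize Unlimited) {
    # Top of Information Store permissions for the group mailbox.
    $perms  = Get-MailboxFolderPermission -Identity $g.PrimarySmtpAddress -GroupMailbox
    $member = $perms | Where-Object { "$($_.User)" -eq 'Member@local' }
    $owner  = $perms | Where-Object { "$($_.User)" -eq 'Owner@local' }

    # AccessRights is a list of role/right names; normalise to plain strings.
    $memberRights = @($member.AccessRights | ForEach-Object { "$_" })
    $ownerRights  = @($owner.AccessRights  | ForEach-Object { "$_" })

    [pscustomobject]@{
        Group                 = $g.PrimarySmtpAddress
        MemberRights          = $memberRights -join ','
        MemberIsAuthor        = $memberRights -contains 'Author'
        MemberCanDeleteOthers = [bool]($memberRights | Where-Object { $DeleteOthersRights -contains $_ })
        OwnerCanDeleteAll     = ($ownerRights -contains 'DeleteAllItems') -or ($ownerRights -contains 'Owner')
    }
}

# Groups whose member role has drifted from the default, or where members are
# explicitly allowed to delete other people's items.
$Report | Where-Object { -not $_.MemberIsAuthor -or $_.MemberCanDeleteOthers } |
    Format-Table -AutoSize

# Keep the full picture for comparison against the audit log later.
$Report | Export-Csv -Path .\GroupMailboxFolderPermissions.csv -NoTypeInformation
```

This reports what is configured on the folder, which is the thing to rule out first when a member turns up deleting other people's items; it says nothing about whether a particular client path honours those rights, which is what the tests in OWA, Outlook and the mobile apps in this thread are probing by hand.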

@VasilMichev 

Sorry if I wasn't clear but no, I'm talking about members deleting other people's messages, not their own.


It's affecting both groups that are associated with our custom domain and ones that are .onmicrosoft.com; it doesn't seem to matter.


I confirmed the permissions on the group are what you described, and as far as I can remember it has worked that way at least as far back as 2015.


get-mailboxfolderpermission -GroupMailbox -Identity groupname@example.onmicrosoft.com

FolderName           User                 AccessRights                           SharingPermissionFlags
----------           ----                 ------------                           ----------------------
Top of Informatio... Default              {None}
Top of Informatio... Anonymous            {None}
Top of Informatio... Owner@local          {ReadItems, CreateItems, EditOwnedI...
Top of Informatio... Member@local         {Author}


in other words they can only delete items they've created.

That's exactly what I'm saying: they SHOULD only be able to delete items they created, not anyone's items. In Outlook on the web and desktop Outlook 2019 it works as expected, but Outlook on iOS (and, as far as I can tell, Android too) completely ignores those permissions and allows any member to delete any message, including other users'.


I'm just curious whether anyone else can try it with a test group in their own tenant, to give me a hint whether it's a bug in the iOS app itself or just a misconfiguration in our tenant. I have tickets open with both Office 365 support and the Outlook for iOS in-app support, but I'm not sure which side to pressure more.


I don't have iOS to test, but on the Android app I can only delete my own messages. Unless I'm an owner, that is.