Action Center showing a lot of Failed status

Copper Contributor

So I have assumed responsibility of the MS 365 Defender security role. I was going through the Action Center history and found some alarming things. Almost all of the automated actions have failed for an unknown length of time. I have gone as far back as the past 30 days. Every Automated email action has a Failed status when not specifically listing an status or entity in the 'Decision' or 'Decided by' columns.

HathMH_0-1659622052007.png

 

 

Of those that failed, i can on them individually and choose to 'Open in Explorer' and there I can then select all and go for the soft delete action. But that is getting tedious to have to do that for every action, we are talking literally thousands.

 

What is the cause of this and how do I fix it?

15 Replies
It's difficult to tell what kind of issue this is. It might be helpful to have a support ticket open to research this further. In the meantime, you could select one of those failed actions to view the side-panel page. On this page there should be a section titled latest delivery action. This section would say whether e-mails remain in mailboxes by providing a count and would be a good indicator of the current status of the emails.

Unfortunately, there is no Latest delivery column. I think that is is Email Explorer.
I do have a support ticket in, but there has been no response for over a week now. Not impressed with the Microsoft customer support.

I sent you a DM

Hi @HathMH and @HeikeRitter 

 

Is there a solution on this?

We are experience the same issues.

 

Br

Mela

I've heard nothing from MS for over a week now. No resolution yet, but I was told there are many others that have reported this issue.
I have escalated it internally again. It's already with an escalation engineer and hopefully you hear back soon. keep me updated
Hi! I have the same issue and will file a ticket with the support right away regarding this. Please let me know if there is any resolution for this.

Anyone get a resolution on this? We have a lot of timed out decision and automated email action failures. 

Hi @Bowserkb 

 

Unfortunately no, I have a case Open since two Weeks and it was escalate also to 2 Level, but every Mail they send me, are still asking what happen and if I can reproduce it :facepalm:..... just unbelievable Bad this Support. 

 

This could be because whoever was initially responsible for it didn't approve them for the automation action to continue. Although the remediation is automated, the administrator sometimes need to approve or deny the remediation action in the pending column of the Action Center. It times out when that is not done.
Yes, every morning (and several times thru the day) I open up Action Center and go through the list to approve all action items. Up until a couple months ago, there used to be 100+ items to approve. Lately though, there's maybe a dozen or so if any at all. Most morning there is nothing. The support ticket has been in for a bit of time, it's been moved up to an engineer team i think. They say it may just be a UI issue. When the action items show a fail status, the automated action is still done as the emails are remediated. However, this issue along with automated actions no longer appearing in my pending list wrecks havoc on my metrics. All those that previously showed but no more are not being listed correctly in my remediated monthly metrics. Still waiting on MS to resolve this.

@HathMH 

I am totally agree, I was receiving also every day someone actions to approve, and now, since day.... no one...  As Security Administrator this will be a great day when I do not receive any "Attack"... but I Don't think this is the case :sad:

Yep, I thought it was weird as well, then I looked in the history and saw all the failed status.

@HathMH 

 

after a loong way with a MS Ticket, they confirm me that a Fix has been deployed and will reach World Wide deployment in around 2 weeks. 

@HathMH 

 

The Fix is in place.... we are getting now the status "Skipped".

 

When open the investigation page you can see in the Logs, only the "Soft delete email" Step with the Status "Skipped - The action wasn't needed, and the investigation proceeded." but the Investigation Status is "Remediated"

 

and When checking the Email Trace you can see the Email was delivered in the JunkFolder

 

But if you go to the Email Entitie, you can see tow steps, 

- Junk Email folder - Delivered to junk

-Success: Message moved to quarantine

and checking the quarantine... is right the Emails was moved there.

 

... so, in my Opinion should be a "Success" instead of "Skipped"... but is better as "Failed" :xd: