Aug 04 2022 07:17 AM
So I have assumed responsibility of the MS 365 Defender security role. I was going through the Action Center history and found some alarming things. Almost all of the automated actions have failed for an unknown length of time. I have gone as far back as the past 30 days. Every Automated email action has a Failed status when not specifically listing an status or entity in the 'Decision' or 'Decided by' columns.
Of those that failed, i can on them individually and choose to 'Open in Explorer' and there I can then select all and go for the soft delete action. But that is getting tedious to have to do that for every action, we are talking literally thousands.
What is the cause of this and how do I fix it?
Aug 12 2022 10:57 AM
Aug 16 2022 06:20 AM - edited Aug 16 2022 06:21 AM
Unfortunately, there is no Latest delivery column. I think that is is Email Explorer.
I do have a support ticket in, but there has been no response for over a week now. Not impressed with the Microsoft customer support.
Aug 23 2022 10:50 PM
Aug 24 2022 12:15 PM
Aug 25 2022 10:00 AM
Aug 30 2022 08:18 AM
Sep 27 2022 06:15 AM
Anyone get a resolution on this? We have a lot of timed out decision and automated email action failures.
Sep 27 2022 06:53 AM
Hi @Bowserkb
Unfortunately no, I have a case Open since two Weeks and it was escalate also to 2 Level, but every Mail they send me, are still asking what happen and if I can reproduce it ..... just unbelievable Bad this Support.
Sep 27 2022 09:46 AM
Sep 27 2022 11:57 AM
Sep 27 2022 11:39 PM
I am totally agree, I was receiving also every day someone actions to approve, and now, since day.... no one... As Security Administrator this will be a great day when I do not receive any "Attack"... but I Don't think this is the case
Sep 28 2022 06:59 AM
Oct 19 2022 10:16 PM
after a loong way with a MS Ticket, they confirm me that a Fix has been deployed and will reach World Wide deployment in around 2 weeks.
Nov 02 2022 02:37 AM
The Fix is in place.... we are getting now the status "Skipped".
When open the investigation page you can see in the Logs, only the "Soft delete email" Step with the Status "Skipped - The action wasn't needed, and the investigation proceeded." but the Investigation Status is "Remediated"
and When checking the Email Trace you can see the Email was delivered in the JunkFolder
But if you go to the Email Entitie, you can see tow steps,
- Junk Email folder - Delivered to junk
-Success: Message moved to quarantine
and checking the quarantine... is right the Emails was moved there.
... so, in my Opinion should be a "Success" instead of "Skipped"... but is better as "Failed"