Mailbox Forwarding, Admin Audit and logging.


Hey Guys,

We have a user whose mailbox was set to forward messages to a different email address (new email address for the user, separate mailbox, separate tenant) and the option for "DeliverToMailboxAndForward" was not set.

However, the mailbox itself where the user wanted the emails forwarded to did not exist, so the messages were permanently lost.

At this time we would like to find out who enabled forwarding for the user. We've checked admin audit logging and Azure logging, and so far no luck.

Is there a way to tell if the user set up forwarding themselves? I am hoping there is an easy way to determine this, otherwise it's a call to Microsoft.

This all happened well within the last 30 days.

User's mailbox is on Exchange Online.

Thanks,

Robert

4 Replies

@mostafa_ghorbani

***THIS SITE IS A SCAM*** It passed VirusTotal but it looks like it's selling stuff to me. PLEASE DO NOT WASTE MY TIME WITH CRAPPY Sites like this!


I'd suggest you check the audit logs in the EAC as well, as the logs in the SCC often fail to display all events. If you are not finding any entries in the admin log, then it's the user who configured the forwarding.


@Vasil Michev

Thanks for the response as always. I checked the admin audit logs in Exchange Online both using the command line and via the reports and am not seeing anything. My ticket with Microsoft didn't go far in terms of what happened.

However, I did some additional testing and was able to find that a non-admin user did have that specific change logged in the admin audit log, so I am not sure. When I test in my work tenant and my test tenant I am seeing those changes logged except for these users.

The only thing I can think of is that the change occurred more than 90 days ago, but honestly I have seen plenty of other things not caught by admin audit logging. So I am going to chalk this up to another Office 365 oddity.

Do you know of another way of checking the EAC logs? I know of the command line and the audit logs from the EAC >> Compliance >> Auditing. I am going to try running the export admin audit log again, just to be sure.

Robert


Those are the available methods to get the logs. But not every operation will be visible there as some things are considered client-side, and are executed via MAPI/EWS calls instead of PowerShell.
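
The command-line check discussed in this thread, written out as an added example (not code from any of the posters): it reduces admin audit log entries to the `Set-Mailbox` calls that touched forwarding and shows who made them. The mailbox names, addresses and dates are constructed, and the live queries in the trailing comments assume an Exchange Online PowerShell session in which `Search-AdminAuditLog` is available.

```powershell
# Added example. Set-Mailbox parameters that control mailbox-level forwarding.
$ForwardingParams = 'ForwardingSmtpAddress', 'ForwardingAddress', 'DeliverToMailboxAndForward'

function Get-ForwardingChange {
    # Keep only Set-Mailbox entries that changed a forwarding parameter and
    # report the caller, the target mailbox and the values that were set.
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        if ($Entry.CmdletName -ne 'Set-Mailbox') { return }
        $hits = @($Entry.CmdletParameters |
            Where-Object { $ForwardingParams -contains $_.Name })
        if ($hits.Count -eq 0) { return }
        [pscustomobject]@{
            RunDate = $Entry.RunDate
            Caller  = $Entry.Caller
            Mailbox = $Entry.ObjectModified
            Changes = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

# Constructed entries shaped like Search-AdminAuditLog output (not real data).
$sample = @(
    [pscustomobject]@{
        CmdletName = 'Set-Mailbox'; RunDate = [datetime]'2019-09-02 10:15'
        Caller = 'jdoe@contoso.example'; ObjectModified = 'jdoe'
        CmdletParameters = @(
            [pscustomobject]@{ Name = 'ForwardingSmtpAddress'; Value = 'smtp:jdoe@fabrikam.example' }
            [pscustomobject]@{ Name = 'DeliverToMailboxAndForward'; Value = 'False' })
    }
    [pscustomobject]@{
        CmdletName = 'Set-Mailbox'; RunDate = [datetime]'2019-09-03 08:00'
        Caller = 'admin@contoso.example'; ObjectModified = 'jdoe'
        CmdletParameters = @([pscustomobject]@{ Name = 'AuditEnabled'; Value = 'True' })
    }
)
# Only the first entry is reported; Caller equal to the mailbox owner means
# the change ran under the user's own identity rather than an admin's.
$sample | Get-ForwardingChange | Format-List

# Live tenant: the same filter over the admin audit log for one mailbox.
# Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters $ForwardingParams `
#     -ObjectIds 'jdoe' -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) |
#     Get-ForwardingChange
# Current forwarding state can be read directly, whatever was or was not logged:
# Get-Mailbox 'jdoe' | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
# Get-InboxRule -Mailbox 'jdoe' |
#     Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
```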