Sep 25 2018 05:22 PM
My Office 365 Business/Exchange account was hacked and the hacker added an iPhone to the service to monitor my emails. I discovered the device while performing a system audit to learn how to manage the overly complex system/software for which I signed up and am woefully incapable of managing :-(. Anyway, via dumb luck, I discovered this device. In the Admin Center > Security & Compliance > Data Loss Prevention > Device Mgmt area it showed me the device (it is an iPhone and I am a Samsung user, so it was obvious), when it logged in and was granted access (2 times), and the associated IMEI! I had an option to Wipe Device and, being panicked, I wiped it successfully. However, I never copied the IMEI info because I thought the information would stay in that field for historical purposes.
One of 2 things occurred: either the user whom I wiped had access to the system live, realized I was on to them, and went in and deleted these records, or Microsoft does not store them. Either way, I have been talking to Microsoft and the techs are not able to help, so far. But they are trying. I think it is a hyper-complex system with a large amount of data collection systems/capabilities, and thus I need someone with this specific knowledge to help me understand where exactly I can go to find this historical evidence so I can prove who hacked my email.
I know who it was and even have some evidence, i.e. the Device ID, but I would love to recover the historical records and the IMEI information too. It also appears that my Audit Logs were disabled or not turned on, and I only turned them on the day after I wiped the device, 9/15.
I have log files from the wipe verification and a final log report I luckily pulled; they are attached and contain the device ID but no IMEI, and the Device ID is only 32 characters and I believe they are supposed to be 40. I was also able to pull an Apple Cert Request.CSR file, but I cannot figure out how to read it, nor could the MS tech. Unfortunately, they are not supported file types in the community. Let me know if I can email them. They are .txt and .csr files and 2 emails verifying actions taken.
So, does anyone know how/if I have a hope of recovering this information within Office 365's data tracking capabilities, pretty please?
Thanks for reading my traumatic story!
Regards,
John