SOLVED

Microsoft does not consider Security and Compliance Center to be credible

%3CLINGO-SUB%20id%3D%22lingo-sub-233459%22%20slang%3D%22en-US%22%3EMicrosoft%20does%20not%20consider%20Security%20and%20Compliance%20Center%20to%20be%20credible%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-233459%22%20slang%3D%22en-US%22%3EOpened%20ticket%20regarding%20a%20specific%20email%20that%20did%20not%20show%20up%20on%20a%20message%20trace%20report.%20Per%20response%20from%20Microsoft%20directly%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%22As%20message%20trace%20in%20Office%20365%20Security%20%26amp%3B%20Compliance%20Center%20is%20a%20redesigned%20tool%20which%20focus%20on%20making%20Message%20Trace%20more%20effective%20and%20easier%20for%20both%20professional%20and%20part-time%20email%20admins%2C%20it%20is%20still%20in%20%E2%80%98preview%E2%80%99%20status.%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20don%E2%80%99t%20ensure%20this%20tool%20is%20as%20credible%20as%20Message%20Trace%20in%20the%20Exchange%20Admin%20Center%20(EAC).%22%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3EWhat%20kind%20of%20response%20is%20that%3F%20And%20they%20want%20to%20close%20the%20ticket.%20%3Aface_with_tears_of_joy%3A%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-233459%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECompliance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-236304%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20does%20not%20consider%20Security%20and%20Compliance%20Center%20to%20be%20credible%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-236304%22%20slang%3D%22en-US%22%3EFive%20requests%20now%20for%20a%20manager%20via%20that%20ticket%20and%20can't%20get%20one%20to%20respond!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-234329%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20does%20not%20consider%20Security%20and%20Compliance%20Center%20to%20be%20credible%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-234329%22%20slang%3D%22en-US%22%3EScott%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI've%20now%20asked%20for%20management%20escalation%20on%20that%20ticket%20four%20times%2C%20the%20manager%20has%20been%20CC'ed%20since%20the%20second%20reply.%20The%20original%20tech%20keeps%20responding%20wanting%20to%20close%20the%20ticket.%20Not%20one%20response%20from%20anyone%20with%20authority.%20If%20there%20is%20an%20escalation%20process%2C%20clearly%20this%20guy%20doesn't%20know%20it%20and%2C%20as%20typical%2C%20working%20with%20Office%20365%20support%20has%20been%20atrocious.%20It's%20the%20reason%20we%20have%20a%20CSP%20and%20are%20also%20going%20through%20them%20as%20well%2C%20but%20I%20figured%20Microsoft%20would%20show%20even%20the%20smallest%20sign%20of%20care%20directly.%20How%20wrong%20I%20was.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-233806%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20does%20not%20consider%20Security%20and%20Compliance%20Center%20to%20be%20credible%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-233806%22%20slang%3D%22en-US%22%3ERight%2C%20so%20you%20are%20confirming%20my%20last%20bit%20--%20that%20longer%20term%20storage%20doesn't%20seem%20to%20have%20the%20most%20recent%20bits%20in%20your%20case%20for%20some%20reason.%20I%20would%20normally%20expect%20it%20to%20have%20it%20within%204%20hours%20of%20the%20email%20being%20sent%2C%20but%20I%20don't%20know%20what%20the%20exact%20SLA%20is%3B%20there%20could%20be%20a%20service%20issue%20in%20your%20region.%20Regardless%2C%20I'm%20confirming%3A%20there%20is%20an%20escalation%20process%20for%20looking%20into%20this%20type%20of%20issue%2C%20and%20so%20if%20it%20still%20isn't%20resolved%2C%20it's%20absolutely%20something%20we%20can%20look%20into.%20I%20have%20shared%20this%20information%20with%20the%20support%20team%20working%20your%20issue%2C%20so%20let%20us%20know%20if%20this%20doesn't%20get%20you%20unstuck.%20I%20apologize%20for%20any%20inconvenience.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-233802%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20does%20not%20consider%20Security%20and%20Compliance%20Center%20to%20be%20credible%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-233802%22%20slang%3D%22en-US%22%3E%3CP%3EScott%2C%20I%20appreciate%20your%20reply.%20Note%2C%20however%2C%20that%20the%20credibility%20statement%20was%20taken%20verbatim%20directly%20from%20a%20Microsoft%20employee.%26nbsp%3B%20If%20you%20have%20access%20to%20review%20the%20tickets%2C%20the%20ticket%20%23%20was%20provided.%20I%20tried%20to%20get%20the%20matter%20escalated%20and%20the%20reply%20was%20requesting%20to%20close%20the%20ticket%20as%20the%20issue%20was%20not%20%22recurring%22%20and%20there%20was%20nothing%20the%20engineer%20could%20do.%20I%20requested%20management%20escalation%20no%20less%20than%20three%20times.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20for%20this%20incident%2C%20the%20email%20in%20question%20was%20sent%20approximately%20four%20hours%20before%20the%20report%20was%20ran%2C%20and%20it%20was%20a%2090%20day%20report.%20The%20filters%20have%20been%20verified%20and%20the%20email%20did%20not%20appear%20on%20the%20report.%20This%20means%20the%20reporting%20is%20not%20accurate%20without%20some%20sort%20of%20warning.%20Period.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-233798%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20does%20not%20consider%20Security%20and%20Compliance%20Center%20to%20be%20credible%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-233798%22%20slang%3D%22en-US%22%3EOne%20more%20bit%3A%20The%20longer%20term%20storage%20does%20often%20have%20short%20term%20data%20as%20well%20(not%20just%20%26gt%3B10%20days%20as%20implied)%2C%20but%20it%20does%20take%20longer%20to%20get%20those%20bits.%20So%20if%20you%20look%20at%20a%20date%20range%20of%20the%20last%2030%20days%2C%20for%20example%2C%20you'll%20be%20actually%20searching%20long%20term%20data%20storage%2C%20which%20will%20take%20longer%2C%20and%20give%20you%20the%20CSV%20report%20vs.%20instant%20results.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-233796%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20does%20not%20consider%20Security%20and%20Compliance%20Center%20to%20be%20credible%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-233796%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20Message%20Trace%20features%20in%20SCC%20and%20EAC%20use%20exactly%20the%20same%20back%20end%20query%20mechanisms.%26nbsp%3B%20So%20it%20is%20literally%20impossible%20for%20the%20data%20to%20exist%20in%20one%20and%20not%20the%20other.%26nbsp%3B%20What%20can%20happen%2C%20however%2C%26nbsp%3Bis%20that%20the%20result%20could%20be%20only%20one%20of%20the%20two%20data%20repositories%20that%20both%20admin%20experiences%20use.%26nbsp%3B%20Specifically%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3Eshort%20term%20data%20storage%20(7-10%20day)%3C%2FLI%3E%0A%3CLI%3Elonger%20term%20data%20store%20(%26gt%3B10days%20to%2090%20days)%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EDepending%20on%20how%20you%20structure%20your%20query%20in%20each%20experience%20determines%20which%20source%20is%20searched%20-%20we%20never%20search%20both%20at%20the%20same%20time.%26nbsp%3B%20We%20think%20we%20made%20it%20much%20clearer%20in%20the%20new%20experience%2C%20but%20we%20also%26nbsp%3Bmade%20it%20smarter%20at%20picking%20the%20best%20option%20vs.%20requiring%20an%20explicit%20decision.%26nbsp%3B%20If%20someone%20is%20used%20to%20an%20explicit%20decision%2C%26nbsp%3BI%20can%20see%20why%20they%20might%20think%20the%20back%20end%20has%20changed.%3C%2FP%3E%0A%3CP%3ENow%2C%20depending%20which%26nbsp%3Bdata%20store%20doesn't%20have%20the%20message%20in%20question%2C%20it%20could%20be%20due%20to%20a%20data%20ingestion%20issue%20for%20that%20particular%20source%2C%20and%20should%20be%20troubleshot%20accordingly%20and%20escalated%20if%20necessary.%26nbsp%3B%20We%20do%20investigate%20issues%20of%20this%20nature%2C%20though%20we'll%20need%20to%20figure%20out%20which%20data%20storage%20and%20how%20long%20since%20the%20message%20was%20sent.%26nbsp%3B%20%3CSTRONG%3EWe%20do%20absolutely%20care%20about%20the%20credibility%20of%20Message%20Trace.%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-233706%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20does%20not%20consider%20Security%20and%20Compliance%20Center%20to%20be%20credible%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-233706%22%20slang%3D%22en-US%22%3E%3CP%3ETicket%20%2311076270%20if%20they%20have%20access%20to%20the%20details.%20I've%20gotten%20nowhere%20with%20MS%20over%20the%20past%203%20days.%20Can't%20say%20that's%20not%20typical.%20We%20also%20have%20our%20MS%20reps%20looking%20into%20this%20as%20well.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-233705%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20does%20not%20consider%20Security%20and%20Compliance%20Center%20to%20be%20credible%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-233705%22%20slang%3D%22en-US%22%3E%3CP%3EYes.%20This%20was%20a%20report%20that%20was%20ran%20for%20management%20using%20SCC.%20It%20was%20identified%20after%20the%20fact%20that%20an%20email%20was%20sent%20that%20did%20not%20show%20up%20on%20the%20report.%20It%20appears%20SCC%20pulls%20from%20some%20data%20warehouse%20that%20has%20a%20delay%20compared%20to%20EAC.%20My%20issue%20is%20with%20Microsoft's%20response%20that%20SCC%20is%20not%26nbsp%3B%3CSTRONG%3Ecredible%3C%2FSTRONG%3E%20and%20the%20excuse%20that%20it's%20a%20preview%2C%20so%20that's%20somehow%20to%20be%20expected.%20First%2C%20it's%20not%20preview%20and%20went%20GA%20on%202%2F22%2F18.%20Second%2C%20if%20the%20search%20will%20not%20encompass%20emails%20sent%20within%20a%20certain%20period%20of%20the%20report%20being%20ran%2C%20it%20would%20be%20so%20easy%20to%20detect%20this%20and%20report%20to%20the%20user%20with%20a%20big%20red%20flag%20that%20the%20report%20%22may%20not%20contain%20emails%20sent%20before%20%5Blast%20data%20warehouse%20event%5D.%22%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-233627%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20does%20not%20consider%20Security%20and%20Compliance%20Center%20to%20be%20credible%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-233627%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Justin%2C%20does%20that%20message%20shows%20up%20in%20the%20normal%20Message%20Tracking%20under%20EAC%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-233535%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20does%20not%20consider%20Security%20and%20Compliance%20Center%20to%20be%20credible%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-233535%22%20slang%3D%22en-US%22%3E%3CP%3EThat's%20probably%20one%20of%20the%20vendor%20agents...%20their%20priority%20is%20closing%20the%20tickets%2C%20not%20resolving%20them%20%3A)%3C%2Fimg%3E%20Let%20me%20ping%20few%20folks%20on%20the%20Exchange%20team%2C%20see%20what%20they%20think%20about%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor
Opened ticket regarding a specific email that did not show up on a message trace report. Per response from Microsoft directly:

"As message trace in Office 365 Security & Compliance Center is a redesigned tool which focus on making Message Trace more effective and easier for both professional and part-time email admins, it is still in ‘preview’ status.

We don’t ensure this tool is as credible as Message Trace in the Exchange Admin Center (EAC)."


What kind of response is that? And they want to close the ticket. :face_with_tears_of_joy:
10 Replies

That's probably one of the vendor agents... their priority is closing the tickets, not resolving them :) Let me ping few folks on the Exchange team, see what they think about it.

Hello Justin, does that message shows up in the normal Message Tracking under EAC? 

Yes. This was a report that was ran for management using SCC. It was identified after the fact that an email was sent that did not show up on the report. It appears SCC pulls from some data warehouse that has a delay compared to EAC. My issue is with Microsoft's response that SCC is not credible and the excuse that it's a preview, so that's somehow to be expected. First, it's not preview and went GA on 2/22/18. Second, if the search will not encompass emails sent within a certain period of the report being ran, it would be so easy to detect this and report to the user with a big red flag that the report "may not contain emails sent before [last data warehouse event]."

Ticket #11076270 if they have access to the details. I've gotten nowhere with MS over the past 3 days. Can't say that's not typical. We also have our MS reps looking into this as well. 

The Message Trace features in SCC and EAC use exactly the same back end query mechanisms.  So it is literally impossible for the data to exist in one and not the other.  What can happen, however, is that the result could be only one of the two data repositories that both admin experiences use.  Specifically:

  1. short term data storage (7-10 day)
  2. longer term data store (>10days to 90 days)

Depending on how you structure your query in each experience determines which source is searched - we never search both at the same time.  We think we made it much clearer in the new experience, but we also made it smarter at picking the best option vs. requiring an explicit decision.  If someone is used to an explicit decision, I can see why they might think the back end has changed.

Now, depending which data store doesn't have the message in question, it could be due to a data ingestion issue for that particular source, and should be troubleshot accordingly and escalated if necessary.  We do investigate issues of this nature, though we'll need to figure out which data storage and how long since the message was sent.  We do absolutely care about the credibility of Message Trace.

One more bit: The longer term storage does often have short term data as well (not just >10 days as implied), but it does take longer to get those bits. So if you look at a date range of the last 30 days, for example, you'll be actually searching long term data storage, which will take longer, and give you the CSV report vs. instant results.

Scott, I appreciate your reply. Note, however, that the credibility statement was taken verbatim directly from a Microsoft employee.  If you have access to review the tickets, the ticket # was provided. I tried to get the matter escalated and the reply was requesting to close the ticket as the issue was not "recurring" and there was nothing the engineer could do. I requested management escalation no less than three times.

 

As for this incident, the email in question was sent approximately four hours before the report was ran, and it was a 90 day report. The filters have been verified and the email did not appear on the report. This means the reporting is not accurate without some sort of warning. Period.

best response confirmed by Jennifer Sveigdalen (Occasional Visitor)
Solution
Right, so you are confirming my last bit -- that longer term storage doesn't seem to have the most recent bits in your case for some reason. I would normally expect it to have it within 4 hours of the email being sent, but I don't know what the exact SLA is; there could be a service issue in your region. Regardless, I'm confirming: there is an escalation process for looking into this type of issue, and so if it still isn't resolved, it's absolutely something we can look into. I have shared this information with the support team working your issue, so let us know if this doesn't get you unstuck. I apologize for any inconvenience.
Scott,

I've now asked for management escalation on that ticket four times, the manager has been CC'ed since the second reply. The original tech keeps responding wanting to close the ticket. Not one response from anyone with authority. If there is an escalation process, clearly this guy doesn't know it and, as typical, working with Office 365 support has been atrocious. It's the reason we have a CSP and are also going through them as well, but I figured Microsoft would show even the smallest sign of care directly. How wrong I was.
Five requests now for a manager via that ticket and can't get one to respond!