May 14 2020 - last edited on Feb 19 2021
Stumbled across two problems with Security & Compliance alerts.
One is - I'm testing the alert for forwarding / flow that forwards emails outside of the company - this seems to work with some big delay, and maybe that wouldn't be an issue; however, it appeared that it only works for OWA-created rules, not for the ones created in Outlook - is there a way to track such rules as well in this portal?
Second thing is I've created a rule for what - in my understanding - sets up full access on a mailbox - activity "Activity is AddMailboxPermission" - but it seems it doesn't work. I've set up these permissions on one user mailbox and one shared, and see nothing in the alerts. Am I doing this right?
While I was showing my colleague that it doesn't work, he added permissions to some mailbox and we saw this action in the alerts - so it seems that there is a bigger delay than I thought for these policies to become effective.
My other concern is how this flow search works, as of now I am not aware of any PS cmdlet giving me the exact mechanism of a flow, so I'm not sure how MS covered that - I mean, if it really works, as many things are given to prod and do not work as expected.
Disclaimer: I know how to track these in PowerShell - I wrote scripts already - however, I would like to leverage the mechanisms and alerting provided by MS for o365 rather than using custom solutions. However, so far it seems I would need to have some runbooks, as I haven't found solutions for these.
Appreciate your help,
May 16 2020 08:49 AM
Solution
The alerts rely on events in the Unified audit log, which are nowhere near being real-time. In other words, delays are expected. And yes, the "forwarding" alert only applies to specific types of forwarding; it doesn't cover all scenarios.
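
Since the alerts are built from Unified audit log events, the same records can be triaged directly. The following is an added example, not code from this thread: a PowerShell function that classifies audit records for the operations discussed above. `ConvertTo-AuditFinding` is a hypothetical helper name, and the `contoso.example` domain and the sample records are constructed.

```powershell
# Added example: operation and parameter names are those Exchange Online writes
# to the unified audit log; the domain and sample records are constructed.
$InternalDomain = 'contoso.example'   # assumption: your accepted domain
$Operations     = 'Add-MailboxPermission','New-InboxRule','Set-InboxRule','Set-Mailbox','UpdateInboxRules'
$ForwardParams  = 'ForwardTo','RedirectTo','ForwardAsAttachmentTo','ForwardingSmtpAddress'

function ConvertTo-AuditFinding {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        # AuditData is a JSON string; cmdlet parameters arrive as Name/Value pairs.
        $data = $Record.AuditData | ConvertFrom-Json
        $p = @{}
        foreach ($x in $data.Parameters) { $p[$x.Name] = [string]$x.Value }

        # Collect forwarding targets, then keep addresses outside our own domain.
        $targets  = @($ForwardParams | Where-Object { $p[$_] } |
                      ForEach-Object { ($p[$_] -split ';').Trim() })
        $internal = '@' + [regex]::Escape($InternalDomain) + '$'
        $external = @($targets | Where-Object { $_ -match '@' -and $_ -notmatch $internal })

        $finding, $detail =
            if ($Record.Operations -eq 'Add-MailboxPermission' -and $p['AccessRights'] -match 'FullAccess') {
                'FullAccessGranted', "to $($p['User'])"
            } elseif ($external) {
                'ExternalForwarding', ($external -join ', ')
            } elseif ($Record.Operations -eq 'UpdateInboxRules') {
                # Mailbox-audit record for rule changes made from a mail client.
                'ClientRuleChange', 'inspect AuditData manually'
            } else { 'Other', '' }

        [pscustomobject]@{
            Time = $Record.CreationDate; Actor = $Record.UserIds; Operation = $Record.Operations
            Object = $data.ObjectId; Finding = $finding; Detail = $detail
        }
    }
}

# Constructed sample records, shaped like Search-UnifiedAuditLog output.
$sample = @(
    [pscustomobject]@{ CreationDate = [datetime]'2020-05-14T09:12:00Z'; UserIds = 'admin@contoso.example'; Operations = 'Add-MailboxPermission'
        AuditData = '{"ObjectId":"shared1","Parameters":[{"Name":"User","Value":"bob"},{"Name":"AccessRights","Value":"FullAccess"}]}' }
    [pscustomobject]@{ CreationDate = [datetime]'2020-05-14T09:30:00Z'; UserIds = 'alice@contoso.example'; Operations = 'New-InboxRule'
        AuditData = '{"ObjectId":"alice\\rule1","Parameters":[{"Name":"ForwardTo","Value":"alice@mail.example.org"}]}' }
    [pscustomobject]@{ CreationDate = [datetime]'2020-05-14T10:05:00Z'; UserIds = 'carol@contoso.example'; Operations = 'UpdateInboxRules'
        AuditData = '{"ObjectId":"carol"}' }
)
$sample | ConvertTo-AuditFinding | Format-Table -AutoSize

# Live data (requires an Exchange Online session with audit search rights):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) -Operations $Operations -ResultSize 1000 | ConvertTo-AuditFinding
```

Because the function reads the same log the alert policies depend on, a scheduled run sees events only after they have been written to the audit log, so it inherits the same delay.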