URGENT!! M365 Admins deleting email and Teams chat content

%3CLINGO-SUB%20id%3D%22lingo-sub-2688996%22%20slang%3D%22en-US%22%3EURGENT!!%20M365%20Admins%20deleting%20email%20and%20Teams%20chat%20content%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2688996%22%20slang%3D%22en-US%22%3E%3CP%3EI've%20never%20reached%20out%20to%20any%20MS%20forums%20before%2C%20but%20I%20desperately%20need%20help%20please%20ASAP.%26nbsp%3B%20I%20am%20a%20M365%20Admin%20with%20Global%20Admin%20access%20and%20am%20fairly%20new%20to%20PS.%26nbsp%3B%20I%20am%20currently%20investigating%20two%20M365%20Admins%20with%20Global%20Access%20and%20the%20following%20activities%20I've%20seen%3A%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%26nbsp%3B%20One%20of%20the%20Admins%20went%20into%20my%20mailbox%20and%20deleted%20an%20email.%26nbsp%3B%20See%20the%20below%20script%20I%20tried%20to%20use%20to%20find%20out%20if%20this%20M365%20Admin%20has%20ever%20had%20to%20my%20mailbox%2C%20under%20his%20name%20or%20otherwise.%26nbsp%3B%20I'm%20not%20sure%20what%20the%20results%20mean%20for%20this%20M365%20Admin.%26nbsp%3B%20I%20see%20%22NT%20AUTHORITY%2FSELF%22%20below.%26nbsp%3B%20What%20does%20this%20mean%2C%20if%20anything%3F%26nbsp%3B%20Is%20the%20M365%20Admin%20granting%20himself%20mailbox%20access%20under%20this%20generic%20%22user%22%20name%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22techietab_0-1629997317778.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F306063iB3D2A5CD5A0A24E6%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22techietab_0-1629997317778.png%22%20alt%3D%22techietab_0-1629997317778.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%26nbsp%3B%20I've%20noticed%20chunks%20of%20Teams%20chat%20content%20was%20deleted%20in%20my%201%3A1%20chats%20and%20group%20chats%20with%20these%20M365%26nbsp%3BAdmins.%26nbsp%3B%20Can%20someone%20please%20guide%20me%20to%20a%20PS%20script%20I%20can%20use%20to%20capture%20the%20deletions%20by%20these%20two%20M365%20Admins%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20thought%20I%20read%20somewhere%20that%20there%20is%20a%20file%20on%20the%20Admins%20PC%20that%20captures%20all%20PS%20scripts%20that%20person%20ran%3F%26nbsp%3B%20And%20what%20do%20you%20think%20of%20the%20Audit%20option%20in%20M365%20Compliance%3F%26nbsp%3B%20I%20thought%20PS%20was%20more%20robust%20and%20would%20give%20the%20results%20I%20need%20instead%20of%20the%20Audit%20option%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20need%20to%20know%20how%20to%20catch%20these%20two%20M365%20Admins%20so%20I%20am%20open%20to%20all%20suggestions%20at%20this%20point.%26nbsp%3B%20If%20anyone%20has%20PS%20scripts%20I%20could%20use%20as%20a%20model%2C%20will%20you%20please%20share%20those%20with%20me%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you!%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2688996%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EWindows%20PowerShell%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2689098%22%20slang%3D%22en-US%22%3ERe%3A%20URGENT!!%20M365%20Admins%20deleting%20email%20and%20Teams%20chat%20content%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2689098%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1021150%22%20target%3D%22_blank%22%3E%40techietab%3C%2FA%3E%26nbsp%3B%22NT%20AUTHORITY%2FSELF%22%20represents%20the%20mailbox%20owner.%20So%20there's%20nothing%20wrong%20with%20this%20permission%20being%20set.%20You%20can%20run%20a%20%22Non-Owner%20Mailbox%20Access%20Report%22%20which%20probably%20gives%20the%20clearest%20info%20on%20if%20anyone%20but%20an%20owner%20has%20accessed%20any%20mailboxes.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20for%20Teams%2C%20administrators%20generally%20do%20not%20have%20access%20to%20delete%201%3A1%20chat%20messages%2C%20unless%20they%20actually%20sign%20in%20under%20your%20account.%20They%20could%20set%20up%20a%20retention%20policy%20to%20delete%20chat%20messages%2C%20which%20would%20generally%20delete%20all%20chat%20messages%20after%20a%20certain%20period.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2689718%22%20slang%3D%22en-US%22%3ERe%3A%20URGENT!!%20M365%20Admins%20deleting%20email%20and%20Teams%20chat%20content%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2689718%22%20slang%3D%22en-US%22%3EThank%20you%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F960791%22%20target%3D%22_blank%22%3E%40pvanberlo%3C%2FA%3E%20I%20appreciate%20your%20quick%20reply!%3C%2FLINGO-BODY%3E
New Contributor

I've never reached out to any MS forums before, but I desperately need help please ASAP.  I am a M365 Admin with Global Admin access and am fairly new to PS.  I am currently investigating two M365 Admins with Global Access and the following activities I've seen:  

 

1.  One of the Admins went into my mailbox and deleted an email.  See the below script I tried to use to find out if this M365 Admin has ever had to my mailbox, under his name or otherwise.  I'm not sure what the results mean for this M365 Admin.  I see "NT AUTHORITY/SELF" below.  What does this mean, if anything?  Is the M365 Admin granting himself mailbox access under this generic "user" name?  

 

techietab_0-1629997317778.png

 

2.  I've noticed chunks of Teams chat content was deleted in my 1:1 chats and group chats with these M365 Admins.  Can someone please guide me to a PS script I can use to capture the deletions by these two M365 Admins?  

 

I thought I read somewhere that there is a file on the Admins PC that captures all PS scripts that person ran?  And what do you think of the Audit option in M365 Compliance?  I thought PS was more robust and would give the results I need instead of the Audit option?  

 

I need to know how to catch these two M365 Admins so I am open to all suggestions at this point.  If anyone has PS scripts I could use as a model, will you please share those with me?  

 

Thank you!  

 

 

2 Replies

@techietab "NT AUTHORITY/SELF" represents the mailbox owner. So there's nothing wrong with this permission being set. You can run a "Non-Owner Mailbox Access Report" which probably gives the clearest info on if anyone but an owner has accessed any mailboxes.

 

As for Teams, administrators generally do not have access to delete 1:1 chat messages, unless they actually sign in under your account. They could set up a retention policy to delete chat messages, which would generally delete all chat messages after a certain period. They can of course delete their own messages if the correct messaging policies are set. There's generally no way to recover those unless some for of legal hold or retention is enabled.

Thank you @pvanberlo I appreciate your quick reply!