
Search Mailbox Audit Logs in Office 365

Users may report that emails are missing from their mailbox. They may have deleted the emails inadvertently, but still want to know the cause.

If mailbox auditing is enabled, we can find out the cause. Auditing should be enabled by default in Microsoft 365.

The first step is to trace the emails and confirm whether they were delivered to or sent from the user’s mailbox. We can use the message tracking logs for this.

To check the emails received –

Get-MessageTrace -RecipientAddress User@domain.com -StartDate 12/10/2020 -EndDate 12/18/2020 -Status Delivered

To check the emails received, regardless of delivery status –

Get-MessageTrace -RecipientAddress User@domain.com -StartDate 12/10/2020 -EndDate 12/18/2020

If the emails appear in the results but are not in the user’s mailbox, we need to investigate further.

Check if mailbox audit logging is enabled for the user.

Get-Mailbox User@domain.com | ft PrimarySMTPAddress, AuditEnabled

Get the mailbox folder statistics to check if there are deleted emails in the Recoverable Items folders.

Get-MailboxFolderStatistics "User@domain.com" -FolderScope RecoverableItems -IncludeOldestAndNewestItems | Format-List Name,FolderAndSubfolderSize

If auditing is enabled, we can check the mailbox audit logs and find the cause of the deletion.

Search the audit logs for the user –

Search-MailboxAuditLog User@domain.com -ShowDetails -StartDate 12/10/2020 -EndDate 12/18/2020 -ResultSize 250000 | Export-Csv -Path C:\Temp\Mailbox_Audit_Logs.csv -Notype

Open the exported audit log in Excel and filter the Operation column for delete events.

Here, we can see that the mailbox owner has deleted the emails from the “Sent Items” folder.
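The same triage can be done in PowerShell instead of Excel. The following is an added example, not part of the original article: it summarizes delete operations from the export and flags deletes made by anyone other than the mailbox owner. The sample rows are constructed, and the function name Get-DeleteAuditSummary is hypothetical; the column names are those produced by Search-MailboxAuditLog with -ShowDetails.

```powershell
# Constructed sample rows. For a real export, replace the here-string with:
#   $records = Import-Csv C:\Temp\Mailbox_Audit_Logs.csv
$sample = @'
Operation,LogonType,LogonUserDisplayName,FolderPathName,LastAccessed,SourceItemSubjectsList
SoftDelete,Owner,Test User,\Sent Items,12/14/2020 9:02:11 AM,Quarterly report
SoftDelete,Owner,Test User,\Sent Items,12/14/2020 9:03:47 AM,Budget draft
MoveToDeletedItems,Owner,Test User,\Inbox,12/14/2020 9:05:40 AM,Invoice 1001
HardDelete,Delegate,Assistant One,\Deleted Items,12/15/2020 4:20:03 PM,Invoice 1001
Update,Owner,Test User,\Calendar,12/15/2020 5:00:00 PM,Team sync
'@
$records = $sample | ConvertFrom-Csv

# Hypothetical helper: keep only delete operations and group them by
# who performed them, how they logged on, and which folder was affected.
function Get-DeleteAuditSummary {
    param([Parameter(Mandatory)][object[]]$Records)

    $deleteOps = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems'

    $Records |
        Where-Object { $deleteOps -contains $_.Operation } |
        Group-Object LogonType, LogonUserDisplayName, Operation, FolderPathName |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                NonOwner  = $first.LogonType -ne 'Owner'   # Delegate or Admin logon
                LogonType = $first.LogonType
                User      = $first.LogonUserDisplayName
                Operation = $first.Operation
                Folder    = $first.FolderPathName
                Count     = $_.Count
                Subjects  = ($_.Group.SourceItemSubjectsList -join '; ')
            }
        }
}

# Non-owner deletes first, since those usually need an explanation.
Get-DeleteAuditSummary -Records $records |
    Sort-Object NonOwner -Descending |
    Format-Table -AutoSize -Wrap
```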

We can also run the script at the link below to search the audit logs –

https://docs.microsoft.com/en-us/office365/troubleshoot/audit-logs/mailbox-audit-logs

In the next article, we will learn how to restore deleted emails back to the user’s mailbox.

Bypassing Focused Inbox

In Microsoft 365 and Outlook.com, Focused Inbox separates your inbox into two tabs – Focused and Other.

All the important emails are on the Focused tab, and other promotional, bulk and auto-generated emails are on the Other tab.

Outlook uses Artificial Intelligence to separate emails into the Focused and Other tabs.

We can control this setting from “Outlook on Web” or using “Microsoft 365” PowerShell.

1. Disable Focused Inbox on Outlook on Web :-

Log in to Outlook on Web -> Mail -> Layout -> Don’t sort my messages.

2. Disable Focused Inbox on Outlook :-

Users can also adjust the Focused Inbox setting using Outlook.

In the View tab -> Click on “Show Focused Inbox”

3. To change settings for some emails :-

From your inbox, select the Focused or Other tab, and then right-click the message you want to move.

Move to Focused – If you want only the selected message moved.

Always Move to Focused – If you want all future messages from the sender to be delivered to the Focused tab.

4. To disable Focused Inbox using Microsoft 365 PowerShell :-

Connect to Microsoft 365 PowerShell.

To view the Focused Inbox setting –

Get-FocusedInbox -Identity User@domain.com

To disable Focused Inbox –

Set-FocusedInbox -Identity User@domain.com -FocusedInboxOn $false

To enable Focused Inbox –

Set-FocusedInbox -Identity User@domain.com -FocusedInboxOn $true

5. Disable/Enable Focused Inbox at the organization level :-

To view the settings –

Get-OrganizationConfig | fl Focused*

To disable the Focused Inbox at organization level –

Set-OrganizationConfig -FocusedInboxOn $false

To enable the Focused Inbox at Organization level –

Set-OrganizationConfig -FocusedInboxOn $true

6. Force an email to show in Focused Inbox –

Sometimes there is a requirement to show an important email in users’ Focused Inbox, such as an HR or Payroll communication.

We can create a transport rule and force this using the header “X-MS-Exchange-Organization-BypassFocusedInbox”.

Create using UI :-

Create using PowerShell –

New-TransportRule -Name "Bypass Focused Inbox" -From "Payroll@domain.com" -SetHeaderName "X-MS-Exchange-Organization-BypassFocusedInbox" -SetHeaderValue "true"

[Get-MailboxFolderPermission], ManagementObjectNotFoundException

When you try to get the permissions list from a mailbox calendar, or try to set permissions on it, you may get the below error.

Get-MailboxFolderPermission User@domain.com:\calendar

The operation couldn’t be performed because ‘User@domain.com:\calendar’ couldn’t be found.
    + CategoryInfo          : NotSpecified: (:) [Get-MailboxFolderPermission], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [FailureCategory=Cmdlet ManagementObjectNotFoundException],Microsoft.Exchange.Management.StoreTasks.GetMailboxFolderPermission

This is because the mailbox language is not English and the Calendar folder name has changed.

You can get the language of the mailbox using the below command.

Get-Mailbox User@domain.com | select Languages

Then, based on the language, use the localized name of the Calendar folder; in my case it should be “Kalender”.

Get-MailboxFolderPermission User@domain.com:\Kalender

How to create and apply retention policies and check Archive mailbox Size.

In the previous article, we explained what Online Archive is and how to enable it. In this article, we will see how to move data to the Online Archive and how to check its size.

Once you have Online Archive enabled, you can assign a retention policy to the mailbox to move data to the archive.

Retention Policies are made up of Retention Policy Tags, which define how long to keep an email in the mailbox before moving it to the archive or deleting it.

There are some default “Retention Policies” available, and you can also create one as per your need.
To see the default retention policies, log in to Exchange Admin Center -> Compliance Management -> Retention Policies.

Default Retention Policies

You can also run below command on Exchange Online PowerShell to view Retention Policies and Tags.

Get-RetentionPolicy
Get-RetentionPolicyTag

If the default policy doesn’t suit your need, you can create a new one.

Create Retention Policy Tag –

New-RetentionPolicyTag "3 Year Move To Archive" -Type All -RetentionEnabled $true -AgeLimitForRetention 1095 -RetentionAction MoveToArchive

Create Retention Policy –

New-RetentionPolicy "3 Year Move To Archive - Policy" -RetentionPolicyTagLinks "3 Year Move To Archive"

Apply policy to a user –

Set-Mailbox -Identity User@domain.com -RetentionPolicy "3 Year Move To Archive - Policy"

Once the policy is applied to the user, you can start the Managed Folder Assistant on the user’s mailbox to begin archiving.

Once this is done, you can check the archive size to see if the policy is working.

Get-MailboxStatistics User@domain.com -Archive

Exchange Online finds the archive mailbox using ArchiveGUID. Once Archive is enabled, you can see this GUID in mailbox properties.

The auto-expanding archive replaces the single GUID that connects the mailbox to the archive with a linked list of GUIDs. Each of the GUIDs points to a separate auxiliary archive of up to 50 GB.

We can see the GUID details using the below command –

Get-ExoMailbox -Identity User@domain.com -Properties MailboxLocations | Select -ExpandProperty MailboxLocations

We can get the GUIDs of the mailbox locations using the below command –

Get-MailboxLocation -User User@domain.com | Sort MailboxLocationType -Descending | FT MailboxGUID, MailboxLocationType

Once we have the GUID, we can find the mailbox size.

Get-ExoMailboxStatistics -Identity 2f2a0b11-1220-456e-bde6-8cbdca3fe17b | FT ItemCount, TotalItemSize
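With an auto-expanding archive there is one size per GUID, so the per-location results need to be added up. The following is an added example, not part of the original article: it parses the size text returned for each location and reports usage against the 50 GB per-archive figure mentioned above. The rows are constructed sample data, the function names are hypothetical, and the location type names MainArchive and AuxArchive are assumed to match what Get-MailboxLocation returns.

```powershell
# Constructed sample data. In a live session, build these rows from
#   Get-MailboxLocation -User User@domain.com
# and, for each MailboxGuid, Get-ExoMailboxStatistics -Identity <guid>.
$rows = @(
    [pscustomobject]@{ MailboxLocationType = 'Primary';     TotalItemSize = '20 GB (21,474,836,480 bytes)' }
    [pscustomobject]@{ MailboxLocationType = 'MainArchive'; TotalItemSize = '48.5 GB (52,076,478,464 bytes)' }
    [pscustomobject]@{ MailboxLocationType = 'AuxArchive';  TotalItemSize = '12 GB (12,884,901,888 bytes)' }
)

# Hypothetical helper: sizes come back as text in a remote session,
# so read the exact byte count from inside the parentheses.
function ConvertTo-ByteCount {
    param([Parameter(Mandatory)][string]$Size)
    if ($Size -match '\(([\d,]+) bytes\)') {
        return [int64]($Matches[1] -replace ',', '')
    }
    throw "Unrecognised size string: $Size"
}

# Hypothetical helper: one row per archive location with its size and
# how full it is relative to the per-archive limit.
function Get-ArchiveUsage {
    param(
        [Parameter(Mandatory)][object[]]$Locations,
        [int64]$PerArchiveLimit = 50GB
    )
    $archiveTypes = 'MainArchive', 'AuxArchive'   # assumed type names
    foreach ($loc in $Locations) {
        if ($archiveTypes -notcontains $loc.MailboxLocationType) { continue }
        $bytes = ConvertTo-ByteCount -Size ([string]$loc.TotalItemSize)
        [pscustomobject]@{
            Location    = $loc.MailboxLocationType
            SizeGB      = [math]::Round($bytes / 1GB, 2)
            PercentUsed = [math]::Round(100 * $bytes / $PerArchiveLimit, 1)
        }
    }
}

$usage = Get-ArchiveUsage -Locations $rows
$usage | Format-Table -AutoSize
'Total archive size: {0} GB' -f ($usage | Measure-Object SizeGB -Sum).Sum
```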

What is Office 365 Archive/ Microsoft 365 In-Place Archive

Enterprise plans (E3 – E5) grant 100 GB primary mailbox quotas to users. If the primary mailbox reaches its quota limit (100 GB), archiving in Office 365 (also called In-Place Archiving) provides users with additional mailbox storage space. An archive mailbox can be defined as an online-only extension of the primary mailbox.

How to Enable Archive –

  • On the Exchange Admin Center -> Select the recipient -> Mailbox Features, you will see the option to enable Archive for mailbox.
  • On the “Security & Compliance Center” https://protection.office.com.
    • Under Information governance > Archive, select the recipient and you can enable/disable the Archive.

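You can also enable the archive using PowerShell, and then enable auto-expanding on it as a separate command.

Enable-Mailbox -Identity User@domain.com -Archive
Enable-Mailbox -Identity User@domain.com -AutoExpandingArchive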

The archive mailbox size is 50 GB, and you should have AutoExpand enabled to increase the size of the archive automatically.
Once the archive is enabled, you will see the archive mailbox under your primary mailbox (bottom left of your mailbox).

You can also disable the archive from the EAC or the Compliance portal by clicking Disable, in the same place where it was enabled,
or by using the below PowerShell command.

Disable-Mailbox -Identity User@domain.com -Archive

Although disabling an archive prevents user access to the archive, it does not remove the content from the database where the archive data is stored. Instead, a 30-day retention period starts.

During this time, you can recover the archive and reconnect it to the primary mailbox by re-enabling the archive. Any content in the archive mailbox will be removed from the database once the 30-day deleted mailbox retention period expires.

Pros and Cons of Archive Mailbox –

  • Archive mailboxes can only be accessed online. Outlook does not synchronize any archive folder into the OST. So, your Archive mailbox will not be as fast as your Primary Mailbox.
  • Searches can find items stored in archives but only if the user specifies that Outlook should search “All Mailboxes”.
  • ActiveSync clients cannot access an archive mailbox because the protocol does not support this type of resource.

So, consider the above points before you decide which emails should go to the archive.

In the next article, we will see how to create and apply retention policies and check the archive mailbox size.

Error – We are preparing a mailbox for the user..

After assigning a license to a Microsoft 365 user, you don’t see the user’s mailbox and instead see the below error on the portal, under the email section.

“We are preparing a mailbox for the user”

To resolve the issue, you can follow the below steps.

  • Remove the license from the user, wait for some time, and then re-assign the license. If you still don’t see the mailbox, move to the next step.
  • Under Health -> Service Health, check if there is any incident reported for your tenant.
  • If not, run the below command and see if there is any error for the user and any service incident related to it.
Get-MsolUser -UserPrincipalName UserWithError@domain.com | select -ExpandProperty Errors
  • If you see an error for the user, run the below command to get the exact error for the user.
Get-MsolUser -UserPrincipalName UserWithError@domain.com | ft UserPrincipalName,@{Name="Error";Expression={($_.errors[0].ErrorDetail.objecterrors.errorrecord.ErrorDescription)}} -AutoSize -wrap
  • In the error report, look for the user and the error, which will name any conflicting attribute, for example UPN or Country Code.
  • If you sync the attributes from on-prem AD, you can correct the attribute there, or compare the attribute with a healthy account to see the difference.
  • Once done, run an AD sync cycle and see if that resolves the issue.
  • If the issue is still not solved, you will have to log a case with MS support.

To list all users that have errors, or to export them to a CSV file, run the below commands.
Get-MsolUser -HasErrorsOnly -All | ft DisplayName,UserPrincipalName,@{Name="Error";Expression={($_.errors[0].ErrorDetail.objecterrors.errorrecord.ErrorDescription)}} -AutoSize -wrap

Get-MsolUser -HasErrorsOnly | select DisplayName,UserPrincipalName,@{Name="Error";Expression={($_.errors[0].ErrorDetail.objecterrors.errorrecord.ErrorDescription)}} | Export-csv c:\temp\validationerrors.csv