Are contacts suddenly being deleted in Microsoft 365?

I recently received a report from a blog reader who is struggling with the fact that some of his users' Microsoft 365 accounts sporadically have their contacts deleted.



Microsoft 365 is increasingly proving to be an almost unmanageable permanent construction site, where users are constantly annoyed by malfunctions and bugs and administrators are driven to despair.

A reader report about deleted contacts

German blog reader Christian M. works in the IT department of a company that also uses Microsoft 365 in conjunction with Exchange Online. And there seem to be problems there at the moment.

The reader describes it as follows: "For a few days now, all contacts have suddenly been deleted from a handful of Microsoft M365 accounts." There is no recognizable pattern on the end user side, says Christian. The company uses clients with Windows and macOS. Exchange Online and Microsoft M365 Standard Business licenses are used.

Log shows strange actions

The reader then looked at the logs in Wazuh. Wazuh is an open source security solution that is connected to the user's Microsoft 365 audit logs. In the log entries, the reader then noticed that suddenly a huge number of "MovedToDeletedItems" actions were recorded for a mailbox.

For each contact there was then a single entry showing that it had been moved from "\Contacts" to "\DeletedItems". When I asked the associated user whether everything was ok, the only result was that all contacts saved under the MS365 account had suddenly disappeared.



Another user contacted the IT staff and reported that he could no longer encrypt emails via S/MIME on his smartphone. The likely background is that in this case the certificate is attached to the contact.

The "good thing" about this unfortunate situation is that you can restore the contacts from the recycle bin yourself, the reader notes. To do this, however, you have to be logged into OWA (https://outlook.office.com/mail), where you can find and restore the contacts in the recycle bin under "People".

Root cause isn't known

Christian writes that he cannot identify a real cause or pattern that is responsible for the deleted contacts. What he has also noticed is that so far only accounts assigned to the following Microsoft servers ("OriginatingServer") are affected:

BEZP281MB3208 (15.20.4200.000)
BE0P281MB0099 (15.20.4200.000)
FR2P281MB2043 (15.20.4200.000)
FR2P281MB3246 (15.20.4200.000)

All accounts not (yet) affected are "hanging" on other servers. The blog reader suspects that these are the Exchange Online backend servers, which are assigned according to location. However, the reader states that they have never explicitly selected a location for the tenants in IT. And certainly no different locations have been assigned for individual users.

The reader writes that he does not know whether this effect is due to a Microsoft backend job or what is causing it. Some other users are also reporting this issue in comments.

Frank Carius wrote: It can be anything, but it is usually a client that is running crosswise, e.g. smartphone etc. There is a "Mailbox AuditLog" and as an admin you can use it to track who deleted what and when (you may have to activate this and you need rights to view it).

However, affected admins can determine the user, the IP address, the time, the user agent etc. in this way. These are "NOT" the AuditLogs, use the AzureAuditLogs, that provide changes to the UserObject itself. Sign-in logs only report logins, but we need the mailbox logs or AdminAuditLogs. These can be obtained via a "UniversalSearch" or Purview Portal.
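To triage the pattern the reader saw in the logs (one "MovedToDeletedItems" entry per contact, from "\Contacts" to "\DeletedItems") and pull out the user, IP address, client and OriginatingServer mentioned above, the following added example groups exported audit records per mailbox and flags bursts. It is not code from the post or from the reader's Wazuh setup; the JSON field names (`MailboxOwnerUPN`, `ClientIPAddress`, `ClientInfoString`, `Folder.Path`), the thresholds and all sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# "MovedToDeletedItems" is the name quoted on the page; the second spelling is
# accepted as well in case the export uses it.
DELETE_OPS = {"MovedToDeletedItems", "MoveToDeletedItems"}

def contact_purges(records, threshold=3, window=timedelta(minutes=5)):
    """Summarise mailboxes with >= threshold contact deletions inside window."""
    per_mailbox = defaultdict(list)
    for rec in records:
        path = rec.get("Folder", {}).get("Path", "")
        if rec.get("Operation") in DELETE_OPS and path.lower().startswith("\\contacts"):
            per_mailbox[rec.get("MailboxOwnerUPN", "?")].append(rec)
    findings = []
    for mailbox, recs in sorted(per_mailbox.items()):
        times = sorted(datetime.fromisoformat(r["CreationTime"]) for r in recs)
        burst, start = 0, 0
        for end, ts in enumerate(times):      # sliding window over sorted times
            while ts - times[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            def uniq(field):
                return sorted({r.get(field, "?") for r in recs})
            findings.append({"mailbox": mailbox, "burst": burst,
                             "first": times[0].isoformat(),
                             "actors": uniq("UserId"),
                             "ips": uniq("ClientIPAddress"),
                             "clients": uniq("ClientInfoString"),
                             "servers": uniq("OriginatingServer")})
    return findings

def _rec(ts, owner, folder, op="MovedToDeletedItems"):
    # Constructed sample record; field names are assumptions about the export.
    return {"CreationTime": ts, "Operation": op, "UserId": owner,
            "MailboxOwnerUPN": owner, "ClientIPAddress": "203.0.113.10",
            "ClientInfoString": "Client=Constructed;Example",
            "OriginatingServer": "SERVER-PLACEHOLDER (0.0.0.0)",
            "Folder": {"Path": folder}, "DestFolder": {"Path": "\\DeletedItems"}}

SAMPLE = ([_rec(f"2024-01-01T08:00:0{i}", "alice@example.com", "\\Contacts") for i in range(4)]
          + [_rec("2024-01-01T09:00:00", "bob@example.com", "\\Contacts"),
             _rec("2024-01-01T09:00:05", "bob@example.com", "\\Inbox"),
             _rec("2024-01-01T09:30:00", "bob@example.com", "\\Contacts")])

if __name__ == "__main__":
    print(json.dumps(contact_purges(SAMPLE), indent=2))
```

A single actor, IP and client string across a whole burst points at one misbehaving device or sync client, while a burst whose actor differs from the mailbox owner deserves a closer look.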

