I'm dealing with a strange situation where one of our shared intern accounts is missing a significant number of emails. We use these accounts for continuity, and multiple staff members use them by changing passwords and managing MFA. These interns often forward emails from their personal accounts to this shared account. Now, it appears that a large batch of emails has disappeared. An audit search only shows one deletion from the relevant period, which has me thinking that perhaps someone set up a rule to forward and delete emails. It doesn't seem malicious since many other messages are still there. Is there a way to run audit searches in Purview to investigate what happened to these missing emails?
1 Answer
Just a heads up, audit logs are retained for 180 days by default now. If you have E5 licenses, they can be kept for up to a year. Are you looking to recover the missing emails or just figure out what happened? For recovery, having backups is key, but it sounds like your business may need a better backup solution.
We do have backups, but they showed empty too. That's why I was confused at first; I've never encountered something like this before.
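An added example, not part of the original thread: one way to test the forward-and-delete rule hypothesis from Exchange Online PowerShell, alongside the Purview audit search. The mailbox address and date window are placeholders, and it assumes the ExchangeOnlineManagement module and an account permitted to search the audit log.

```powershell
# Added example; mailbox address and date window are placeholders (assumptions).
# Requires the ExchangeOnlineManagement module and rights to search the audit log.
Connect-ExchangeOnline

$Mailbox = 'shared-intern@example.com'   # placeholder
$Start   = (Get-Date).AddDays(-90)       # adjust to the period the mail went missing
$End     = Get-Date

# 1. Rules currently on the mailbox that forward, redirect, move or delete mail.
Get-InboxRule -Mailbox $Mailbox -IncludeHidden |
    Where-Object { $_.DeleteMessage -or $_.ForwardTo -or $_.ForwardAsAttachmentTo -or
                   $_.RedirectTo -or $_.MoveToFolder } |
    Format-List Name, Enabled, DeleteMessage, ForwardTo, ForwardAsAttachmentTo, RedirectTo, MoveToFolder

# 2. Mailbox-level forwarding configured outside of inbox rules.
Get-Mailbox -Identity $Mailbox |
    Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Audit records for rule changes and deletions in the window.
$Ops = 'New-InboxRule', 'Set-InboxRule', 'Remove-InboxRule', 'UpdateInboxRules',
       'SoftDelete', 'HardDelete', 'MoveToDeletedItems'
$Records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -UserIds $Mailbox -Operations $Ops -ResultSize 5000

# 4. Flatten AuditData. A single deletion record can list several messages in
#    AffectedItems, so count items rather than records.
$Records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $_.CreationDate
        User       = $_.UserIds
        Operation  = $_.Operations
        ClientIP   = if ($d.ClientIPAddress) { $d.ClientIPAddress } else { $d.ClientIP }
        ItemCount  = if ($d.AffectedItems) { @($d.AffectedItems).Count } else { 0 }
        Parameters = ($d.Parameters | Where-Object { $_ } |
                      ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A rule that has since been removed will not appear in step 1, so the `New-InboxRule` and `Remove-InboxRule` records from step 3 are the place to look for it.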