I'm having a hard time finding an email that a user insists they receive every month. As a Global Admin, can logs in Exchange Online or Defender actually be deleted? If so, would that make it impossible to trace the email, even when using KQL queries?
1 Answer
It sounds like you're worried about log deletions, but it’s more likely that the email is just tough to find. There are a few things that could make the search tricky, like email aliases or server-side groups. Have you tried searching through the mailbox directly, without specifying recipients? Also, what’s your main reason for looking for this email? If you can't find it, it might be worth considering that the user never actually received it.
I'm trying to find an email from a specific sender's domain using a simple query that works for other emails. I've checked KQL queries, Defender Explorer, and Exchange Trace, but still no luck.