📝How to Cancel or Remove an Audit Log Export Request in Exchange Server

You can use Administrator Audit Logging in Exchange Server to log when a user or administrator makes a change in your organization. This post does not cover that functionality itself, but a specific question I was asked some time ago. For more information about reviewing the administrator audit log, see 🔗How to use administrator audit logging in Exchange Server

For this, we can use New-AdminAuditLogSearch and Search-AdminAuditLog. The New-AdminAuditLogSearch cmdlet searches the admin audit log just like the Search-AdminAuditLog cmdlet. However, instead of displaying the results of the search in the Exchange Management Shell, New-AdminAuditLogSearch performs the search and then sends the results to a recipient you specify in an email message (as described in the linked article).

Imagine a situation in which an administrator creates a report request via the EAC and points the report at the wrong recipient. In my case, a customer complained that their administrator accidentally selected the wrong distribution group to receive this report. That happens. But how can we prevent this report from being delivered?

In Exchange Server, you can use the Get-AuditLogSearch cmdlet to view existing admin audit log export requests:

But there is no obvious option to remove a request.

The first thing that came to my customer's mind was to create a transport rule that would remove this message from the transport pipeline. But this feature doesn't send the message through transport, so they ended up removing the specific message from the individual mailboxes after it had already been created (delivered) there. Not a good option.

📌So, the question is how this situation can be prevented.

Exchange contains several special system mailboxes known as arbitration mailboxes. You can learn more about them in this article 🔗Recreate missing arbitration mailboxes

Let's take a look at what happens when you create an export request for administrator audit logs.

1. Create a report from PowerShell (the EAC can also be used) with 🔗New-AdminAuditLogSearch:

New-AdminAuditLogSearch -StartDate 05/20/2023 -EndDate 05/29/2023 -StatusMailRecipients administrator@contoso.com -Name "Test1 admin audit log"

The output will look similar to this:

2. The request is asynchronous. That means we created a request that will be picked up and processed later. Similar things happen when you create a mailbox move or export request, for example. This export request was created in the discovery search mailbox, SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}.

3. Let's investigate some of its properties:

Search-Mailbox "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" -EstimateResultOnly

There are some items inside (ResultItemsCount). If you create a new administrative audit log search, you will see this value increase:

Folder statistics give more detail on the AdminAuditLogSearch folder. We have 2 requests now; if you create a new one, the number will increase.

Get-MailboxFolderStatistics "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" | Sort-Object ItemsInFolder -Descending | ft FolderPath, ItemsInFolder, FolderId

4. We could remove all content with the Search-Mailbox cmdlet, but that could also remove something valuable. Unfortunately, the Compliance and Audit cmdlets do not allow working with the discovery mailbox, at least in the version I used at the time (Exchange 2019 CU13).

Instead, we can grant our account Full Access permissions and wait until this mailbox is connected in Outlook via Autodiscover:

Add-MailboxPermission "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" -User administrator -AccessRights FullAccess

5. We cannot clearly identify a specific request if there are several of them. But if it's critical, we can use the MFCMAPI utility to view the detailed properties of each request:

Then remove the required request from Outlook.
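To catch a mis-addressed report before it is processed, the queued requests can be reviewed against an approved recipient list and the arbitration mailbox folder count checked in one pass. This is an added example for the Exchange Management Shell, not code from the original post; the approved recipient addresses are hypothetical, and the CreatedBy property is assumed to be present on Get-AuditLogSearch output.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Flags queued admin audit log export requests whose report recipient is not on
# an approved list, then shows how many request items sit in the
# AdminAuditLogSearch folder of the discovery arbitration mailbox.

# Assumption: mailboxes allowed to receive audit reports (hypothetical values).
$ApprovedRecipients = @('administrator@contoso.com', 'secops@contoso.com')

# Arbitration mailbox that stores the export requests (same mailbox as used above).
$ArbitrationMailbox = 'SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}'

# 1. Enumerate admin audit log searches that are still queued.
$Requests = Get-AuditLogSearch -Type admin

foreach ($Request in $Requests) {
    # StatusMailRecipients is a multi-valued SMTP address list; compare as strings.
    $Unapproved = @($Request.StatusMailRecipients |
        Where-Object { $ApprovedRecipients -notcontains $_.ToString() })

    if ($Unapproved.Count -gt 0) {
        # CreatedBy is assumed to be exposed by the cmdlet output.
        Write-Warning ("Request '{0}' created by {1} will send results to unapproved recipient(s): {2}" -f `
            $Request.Name, $Request.CreatedBy, ($Unapproved -join ', '))
    }
    else {
        Write-Output ("Request '{0}' recipients OK: {1}" -f `
            $Request.Name, ($Request.StatusMailRecipients -join ', '))
    }
}

# 2. Report the current item count of the AdminAuditLogSearch folder so it can be
#    compared before and after a request is removed via Outlook or MFCMAPI.
Get-MailboxFolderStatistics -Identity $ArbitrationMailbox |
    Where-Object { $_.FolderPath -like '*AdminAuditLogSearch*' } |
    Select-Object FolderPath, ItemsInFolder, FolderId
```

Running this on a schedule gives a window to remove a mis-addressed request before the asynchronous processing picks it up.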

P.S. You can find some information about MFCMAPI in 🔗this blog post.

End
