Use this article to investigate changes to mailbox rules in Exchange Online. It shows how to view a mailbox's current inbox and forwarding rules and how to search the Microsoft Purview audit log to identify who created, modified, or deleted those rules.
Use these methods to investigate:
- Changes to email forwarding rules
- Rules that cause emails to not appear in expected folders
- Unauthorized rule modifications
Before you begin
To investigate mailbox rule modifications, you need:
- The Audit Logs role assigned in Microsoft Purview
- To connect to Exchange Online PowerShell by using Connect-ExchangeOnline
How to identify mailbox rule modifications
Use these two essential commands to investigate mailbox rule changes.
Check current mailbox rules
The output of this command shows:
- Current rule configuration: The rules that currently exist on the mailbox
- Rule actions: Move, delete, or forward
- Rule status: Enabled or disabled
To see what rules currently exist in a mailbox, run the following command:
Get-InboxRule -Mailbox <mailbox> | FL Name,Description,DeleteMessage,MoveToFolder,Enabled
Search for rule modification audit records
This search looks for:
- New-InboxRule: New rules created
- Set-InboxRule: Existing rules modified
- Remove-InboxRule: Rules deleted
To find out who created, modified, or deleted mailbox rules, run the following command:
Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 -UserIds <user1,user2> -Operations New-InboxRule,Set-InboxRule,Remove-InboxRule -ResultSize 1000
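The raw output of Search-UnifiedAuditLog stores the rule details inside the AuditData JSON string, so the actor, client IP and the rule's forwarding or deletion parameters are not visible until that field is expanded. The following script is an added example, not part of the article or a Microsoft script; it assumes Connect-ExchangeOnline has already been run, and the mailbox address and date range are placeholders you replace.

```powershell
# Added example: expand rule-change audit records into a readable table and
# flag rules that forward or delete mail. Not part of the article.
$Mailbox   = 'user@contoso.example'        # placeholder mailbox under investigation
$StartDate = (Get-Date).AddDays(-90)       # placeholder date range
$EndDate   = Get-Date

# ResultSize caps at 5000 per call; larger sets need -SessionCommand ReturnLargeSet paging.
$records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
    -UserIds $Mailbox `
    -Operations New-InboxRule,Set-InboxRule,Remove-InboxRule `
    -ResultSize 5000

$findings = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json

    # Parameters is a list of Name/Value pairs passed to the cmdlet that changed the rule.
    $params = @{}
    foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }

    $forward = @($params['ForwardTo'], $params['ForwardAsAttachmentTo'], $params['RedirectTo']) |
        Where-Object { $_ } | ForEach-Object { "$_" }

    [pscustomobject]@{
        When          = $data.CreationTime
        Operation     = $data.Operation
        Actor         = $data.UserId            # who made the change (may differ from the mailbox owner)
        ClientIP      = $data.ClientIP
        RuleName      = $params['Name']
        ForwardTarget = ($forward -join '; ')
        DeleteMessage = $params['DeleteMessage']
        MoveToFolder  = $params['MoveToFolder']
    }
}

# Rules that forward mail or silently delete it are the ones worth reviewing first.
$suspicious = $findings | Where-Object {
    $_.ForwardTarget -or ($_.DeleteMessage -eq 'True') -or ($_.Operation -eq 'Remove-InboxRule')
}

$findings   | Sort-Object When | Format-Table -AutoSize
$suspicious | Export-Csv -Path '.\inboxrule-findings.csv' -NoTypeInformation  # placeholder output path
```

Compare the Actor and ClientIP columns against what the mailbox owner normally uses; a rule created by a different account or from an unexpected address is the signal to follow up on.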
What to do when searches return no results
If your audit searches don't find rule modification records:
- Expand the date range to capture older changes:
Search-UnifiedAuditLog -StartDate 01/01/2020 -EndDate 03/31/2020 -UserIds <user1,user2> -Operations New-InboxRule,Set-InboxRule,Remove-InboxRule -ResultSize 1000
- Enable auditing for future rule changes:
Set-Mailbox <mailbox> -AuditEnabled $true -AuditOwner @{Add="Create","Update"}
Quick reference
Key operations for rule investigation
| Operation | Description |
|---|---|
| New-InboxRule | New mailbox rule created. |
| Remove-InboxRule | Mailbox rule deleted. |
| Set-InboxRule | Existing mailbox rule modified. |
Essential commands
| Command | Purpose |
|---|---|
| Get-InboxRule -Mailbox <mailbox> | Check current rule configuration. |
| Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule,Remove-InboxRule | Find who made rule changes. |
Next steps
- Use MailItemsAccessed to investigate compromised accounts: Determine whether unauthorized rule changes indicate a compromised account.
- Identify who deleted an email message or why an email is missing: Investigate whether modified rules caused email deletions or missing messages.
- Export, configure, and view audit log records: Export your rule modification findings for compliance documentation.