It seems that a couple of weeks ago my standalone Exchange Online Protection (EOP) configuration was changed without me being involved. Basically, it looks like my default Accepted Domain was changed from type “Internal Relay” to “Authoritative” without my knowledge or consent.
The first I knew of this was when I noticed my on-premises mail server was no longer receiving email. The current usage is low, so I didn’t notice it for a couple of weeks. After some troubleshooting I pinned the problem down to the fact that the Accepted Domain was showing as “Authoritative”. After changing it back to “Internal Relay” mail started getting delivered to my on-prem server almost immediately.
I have no delegated admins for this service, so nobody could have gone rogue on me. I have also checked the admin audit logs and the only entries shown for modifying the Accepted Domains configuration are a) when I originally set it up last September and b) when I changed it back yesterday. Here are a few screenshots to show the evidence.
Firstly the graph below shows when mail stopped being received…
…then the audit entries showing when I made modifications to the mail.activedir.org Accepted Domain. It only shows the two entries. The first was when I set up the service last September and the second was when I made the change from “Authoritative” to “Internal Relay” yesterday.
It looks like I don’t have access to the external admin audit log report. It doesn’t appear in my EAC view (see below), so perhaps it is simply not available to EOP-only subscriptions. This might have been insightful as the log apparently shows actions performed by datacentre administrators, which is where I believe the change was made.
Given the external admin audit log report wasn’t available via the EAC, I thought I would try to invoke it via PowerShell. All I got from the output was the changes that I had made in the portal, i.e. no external admin entries.
PS C:\> Search-AdminAuditLog -ExternalAccess $true

RunspaceId         : 4e7bfd93-6f40-493b-b294-4f936506f863
ObjectModified     : FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/fisheaglelimited2014.onmicrosoft.com/Configuration/mail.activedir.org
CmdletName         : Set-AcceptedDomain
CmdletParameters   : {MatchSubDomains, Identity, DomainType}
ModifiedProperties : {AcceptedDomainFlags, AcceptedDomainType}
Caller             : tony@mail.activedir.org
ExternalAccess     :
Succeeded          : True
Error              : None
RunDate            : 5/03/2015 1:44:26 a.m.
OriginatingServer  : DB3FFO11WS056 (15.01.0099.000)
Identity           : e7054efb-d9f5-461a-9c85-08d224fd0c3a
IsValid            : True
ObjectState        : New

PS C:\> $now = get-date
PS C:\> $start = $now.AddYears(-1)
PS C:\> Search-AdminAuditLog -ExternalAccess $true -StartDate $start -EndDate $now

RunspaceId         : 4e7bfd93-6f40-493b-b294-4f936506f863
ObjectModified     : FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/fisheaglelimited2014.onmicrosoft.com/Transport Settings/FE Outbound
CmdletName         : New-OutboundConnector
CmdletParameters   : {TlsDomain, CloudServicesMailEnabled, TlsSettings, Enabled...}
ModifiedProperties : {ConfigurationUnit, SmartHostType, Id, OrganizationId...}
Caller             : tony@fisheaglelimited2014.onmicrosoft.com
ExternalAccess     :
Succeeded          : True
Error              : None
RunDate            : 7/09/2014 8:57:44 p.m.
OriginatingServer  : AM1FFO11WS040 (15.00.1010.011)
Identity           : ec85e346-1d12-4ab0-2067-08d198f581a9
IsValid            : True
ObjectState        : New

RunspaceId         : 4e7bfd93-6f40-493b-b294-4f936506f863
ObjectModified     : FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/fisheaglelimited2014.onmicrosoft.com/Transport Settings/FE Inbound
CmdletName         : New-InboundConnector
CmdletParameters   : {SenderIPAddresses, CloudServicesMailEnabled, RestrictDomainsToCertificate, Enabled...}
ModifiedProperties : {ConfigurationUnit, Id, OrganizationId, RawName...}
Caller             : tony@mail.activedir.org
ExternalAccess     :
Succeeded          : True
Error              : None
RunDate            : 8/09/2014 1:17:15 a.m.
OriginatingServer  : AM1FFO11WS002 (15.00.1019.000)
Identity           : 50f7f697-a501-4106-56a9-08d19919c2fb
IsValid            : True
ObjectState        : New

RunspaceId         : 4e7bfd93-6f40-493b-b294-4f936506f863
ObjectModified     : FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/fisheaglelimited2014.onmicrosoft.com/Configuration/FE Outbound
CmdletName         : Set-OutboundConnector
CmdletParameters   : {TlsDomain, CloudServicesMailEnabled, Identity, TlsSettings...}
ModifiedProperties : {RecipientDomains, RecipientDomainsEx, SmartHosts}
Caller             : tony@mail.activedir.org
ExternalAccess     :
Succeeded          : True
Error              : None
RunDate            : 8/09/2014 1:19:30 a.m.
OriginatingServer  : DB3FFO11WS013 (15.00.1019.000)
Identity           : 9f184a42-929c-4a98-54c8-08d1991a134d
IsValid            : True
ObjectState        : New

RunspaceId         : 4e7bfd93-6f40-493b-b294-4f936506f863
ObjectModified     : FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/fisheaglelimited2014.onmicrosoft.com/Configuration/mail.activedir.org
CmdletName         : Set-AcceptedDomain
CmdletParameters   : {MatchSubDomains, Identity, DomainType}
ModifiedProperties : {AcceptedDomainFlags, AcceptedDomainType}
Caller             : tony@mail.activedir.org
ExternalAccess     :
Succeeded          : True
Error              : None
RunDate            : 8/09/2014 1:24:06 a.m.
OriginatingServer  : AM1FFO11WS002 (15.00.1019.000)
Identity           : 55b909e6-abbd-43af-8c21-08d1991ab767
IsValid            : True
ObjectState        : New

RunspaceId         : 4e7bfd93-6f40-493b-b294-4f936506f863
ObjectModified     : FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/fisheaglelimited2014.onmicrosoft.com/Configuration/mail.activedir.org
CmdletName         : Set-AcceptedDomain
CmdletParameters   : {MatchSubDomains, Identity, DomainType}
ModifiedProperties : {AcceptedDomainFlags, AcceptedDomainType}
Caller             : tony@mail.activedir.org
ExternalAccess     :
Succeeded          : True
Error              : None
RunDate            : 5/03/2015 1:44:26 a.m.
OriginatingServer  : DB3FFO11WS056 (15.01.0099.000)
Identity           : e7054efb-d9f5-461a-9c85-08d224fd0c3a
IsValid            : True
ObjectState        : New
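An added example, not part of the original post and not Microsoft's code: a check that could be run on a schedule to compare each Accepted Domain's type against a recorded baseline and, on drift, pull the Set-AcceptedDomain audit entries for that domain. It assumes an already-connected EOP remote PowerShell session; the $Baseline table, the Get-AcceptedDomainDrift function and the 30-day lookback are illustrative choices.

```powershell
# Added example. Assumes a connected EOP / Exchange Online PowerShell session
# that exposes Get-AcceptedDomain and Search-AdminAuditLog.

# Expected DomainType per accepted domain (hypothetical baseline, values from the post).
$Baseline     = @{ 'mail.activedir.org' = 'InternalRelay' }
$LookbackDays = 30   # arbitrary window for the audit search

function Get-AcceptedDomainDrift {
    param(
        [Parameter(Mandatory)] [hashtable] $Expected,
        # Output of Get-AcceptedDomain
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Actual
    )
    foreach ($name in $Expected.Keys) {
        $domain  = $Actual | Where-Object { "$($_.DomainName)" -eq $name } | Select-Object -First 1
        $current = if ($domain) { "$($domain.DomainType)" } else { 'Missing' }
        if ($current -ne $Expected[$name]) {
            [pscustomobject]@{ Domain = $name; Expected = $Expected[$name]; Actual = $current }
        }
    }
}

$drift = @(Get-AcceptedDomainDrift -Expected $Baseline -Actual @(Get-AcceptedDomain))

foreach ($d in $drift) {
    Write-Warning "$($d.Domain): expected $($d.Expected), found $($d.Actual)"

    $end   = Get-Date
    $start = $end.AddDays(-$LookbackDays)
    # Query once without and once with -ExternalAccess, the switch used in the post
    # to ask for changes made from outside the tenant.
    $entries  = @(Search-AdminAuditLog -Cmdlets Set-AcceptedDomain -StartDate $start -EndDate $end)
    $entries += @(Search-AdminAuditLog -Cmdlets Set-AcceptedDomain -ExternalAccess $true `
                                       -StartDate $start -EndDate $end)

    # Keep entries for this domain; the same record can come back from both queries.
    $hits = @($entries |
        Where-Object { $_.ObjectModified -like "*/$($d.Domain)" } |
        Sort-Object Identity -Unique | Sort-Object RunDate)

    if ($hits.Count -eq 0) {
        # Drift with no matching audit record is the situation described in the post.
        Write-Warning "$($d.Domain): no Set-AcceptedDomain audit entry in the last $LookbackDays days"
    } else {
        $hits | Format-List RunDate, Caller, ExternalAccess, CmdletParameters, ModifiedProperties
    }
}
```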
I’ve opened a support incident with Microsoft about this, so I’ll post a follow-up here when that is resolved.
Anyone else out there experienced something similar?