Retreive original email IDs from admin activities "view/download email"

[Julien Le Gallic]

Hi Team,

There is an important issue related to some activities allowed to administrators of VDC tenant:
- View email body
- Download locally
- Restore to another account

With this functionalities, which are useful, the drawback is that a malicious admin could consult, or retrieve personal or confidential informations from other users (such as VIP / finance / etc)
Those activities are logged in the activity feed, but there is no mention of the item itself, only the target user account.

For "View email body" activity log, there is a Item ID, but it is not one of the EWS IDs for an email (confirmed by Veeam Support, it is an internal Veeam ID)
So we are not able to make the link to know which email exactly has been consulted.

This is very problematic in case of sensitive data leak or legal audit, because we cannot identify or prove about the responsible admin/user.

Perhaps there is a reason (design, security, ..), but we need more explanation on these. And more over a solution to address legal requirements about data confidentiality and classification.

Thanks.

[Polina]

Hi Julien,

First, those iternal IDs are going to be removed soon, since as you noticed they don't bring much value for users.
Next, what information would be sufficient for you to get? Is it item's name/subject (which are not unique and, IMO, uncertainty will remain) or anything else?

Thanks!

[Julien Le Gallic]

Hi Polina,

The one we use regularly is the Message ID, but it is not specific to Microsoft.

Perhaps, in order to have something reproducible for better user experience, using a Microsoft ID that is common to M365 items would make more sense ?
Like this we could have also same logs for downloaded items in sharepoint or onedrive.

For EWS, Rest ID / Immutable IDs / EwsID would do the job.

[Polina]

Thanks, noted!