
20 Replies

  • I have the policy enabled for Creation of forwarding/redirect rule but only get notifications for redirects set up to external email addresses. Was it an external address you tested?

  • Some Outlook rules only run while the client is running.

  • No Paul007, I didn't specify an external IP, just selected ANY mailbox?

  • Try adding a forwarding rule to an external email address and see if you get the alert email.

  • You can try https://www.lepide.com/data-security-platform/office-365-auditing.html to get these alerts easily and report on such changes as they happen.

  • The problem is that I can't even see any email in mail flow coming to me so it doesn't look as though they're actually being generated so I doubt a mail rule will help but what email address will it come from so I can at least test it?

    Thanks

  • Alert emails are sent by Office365Alerts@microsoft.com

  • Just added a new rule and again nothing, and not showing up in a message trace either? I presume we don't need any extra licensing for us to be able to do this do we?

  • The licensing requirements are listed on the docs site below. If you have an Ex/Fx/Gx sub then you should get alerts (higher ones get more alert policies). Forwarding/redirect rule policy requires an E1/F1/G1, E3/F3/G3, or E5/G5 license.

    https://docs.microsoft.com/en-gb/microsoft-365/compliance/alert-policies?view=o365-worldwide

    It does mention it takes 24 hours after creating/updating an alert policy before it can trigger alerts.

  • Ok so as usual Microsoft make it as clear as brick....we ALL have Business Premium licences ourselves so would one of these be needed by JUST the admin setting up the policy then or everyone we need to monitor with the alert?

    As far as I'm aware a Business Premium is the same as an E3 (apart from storage space)?

  • It is not clear but I believe you should get the E3 alert policies with Business Premium. You need to be a genius to understand MS licensing :-)
    My policy is set to notify TenantAdmins and I know only admin accounts allocated an Exchange license get sent the alerts.

  • Indeed. I've added myself and the 2 other admins to the alert instead of the "tenantadmins" and we're all global admins with business premium licences so "should" be good. I'll keep digging.

    Thanks

  • Just a thought but where do I see the report to see if it's actually detected the event in the first place (if there is a log that is)?

  • You can see the alerts in the Purview portal at https://compliance.microsoft.com/compliancealertsv2

    If they are not listed in there then I do not think an email alert would have been sent.

  • Thanks, yes, it's empty. I'll see if I can test it on a few other mailboxes just in case it's this one I've tried it on?

  • Tried it with a couple of others but nothing....the Purview log is completely empty and if I go into AUDIT there is no banner to say turn it on so it must already be on?

  • The alert list seems to default to the last day so you may have to change the dates to see any.

    Does your policy look like this?

  • My Purview shows up to today's date so not sure if that means up to the current time or midnight last night but I can't see an option to change it?

    Yes, my view looks like that, the only difference is I have mine set as Severity = High and not Information but I suspect that wouldn't stop it from sending?

    Thanks

  • Press "refresh" then you can change the filters. Defaults to a month's worth of alerts. Below has one example alert.


  • Interesting.....if I change it back to March up to today then there ARE entries in there but only up to about middle of April so I'm guessing something has stopped somewhere.
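
The first reply notes that the alert only fired for rules pointing at external addresses. As an added example (not code from any poster or from Microsoft), this Python script applies that internal/external split to exported audit records, so rule changes can be reviewed even when no alert arrives. The records are constructed, their field layout (Operation, UserId, Parameters as Name/Value pairs) is an assumption about the export format, and contoso.example is a hypothetical accepted domain.

```python
import json
import re

# Constructed sample records, one JSON object per line (not real tenant data).
# Assumption: field layout of the exported audit records.
SAMPLE_AUDIT_LINES = [
    '{"Operation":"New-InboxRule","UserId":"alice@contoso.example","Parameters":[{"Name":"Name","Value":"fwd"},{"Name":"ForwardTo","Value":"bob@contoso.example"}]}',
    '{"Operation":"Set-InboxRule","UserId":"carol@contoso.example","Parameters":[{"Name":"RedirectTo","Value":"smtp:drop@fabrikam.example"}]}',
    '{"Operation":"New-InboxRule","UserId":"dave@contoso.example","Parameters":[{"Name":"MoveToFolder","Value":"Archive"}]}',
    '{"Operation":"MailItemsAccessed","UserId":"erin@contoso.example"}',
    '{"Operation":"New-InboxRule","UserId":"trunc',  # malformed line
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)")

def forwarding_targets(record):
    """Return (address, domain) pairs found in forwarding/redirect parameters."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    targets = []
    for param in record.get("Parameters", []):
        if param.get("Name") in FORWARD_PARAMS:
            for m in ADDRESS_RE.finditer(str(param.get("Value", ""))):
                targets.append((m.group(0).lower(), m.group(1).lower()))
    return targets

def classify(lines, accepted_domains):
    """Label every forwarding target as internal or external to the tenant."""
    accepted = {d.lower() for d in accepted_domains}
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed export lines
        if not isinstance(record, dict):
            continue
        for address, domain in forwarding_targets(record):
            scope = "internal" if domain in accepted else "external"
            findings.append((record.get("UserId"), record["Operation"], address, scope))
    return findings

if __name__ == "__main__":
    for finding in classify(SAMPLE_AUDIT_LINES, ["contoso.example"]):
        print(finding)
```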
