Unable to see all Operations on ExchangeAdmin RecordTypes #12540

@stvpwrs

Description

Describe the bug
After setting up Microsoft Sentinel and adding the Microsoft 365 (formerly Office 365) Data Connector, the logs being collected appear incomplete.

In particular, not all Operations on ExchangeAdmin RecordTypes are showing up.

Our test case was taking actions to change permissions on a shared mailbox. In the Unified Audit Log (UAL) we can see the Add-MailboxPermission operations happening, but they do not appear in Microsoft Sentinel.

This is perhaps a permissions issue, but while a GA account set up the Microsoft 365 (formerly Office 365) Data Connector, perhaps other actions are needed? There does not appear to be any security configuration on the connector itself, and it is now showing a permission issue, but logs are still coming in.

To Reproduce
Steps to reproduce the behavior:

  1. Make permission changes to a shared mailbox.
  2. Wait 15 minutes.
  3. Go to the Log Analytics Workspace resource where Microsoft Sentinel is deployed.
  4. Select Logs.
  5. Run the KQL query.

Query:

// All Office Activity 
// All the events provided by Office Activity. 
OfficeActivity
| where OfficeWorkload == "Exchange"
| project TimeGenerated, UserId, Operation, OfficeWorkload, RecordType, _ResourceId
| sort by TimeGenerated desc nulls last

Expected behavior
We expect to see entries with the ExchangeAdmin RecordType and Add-MailboxPermission Operation corresponding to the change.

Screenshots
[screenshot attached to the original issue, not reproduced here]

Desktop (please complete the following information):

  • OS: Windows 11
  • Browser Microsoft Edge

Additional context
If this is a permissions issue, I'm not sure where to apply these permissions? Should a user-managed identity be added or something? I expect this to be on the connector itself, but that doesn't appear to be the way Microsoft Sentinel does things.
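The following KQL is an added example to go with the report above; it is not part of the original issue or of the Sentinel project. It narrows the reporter's query to mailbox permission changes in the ExchangeAdmin RecordType and parses the cmdlet parameters so the target mailbox, the grantee and the access rights can be read directly. It assumes the standard OfficeActivity schema columns OfficeObjectId, Parameters, ClientIP and ResultStatus, and that Parameters carries the JSON array of {"Name": ..., "Value": ...} objects the Unified Audit Log emits for Exchange cmdlets; the lookback window and the list of operations are constructed for the example.

```kql
// Added example, not from the original issue.
// Assumes the standard OfficeActivity schema and that Parameters is a JSON
// array of {"Name":..., "Value":...} objects as emitted by the UAL for
// Exchange cmdlets.
let lookback = 7d;
// Mailbox permission cmdlets worth watching (constructed list for the example).
let MailboxPermOps = dynamic(["Add-MailboxPermission", "Remove-MailboxPermission",
                              "Add-RecipientPermission", "Remove-RecipientPermission"]);
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "Exchange" and RecordType == "ExchangeAdmin"
| where Operation in (MailboxPermOps)
| extend Params = parse_json(Parameters)
// Pull the named cmdlet parameters out of the array into their own columns.
| mv-apply Param = Params on (
    summarize TargetMailbox = anyif(tostring(Param.Value), tostring(Param.Name) == "Identity"),
              GrantedTo     = anyif(tostring(Param.Value), tostring(Param.Name) == "User"),
              AccessRights  = anyif(tostring(Param.Value), tostring(Param.Name) == "AccessRights")
  )
| project TimeGenerated, UserId, Operation, TargetMailbox, GrantedTo, AccessRights,
          ResultStatus, ClientIP, _ResourceId
| sort by TimeGenerated desc
```

If this returns nothing while Search-UnifiedAuditLog shows the Add-MailboxPermission events, the gap is in ingestion rather than in the query. Replacing everything after the RecordType filter with `| summarize Events = count(), LastSeen = max(TimeGenerated) by Operation` gives an inventory of which ExchangeAdmin operations are actually reaching the table, which is the quickest way to confirm whether the missing operation is the only one absent.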

Labels: Connector, Connector specialty review needed