Since around 2/28, our daily Exchange Online Activity summary has been loaded with supposedly modified conditional access policies when no such changes have been made. Every day the report will show every single conditional access policy on the tenant but with nothing changed.
We have 2 partner orgs each with their own Netwrix Auditor and M365 tenants and they are reporting this issue as well.
See attached sample screenshot.
Hi Michael! When you say "when no such changes have been made", what do you imply? Did you verify that this is not a real event that actually happened? Or do I misunderstand your point?
Hi Michael,
We will research this behavior on our side. This is related to the native MS logging, so please take into account the previous question from Dmitry.
Thanks,
Roman
I mean no M365 tenant admins made any changes to the policies. The “Who” on the log entries suggests it’s a service account. When I go to the 365 portal it looks like nothing changes on the conditional access policies.
Hi Michael,
If the service account is making noisy changes, you can try excluding it via omituserlist by who.
To do this: find (default path) ‘C:\Program Files (x86)\Netwrix Auditor\Exchange Online Auditing\omituserlist.txt’, then add an entry like ‘NT Service*’ or the full text from the Who field.
Then changes made under that user will be excluded from reporting.
Would this be a good option for you?
Regards, Evgenii
Hi Everyone,
I can certainly verify that something has changed in the behavior of MS Exchange Online, whether Microsoft have made some adjustments that are now causing multiple ‘Conditional Access Policy’ changes to take place daily.
Below is a screenshot from my lab, and this activity only began happening since 28th Feb.
I can certainly verify that I have not made any changes in my test tenant, so these are automatically being done by Microsoft on a daily basis!
Regards,
Russell