About Microsoft 365 NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost) FullAccess Mailbox Delegation

Betul 0 Reputation points
2023-10-02T07:54:32.7266667+00:00

Hi team,

It appears that FullAccess authorization has been granted by the user NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost). The identity information is EURPR0XA00X.prod.outlook.com/Microsoft Exchange Hosted Organizations/aaaa.onmicrosoft.com/DiscoverySearchMailbox{aaa-aaa-aaa-aaa-aaaa}. Do you have any information about the reason for this activity? There is no specific time pattern.

Thanks


1 answer

  1. Vasil Michev 97,076 Reputation points MVP
    2023-10-02T16:36:00.42+00:00

    "DiscoverySearchMailbox" indicates that the entry corresponds to a Discovery mailbox, i.e. one used for the "legacy" eDiscovery experience to "preview" search results, or copy them outside of the original mailbox. Such "discovery" mailboxes cannot be accessed directly as they do not have a corresponding user (or credentials), so Full access permissions are needed to facilitate access. Permissioning is in turn handled by the system once an eDiscovery case is created, although this functionality has since been deprecated in Exchange Online, so what you see is likely a remnant of old cases.

    TL;DR version - you can ignore such entries, as they are handled by background tasks. If you need more info on Discovery mailboxes, read here: https://learn.microsoft.com/en-us/exchange/security-and-compliance/in-place-ediscovery/in-place-ediscovery

    0 comments No comments
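
An added example, not part of the original thread or of any Microsoft tooling: a triage function for exported mailbox-permission audit records that treats a FullAccess grant as expected only when the actor is the system service host and the target is a Discovery mailbox, and sends every other FullAccess grant to review. The field names (`Operation`, `UserId`, `ObjectId`, `Parameters`) are an assumption about how the exported records are laid out, the verdict names are hypothetical, and the sample records are constructed.

```python
# Assumed record layout: Operation, UserId, ObjectId, Parameters[{Name, Value}].
SYSTEM_ACTOR = r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)"
DISCOVERY_MARKER = "discoverysearchmailbox"
# Placeholder identity modelled on the one quoted in the question.
DISCOVERY_ID = ("EURPR0XA00X.prod.outlook.com/Microsoft Exchange Hosted Organizations/"
                "aaaa.onmicrosoft.com/DiscoverySearchMailbox{aaa-aaa-aaa-aaa-aaaa}")


def _rec(actor, target, rights="FullAccess"):
    """Build one constructed audit record for the sample set."""
    return {"Operation": "Add-MailboxPermission", "UserId": actor, "ObjectId": target,
            "Parameters": [{"Name": "AccessRights", "Value": rights}]}


# Constructed sample records (not real tenant data).
SAMPLE_RECORDS = [
    _rec(SYSTEM_ACTOR, DISCOVERY_ID),                   # background task, Discovery mailbox
    _rec(SYSTEM_ACTOR, "user1@example.com"),            # system actor, ordinary mailbox
    _rec("admin@example.com", DISCOVERY_ID),            # named admin, Discovery mailbox
    _rec(SYSTEM_ACTOR, DISCOVERY_ID, "ReadPermission"), # not a FullAccess grant
]


def triage(record):
    """Return 'expected-system', 'review' or 'out-of-scope' for one record."""
    if record.get("Operation") != "Add-MailboxPermission":
        return "out-of-scope"
    params = {p.get("Name"): p.get("Value", "") for p in record.get("Parameters", [])}
    rights = [r.strip() for r in params.get("AccessRights", "").split(",")]
    if "FullAccess" not in rights:
        return "out-of-scope"
    actor_is_system = record.get("UserId", "").strip().lower() == SYSTEM_ACTOR.lower()
    target_is_discovery = DISCOVERY_MARKER in record.get("ObjectId", "").lower()
    # Both conditions must hold: matching on the actor alone would also
    # suppress a system-attributed grant on an ordinary user mailbox.
    if actor_is_system and target_is_discovery:
        return "expected-system"
    return "review"


def triage_all(records):
    """Triage a list of records, preserving order."""
    return [triage(r) for r in records]


if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_RECORDS, triage_all(SAMPLE_RECORDS)):
        print(f"{verdict:16} {rec['UserId']} -> {rec['ObjectId']}")
```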