|
| 1 | +--- |
| 2 | +title: "mailboxConfigurationEvidence resource type" |
| 3 | +description: "Represents a mailbox configuration entity that is reported as part of the security detection alert." |
| 4 | +ms.date: 11/19/2025 |
| 5 | +author: "hareldamti" |
| 6 | +ms.localizationpriority: medium |
| 7 | +ms.subservice: "security" |
| 8 | +doc_type: resourcePageType |
| 9 | +--- |
| 10 | + |
| 11 | +# mailboxConfigurationEvidence resource type |
| 12 | + |
| 13 | +Namespace: microsoft.graph.security |
| 14 | + |
| 15 | +Represents a mailbox configuration entity that is reported as part of the security detection alert. |
| 16 | + |
| 17 | +Inherits from [alertEvidence](../resources/security-alertevidence.md), which represents evidence related to an [alert](security-alert.md). |
| 18 | + |
| 19 | +## Properties |
| 20 | +|Property|Type|Description| |
| 21 | +|:---|:---|:---| |
| 22 | +|configurationType|microsoft.graph.security.mailboxConfigurationType|The type of mailbox configuration. The possible values are: `mailForwardingRule`, `owaSettings`, `ewsSettings`, `mailDelegation`, `userInboxRule`, `unknownFutureValue`.| |
| 23 | +|configurationId|String|The unique identifier of the mailbox configuration.| |
| 24 | +|createdDateTime|DateTimeOffset|The date and time when the evidence was created and added to the alert. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from [alertEvidence](../resources/security-alertevidence.md).| |
| 25 | +|detailedRoles|String collection|Detailed roles of the evidence in the alert. Inherited from [alertEvidence](../resources/security-alertevidence.md).| |
| 26 | +|displayName|String|The display name of the mailbox.| |
| 27 | +|externalDirectoryObjectId|Guid|The external directory object identifier of the mailbox.| |
| 28 | +|mailboxPrimaryAddress|String|The primary email address of the mailbox.| |
| 29 | +|remediationStatus|[microsoft.graph.security.evidenceRemediationStatus](../resources/security-alertevidence.md#evidenceremediationstatus-values)|The status of the remediation action taken. The possible values are: `none`, `remediated`, `prevented`, `blocked`, `notFound`, `active`, `pendingApproval`, `declined`, `notRemediated`, `running`, `unknownFutureValue`. Inherited from [alertEvidence](../resources/security-alertevidence.md).| |
| 30 | +|remediationStatusDetails|String|Details about the remediation status. Inherited from [alertEvidence](../resources/security-alertevidence.md).| |
| 31 | +|roles|[microsoft.graph.security.evidenceRole](../resources/security-alertevidence.md#evidencerole-values) collection|One or more roles that an evidence entity represents in an alert. For example, an IP address that is associated with an attacker has the evidence role `Attacker`. Inherited from [alertEvidence](../resources/security-alertevidence.md).| |
| 32 | +|tags|String collection|Array of custom tags associated with an evidence instance. For example, to denote a group of devices or high value assets. Inherited from [alertEvidence](../resources/security-alertevidence.md).| |
| 33 | +|upn|String|The user principal name (UPN) of the mailbox.| |
| 34 | +|verdict|[microsoft.graph.security.evidenceVerdict](../resources/security-alertevidence.md#evidenceverdict-values)|The decision reached by automated investigation. The possible values are: `unknown`, `suspicious`, `malicious`, `noThreatsFound`, `unknownFutureValue`. Inherited from [alertEvidence](../resources/security-alertevidence.md).| |
| 35 | + |
| 36 | +## Relationships |
| 37 | +None. |
| 38 | + |
| 39 | +## JSON representation |
| 40 | +The following JSON representation shows the resource type. |
| 41 | +<!-- { |
| 42 | + "blockType": "resource", |
| 43 | + "@odata.type": "microsoft.graph.security.mailboxConfigurationEvidence", |
| 44 | + "baseType": "microsoft.graph.security.alertEvidence" |
| 45 | +} |
| 46 | +--> |
| 47 | +``` json |
| 48 | +{ |
| 49 | + "@odata.type": "#microsoft.graph.security.mailboxConfigurationEvidence", |
| 50 | + "createdDateTime": "String (timestamp)", |
| 51 | + "verdict": "String", |
| 52 | + "remediationStatus": "String", |
| 53 | + "remediationStatusDetails": "String", |
| 54 | + "roles": [ |
| 55 | + "String" |
| 56 | + ], |
| 57 | + "detailedRoles": [ |
| 58 | + "String" |
| 59 | + ], |
| 60 | + "tags": [ |
| 61 | + "String" |
| 62 | + ], |
| 63 | + "configurationType": "String", |
| 64 | + "mailboxPrimaryAddress": "String", |
| 65 | + "displayName": "String", |
| 66 | + "upn": "String", |
| 67 | + "configurationId": "String", |
| 68 | + "externalDirectoryObjectId": "String" |
| 69 | +} |
| 70 | +``` |
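Review bot: `externalDirectoryObjectId` is typed `Guid` in the Properties table (line 27) but appears as `"String"` in the JSON representation (line 68). Make the two agree, for example by changing the JSON line to `"externalDirectoryObjectId": "Guid"`. In the same table, `configurationType` (line 22) is the only enum-typed property whose type is not linked to a values section, unlike `remediationStatus`, `roles` and `verdict`. Link it, or add a section that documents the `mailboxConfigurationType` members. The `createdDateTime` description (line 24) says "The Timestamp type" while the Type column says `DateTimeOffset`, so the wording should name the declared type. The rows are otherwise alphabetical, so `configurationId` (line 23) should sort before `configurationType` (line 22).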