O365: Enable mailbox auditing for all mailboxes

Optimising your O365 environment:

Description

Mailbox auditing allows you to discover illicit activities performed in an Exchange Online mailbox, whether by an attacker because of a compromised account or by a malicious insider who has delegate access.

You should configure mailbox audit logging for all mailboxes in your tenant so that audit events are being logged, and are also sent to the Unified Audit Log.

Additional, regularly report on mailboxes that do not have both audit logging enabled and events sent to the Unified Audit Log.

Enable mailbox audit logging for all mailboxes

If not disabled at the tenant level, mailbox audit logging is enabled by default for all user, shared, and Microsoft 365 Group mailboxes. Audit logging must be manually enabled for resource mailboxes and discovery search mailboxes in the organisation.

Ensure audit events are sent to the Unified Audit Log

Audit events for user mailboxes licenced with Office 365 E5/A5 and all Group mailboxes are automatically sent to the Unified Audit Log, while audit events for all other mailboxes that are enabled by default will be sent to the Unified Audit Log if audit logging is explicitly enabled for those mailboxes.

When mailbox audit logging is manually enabled for resource and discovery search mailboxes, their audit events are sent to the Unified Audit Log.

As part of the provisioning process, manually enable audit logging for any mailbox that is not enabled by default, and also explicitly enable audit logging for any mailbox that is enabled by default but will not have its audit events go to the Unified Audit Log (per the information above).  This will ensure that you can search for activities across all mailboxes using Microsoft 365 Audit Log Search in the Security & Compliance Center.  It is also a requirement if you want mailbox audit events to be available for download into a SIEM (via the Office 365 Management Activity API).

Remediation

If mailbox audit logging has been disabled at the tenant level, run the following command to enable it:

To easily configure mailbox audit logging for all mailboxes that require it, you can run the Configure-MailboxAuditing.ps1 script that is available at https://github.com/o365soa/Scripts. The script should be run on a regular basis to ensure new mailboxes are correctly configured so that their audit events are sent to the Unified Audit Log.

If you prefer to do this configuration manually, to manually enable audit logging for all mailboxes that are not enabled by default, and explicitly enable audit logging for those that are enabled by default but whose events are not being sent to the Unified Audit Log, run the following command:

Note: You must use a server-side filter to make Exchange Online determine which mailboxes have not been explicitly enabled because the value of the AuditEnabled property will always be True for mailboxes covered by global auditing.

To report on mailboxes that do not have audit logging enabled or do have audit logging enabled but whose events are not going to the Unified Audit Log, you can run the first part of the previous command:

Thank you to Microsoft for the content