Audit enabled mailboxes in O365

Background: < 2 years experience in SMB. Full cloud exchange – Sync with Azure AD Connect.


Is there any drawbacks to enabling audits on every user in an organization? Or should this only be used in special cases?


Auditing enable by default supposedly:



I enabled audit log search, which I thought would enable per mailbox, it did not. Auditing I though was enabled by default now, it is not based on the last user I created verified with “Get-Mailbox “User M. Name” | FL Audit*” -> AuditEnabled: False.


I’m asking because this could becoming very useful where I work. Basically the commands listed here: [](


TL;DR – Is turning all mailbox auditing on for all users a good idea? This isn’t by default, what’s the easiest way to do this? I assume this command would enable just fine ” Set-OrganizationConfig -AuditDisabled $false”.


View Reddit by Hollow3dddView Source

5 thoughts on “Audit enabled mailboxes in O365

  1. cinom-rah says:

    no drawbacks! no cost! do it.

    I thought i heard MS was changing this to be enabled by default in the future, apparently we aren’t there yet.

    A few ways to do it.

    At first I used:

    Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq “UserMailbox”} | Set-Mailbox -AuditEnabled $true

    but that will error out on folks like “john smith” where there are more than one.

    So then I used:

    Get-mailbox -Filter {(RecipientTypeDetails -eq ‘UserMailbox’)} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

    The only caveat there is the default 1000 accounts returned so you have to add -resultsize unlimited if you have more:

    Get-mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq ‘UserMailbox’)} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

Leave a Reply

Your email address will not be published. Required fields are marked *