Audit enabled mailboxes in O365


Background: < 2 years experience in SMB. Full cloud exchange – Sync with Azure AD Connect.


Are there any drawbacks to enabling audits on every user in an organization? Or should this only be used in special cases?


Auditing is enabled by default, supposedly:

[https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Exchange-Mailbox-Auditing-will-be-enabled-by-default/ba-p/215171](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Exchange-Mailbox-Auditing-will-be-enabled-by-default/ba-p/215171)


I enabled audit log search, which I thought would enable auditing per mailbox; it did not. I thought auditing was enabled by default now, but it is not, based on the last user I created, verified with `Get-Mailbox "User M. Name" | FL Audit*` -> AuditEnabled: False.


I’m asking because this could become very useful where I work. Basically the commands listed here: [https://docs.microsoft.com/en-us/office365/securitycompliance/enable-mailbox-auditing](https://docs.microsoft.com/en-us/office365/securitycompliance/enable-mailbox-auditing)


TL;DR – Is turning on mailbox auditing for all users a good idea? This isn’t on by default; what’s the easiest way to do this? I assume this command would enable it just fine: `Set-OrganizationConfig -AuditDisabled $false`.




View Reddit by Hollow3ddd

5 thoughts on “Audit enabled mailboxes in O365”

  1. cinom-rah says:

    no drawbacks! no cost! do it.

    I thought I heard MS was changing this to be enabled by default in the future; apparently we aren’t there yet.

    A few ways to do it.

    At first I used:

    Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

    but that will error out on folks like “john smith” where there is more than one.

    So then I used:

    Get-Mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

    The only caveat there is the default 1000 accounts returned, so you have to add -ResultSize Unlimited if you have more:

    Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}
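
An added example, not part of the thread and not Microsoft's own script: it builds on the commands in the reply above by addressing each mailbox by its ExchangeGuid (so duplicate display names cannot collide), supporting a `-WhatIf` dry run, and re-checking afterwards which mailboxes still report `AuditEnabled: False`. The function name `Enable-MailboxAuditCoverage` is hypothetical, and an already connected Exchange Online PowerShell session is assumed.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session
# with permission to run Get-Mailbox, Set-Mailbox and Get-OrganizationConfig.
function Enable-MailboxAuditCoverage {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Organization-level switch the post asks about ($false = auditing not disabled).
    $orgAuditDisabled = (Get-OrganizationConfig).AuditDisabled

    # All user mailboxes; -ResultSize Unlimited avoids the default 1000 cap.
    $filter  = "RecipientTypeDetails -eq 'UserMailbox'"
    $pending = Get-Mailbox -ResultSize Unlimited -Filter $filter |
        Where-Object { -not $_.AuditEnabled }

    # Enable per mailbox, keyed on the unique ExchangeGuid instead of a name.
    $failed = foreach ($mbx in $pending) {
        $id = $mbx.ExchangeGuid.ToString()
        if ($PSCmdlet.ShouldProcess($mbx.UserPrincipalName, 'Set AuditEnabled to $true')) {
            try {
                Set-Mailbox -Identity $id -AuditEnabled $true -ErrorAction Stop
            }
            catch {
                # Record the failure and keep going with the remaining mailboxes.
                [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName
                    Error   = $_.Exception.Message
                }
            }
        }
    }

    # Verify: anything listed here still has per-mailbox auditing off.
    $remaining = Get-Mailbox -ResultSize Unlimited -Filter $filter |
        Where-Object { -not $_.AuditEnabled } |
        Select-Object UserPrincipalName, AuditEnabled

    [pscustomobject]@{
        OrgAuditDisabled = $orgAuditDisabled
        Attempted        = @($pending).Count
        Failed           = @($failed)
        StillDisabled    = @($remaining)
    }
}

# Dry run first: shows which mailboxes would be changed without changing them.
Enable-MailboxAuditCoverage -WhatIf
```

Run it again without `-WhatIf` to apply the change; an empty `StillDisabled` list in the returned object means every user mailbox now reports auditing as enabled.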
