Since January 2019, Microsoft has enabled default mailbox auditing for all organizations, which logs a specific set of actions, known as default actions, for all logon types. However, activities like mailbox logins and folder bind operations aren't audited by default and require custom configuration. Also, default auditing only covers user, shared, and group mailboxes. To track activities in resource or public folder mailboxes, you must enable auditing manually.
To maintain complete visibility and meet compliance needs, keep auditing enabled for all mailboxes unless there's a valid reason to exclude one. Note that audit settings can only be managed through PowerShell, as the Microsoft 365 admin portals don't offer this option.
To track key actions like message deletions, moves, sends, and folder operations, you must enable mailbox audit logging. It records all activities performed by owners, delegates, and admins with details like event time and user identity. To enable auditing on a mailbox, run the following cmdlet in PowerShell.
Before executing it, make sure you are connected to Exchange Online through the Exchange Online PowerShell module.
This enables audit logging for the specified mailbox and begins tracking actions based on the default or customized audit logging configuration.
You can disable mailbox auditing for specific accounts, such as service or test mailboxes, when audit logs are not required. This helps reduce storage usage and keeps audit data focused on relevant activity. However, to completely stop audit logging for a mailbox, tenant-level settings must also be considered, as some audit actions may still be recorded even when auditing is disabled on the mailbox.
Proceed with caution: disabling audit logging for a mailbox means that no further activity from that mailbox will be recorded beyond the default audit actions.
To disable audit logging for a mailbox, execute the following cmdlet in Exchange Online PowerShell.
Run the following cmdlet to confirm whether audit logging changes have been applied to a specific mailbox.
Replace <user@contoso.com> with the email address of the mailbox you want to update.
If auditing is disabled on critical mailboxes either accidentally or intentionally, it creates blind spots in your audit trail. This can prevent timely detection of policy violations, data loss, or security breaches. That's why it's crucial to view and keep track of mailboxes with auditing disabled.
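One way to find these blind spots directly in Exchange Online PowerShell, as an added example that is not part of the original article: the script checks the tenant-level setting, lists every mailbox (including resource and public folder mailboxes) whose `AuditEnabled` property is off, and re-enables auditing only when asked. The `admin@contoso.com` account and the `-Remediate` switch are assumptions of this example.

```powershell
# Added example (not from the original page). Reports mailboxes whose AuditEnabled
# property is False and, only with -Remediate, turns auditing back on.
param(
    [string]$AdminUpn = 'admin@contoso.com',  # placeholder admin account (assumption)
    [switch]$Remediate                        # hypothetical switch of this script
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Tenant-level setting: True means auditing is turned off for the whole organization.
$org = Get-OrganizationConfig
Write-Host "Organization AuditDisabled: $($org.AuditDisabled)"

# Get-Mailbox omits public folder mailboxes unless -PublicFolder is used,
# so collect both sets. Resource mailboxes are already in the first set.
$mailboxes  = @(Get-Mailbox -ResultSize Unlimited)
$mailboxes += @(Get-Mailbox -PublicFolder -ResultSize Unlimited)

$notAudited = @($mailboxes | Where-Object { -not $_.AuditEnabled })

# Detail list, then a count per mailbox type.
$notAudited | Sort-Object RecipientTypeDetails, PrimarySmtpAddress |
    Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails, AuditEnabled |
    Format-Table -AutoSize | Out-Host
$notAudited | Group-Object RecipientTypeDetails |
    Select-Object Name, Count | Format-Table -AutoSize | Out-Host

if ($Remediate) {
    foreach ($mbx in $notAudited) {
        $params = @{ Identity = $mbx.ExchangeGuid.ToString(); AuditEnabled = $true }
        # Set-Mailbox needs -PublicFolder when the target is a public folder mailbox.
        if ($mbx.RecipientTypeDetails -eq 'PublicFolderMailbox') { $params.PublicFolder = $true }
        Set-Mailbox @params
        # Read the value back to confirm the change was applied.
        $check = @{ Identity = $params.Identity }
        if ($params.PublicFolder) { $check.PublicFolder = $true }
        Get-Mailbox @check | Select-Object PrimarySmtpAddress, AuditEnabled
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it without `-Remediate` first to review the list, since some mailboxes may have been excluded from auditing deliberately.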
To simplify this process, use AdminDroid's audit disabled mailboxes report to quickly spot mailboxes with auditing turned off and ensure nothing slips through the cracks!
- This report helps to identify non-audited mailboxes by recipient type, location, license status, and more, to ensure no mailbox is overlooked.
- Instantly identify when audit logging is turned off for critical mailboxes such as room mailboxes, shared mailboxes, or public folder mailboxes.