Mailbox Audit Enabling by default in O365

Christian Hans
Question, when moving mailboxes to Office 365 (Exchange Online), the mailboxes don't seem to have AuditEnabled $True on the mailboxes, although the Org. Config is set to enable it by default.  

Get-OrganizationConfig | Select AuditDisabled

AuditDisabled
-------------
        False

Any ideas as to why? We basically want AuditEnabled $True on by default as posted here: Link without us having to run the command manually after every mailbox is migrated.

Get-Mailbox -Identity Joe@contoso.com | FL *audit*

AuditEnabled     : False
AuditLogAgeLimit : 90.00:00:00

Thanks
Most Valuable Expert 2015
Distinguished Expert 2018

Commented:
Most likely because they are being provisioned as mail users first, as part of the migration process. Let me ping a few folks to confirm what the expected behavior is for migrated mailboxes.

Just in case, you do get audit enabled for any newly created cloud mailbox, right?
Mahesh, Architect
Distinguished Expert 2018

Commented:
Mailbox auditing may be enabled at the organization level, but it is not enabled for mailboxes by default.
You must enable it per mailbox, if I recollect exactly.
Christian Hans, Undecided...

Author

Commented:
Vasil, I created a net new account in O365, and it looks like it's disabled on new mailboxes also...

Get-Mailbox Fred.Flintstone@contoso.onmicrosoft.com | Select *Audit*

AuditEnabled     : False
AuditLogAgeLimit : 90.00:00:00

So it seems that although it's set at the Org level, it's not applying for some reason.
Most Valuable Expert 2015
Distinguished Expert 2018
Commented:
Yeah, it seems like the rollout is not complete, even though the Roadmap says the feature is available already. FWIW, it does seem to be working OK in my tenant, so you just have to wait.
Mahesh, Architect
Distinguished Expert 2018

Commented:
It does not mean that because auditing is enabled at the organization level it is also enabled at the mailbox level.
When you enable auditing on a mailbox, it adds additional processing overhead per mailbox, and hence Microsoft doesn't want to enable it by default.
The organization-level switch is the entry point to decide whether you can use the feature or not.
Mahesh, Architect
Distinguished Expert 2018

Commented:
Christian Hans, Undecided...

Author

Commented:
I guess I am a little confused now...

My understanding, and I think it's the same as Vasil's, is that once we have AuditDisabled:$False set at the tenant Organizational level, it would be enabled for all mailboxes moving forward, for both new cloud-only mailboxes as well as mailboxes that are migrated in a Hybrid environment. The difference being that perhaps it's not rolled out or effective on all O365 tenants just yet, even if set at the org level.

Per your link, the confusing part is that it's not really clear whether this HAS to be applied at a per-mailbox level or whether the Org level change would suffice going forward.

"In Office 365, you can turn on mailbox audit logging to log mailbox access by mailbox owners, delegates, and administrators. By default, mailbox auditing in Office 365 isn't turned on. That means mailbox auditing events won't appear in the results when you search the Office 365 audit log for mailbox activity. But after you turn on mailbox audit logging for a user mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default."
Most Valuable Expert 2015
Distinguished Expert 2018
Commented:
@Mahesh, you have missed some news here it seems, this is rolling out for O365: https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Exchange-Mailbox-Auditing-will-be-enabled-by-default/ba-p/215171

It does NOT have to be applied on per-mailbox level. But it seems like the rollout of this feature is not yet complete for all tenants, thus the issue Christian is facing.
Most Valuable Expert 2015
Distinguished Expert 2018

Commented:
In addition, here's the Roadmap item: https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=32224

Sadly, "launched" doesn't equal "rolled out completely" :)
Mahesh, Architect
Distinguished Expert 2018

Commented:
Thanks for the update
Christian Hans, Undecided...

Author

Commented:
I just wanted to share another finding... If the mailbox has Audit Enabled = $True on-prem, when migrating the mailbox, the Audit Enabled flag remains enabled. So that's good... so basically as long as all mailboxes on-prem have Auditing enabled before migration, they will keep that setting. I think we are still waiting on our tenant to update as you mentioned Vasil, because net-new mailboxes created in Exchange Online don't have Auditing enabled by default yet.
Most Valuable Expert 2015
Distinguished Expert 2018

Commented:
Yup, I confirmed with the PG folks that the rollout has indeed not finished, as the Roadmap item would suggest. So you have to wait a bit.
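
The check discussed in this thread, as an added example that is not part of any participant's post: it compares the organization-level AuditDisabled switch with the per-mailbox AuditEnabled flag, records which mailboxes are still False, and previews a manual enable. It assumes an already connected Exchange Online PowerShell session; the function name Get-MailboxAuditGap and the report file name are made up for illustration.

```powershell
# Added example (not from the thread). Assumes a connected Exchange Online
# PowerShell session in which Get-OrganizationConfig, Get-Mailbox and
# Set-Mailbox are available. Get-MailboxAuditGap is a hypothetical helper.

function Get-MailboxAuditGap {
    # Emits one row per mailbox whose AuditEnabled flag is still False.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Mailbox
    )
    process {
        if (-not $Mailbox.AuditEnabled) {
            [pscustomobject]@{
                Identity             = $Mailbox.UserPrincipalName
                RecipientTypeDetails = $Mailbox.RecipientTypeDetails
                AuditEnabled         = $Mailbox.AuditEnabled
                AuditLogAgeLimit     = $Mailbox.AuditLogAgeLimit
                WhenCreated          = $Mailbox.WhenCreated
            }
        }
    }
}

# 1. Organization-level switch, as queried in the question.
$orgAuditDisabled = (Get-OrganizationConfig).AuditDisabled
Write-Host "Org AuditDisabled: $orgAuditDisabled"

# 2. Per-mailbox state: every mailbox where the flag is still False.
$gaps = @(Get-Mailbox -ResultSize Unlimited | Get-MailboxAuditGap)
Write-Host "Mailboxes with AuditEnabled = False: $($gaps.Count)"
$gaps | Sort-Object WhenCreated | Format-Table -AutoSize

# 3. Dated record, so a later run shows whether the default has reached the tenant.
$report = "MailboxAuditGap-{0:yyyyMMdd}.csv" -f (Get-Date)
$gaps | Export-Csv -Path $report -NoTypeInformation

# 4. Optional manual enable. -WhatIf only previews; remove it to apply.
foreach ($gap in $gaps) {
    Set-Mailbox -Identity $gap.Identity -AuditEnabled $true -WhatIf
}
```

Steps 2 to 4 can also be run in the on-premises Exchange Management Shell before a migration batch, since the thread reports that a mailbox with AuditEnabled set to $True on-prem keeps that setting after the move.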
