Mailbox Audit Enabling by default in O365

Question, when moving mailboxes to Office 365 (Exchange Online), the mailboxes don't seem to have AuditEnabled $True on the mailboxes, although the Org. Config is set to enable it by default.  

Get-OrganizationConfig | Select AuditDisabled


Any ideas as to why? we basically want AuditEnabled $True on by default as posted here: Link without us having to run the command manually after every mailbox is migrated.

Get-Mailbox -Identity | FL *audit*

AuditEnabled     : False
AuditLogAgeLimit : 90.00:00:00

Christian HansUndecided... Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Vasil Michev (MVP)Commented:
Most likely because they are being provisioned as mail users first, as part of the migration process. Let me ping few folks to confirm what is the expected behavior for migrated mailboxes.

Just in case, you do get audit enabled for any newly created cloud mailbox, right?
Mailbox auditing may be enabled at organization level but it is not enabled for mailboxes by default
U must enabled per mailbox if i recollect exactly
Christian HansUndecided... Author Commented:
Vasil, I created a net new account in O365, and it looks like its disabled on new mailboxes also...

Get-Mailbox | Select *Audit*

AuditEnabled     : False
AuditLogAgeLimit : 90.00:00:00

So it seems that although its set at the Org level, its not applying for some reason.
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Vasil Michev (MVP)Commented:
Yeah, it seems like the rollout is not complete, even though the Roadmap says the feature is available already. FWIW, it does seem to be working OK in my tenant, so you just have to wait.
It not means that auditing is enabled at organization level is also enabled at mailbox level
When u enable auditing on mailbox, it add additional processing overheard per mailbox and hence Microsoft don't want to enable it by default
Organization level switch is entry point to decide whether you can use feature or not
Christian HansUndecided... Author Commented:
I guess I am a little confused now...

My understanding, and I think its the same as Vasils, is that once we have AuditDisabled:$False set at the tenant Organizational level, it would be enabled for all mailboxes moving forward, for both new cloud only mailboxes as well as mailboxes that are Migrated in a Hybrid environment.  The difference being that perhaps its not rolled out or effective on all O365 tenants just yet', even if set at the org level.

Per your link, the confusing part is that its not really clear whether this HAS to be applied at a per mailbox level or whether the Org level change would suffice going forward.
" In Office 365, you can turn on mailbox audit logging to log mailbox access by mailbox owners, delegates, and administrators. By default, mailbox auditing in Office 365 isn't turned on. That means mailbox auditing events won't appear in the results when you search the Office 365 audit log for mailbox activity. But after you turn on mailbox audit logging for a user mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. "
Vasil Michev (MVP)Commented:
@Mahesh, you have missed some news here it seems, this is rolling out for O365:

It does NOT have to be applied on per-mailbox level. But it seems like the rollout of this feature is not yet complete for all tenants, thus the issue Christian is facing.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Vasil Michev (MVP)Commented:
In addition, here's the Roadmap item:

Sadly, "launched" doesnt equal "rolled out completely" :)
Thanks for update
Christian HansUndecided... Author Commented:
I just wanted to share another finding... If the mailbox has Audit Enabled = $True on-prem, when migrating the mailbox, the Audit Enabled flag remains enabled. So that's good... so basically as long as all mailboxes on-prem have Auditing enabled before migration, they will keep that setting. I think we are still waiting on our tenant to update as you mentioned Vasil, because net-new mailboxes created in Exchange Online don't have Auditing enabled by default yet.
Vasil Michev (MVP)Commented:
Yup, I confirmed with the PG folks that the rollout has indeed not finished, as the Roadmap item would suggest. So you have to wait a bit.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Office

From novice to tech pro — start learning today.