Mailbox Audit Enabling by default in O365

Most likely because they are being provisioned as mail users first, as part of the migration process. Let me ping few folks to confirm what is the expected behavior for migrated mailboxes.

Just in case, you do get audit enabled for any newly created cloud mailbox, right?

Mailbox auditing may be enabled at organization level but it is not enabled for mailboxes by default
U must enabled per mailbox if i recollect exactly

Vasil, I created a net new account in O365, and it looks like its disabled on new mailboxes also...

Get-Mailbox Fred.Flintstone@contoso.onmicrosoft.com | Select *Audit*

AuditEnabled     : False
AuditLogAgeLimit : 90.00:00:00

So it seems that although its set at the Org level, its not applying for some reason.

It not means that auditing is enabled at organization level is also enabled at mailbox level
When u enable auditing on mailbox, it add additional processing overheard per mailbox and hence Microsoft don't want to enable it by default
Organization level switch is entry point to decide whether you can use feature or not

Refer below link for details

https://docs.microsoft.com/en-us/office365/securitycompliance/enable-mailbox-auditing

I guess I am a little confused now...

My understanding, and I think its the same as Vasils, is that once we have AuditDisabled:$False set at the tenant Organizational level, it would be enabled for all mailboxes moving forward, for both new cloud only mailboxes as well as mailboxes that are Migrated in a Hybrid environment.  The difference being that perhaps its not rolled out or effective on all O365 tenants just yet', even if set at the org level.

Per your link, the confusing part is that its not really clear whether this HAS to be applied at a per mailbox level or whether the Org level change would suffice going forward.
 
" In Office 365, you can turn on mailbox audit logging to log mailbox access by mailbox owners, delegates, and administrators. By default, mailbox auditing in Office 365 isn't turned on. That means mailbox auditing events won't appear in the results when you search the Office 365 audit log for mailbox activity. But after you turn on mailbox audit logging for a user mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. "

In addition, here's the Roadmap item: https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=32224

Sadly, "launched" doesnt equal "rolled out completely" :)

Thanks for update

I just wanted to share another finding... If the mailbox has Audit Enabled = $True on-prem, when migrating the mailbox, the Audit Enabled flag remains enabled. So that's good... so basically as long as all mailboxes on-prem have Auditing enabled before migration, they will keep that setting. I think we are still waiting on our tenant to update as you mentioned Vasil, because net-new mailboxes created in Exchange Online don't have Auditing enabled by default yet.

Yup, I confirmed with the PG folks that the rollout has indeed not finished, as the Roadmap item would suggest. So you have to wait a bit.