Ensure mailbox auditing for all users is Enabled (Microsoft 365)
Enabling mailbox auditing in Exchange Online is a critical security and compliance measure, as it allows you to track changes made to user mailboxes and helps you investigate potential security incidents.
This action type also increases your overall Microsoft Secure Score.
Description
By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default.
Reasoning:
Starting in January 2019, Microsoft is turning on mailbox audit logging by default for all organizations.
This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged, and the corresponding mailbox audit records will be available when you search for them in the mailbox audit log. When mailbox auditing on by default is turned on for the organization, the AuditEnabled property for affected mailboxes won’t be changed from False to True. In other words, mailbox auditing on by default ignores the AuditEnabled property on mailboxes.
However, only certain mailbox types support auditing on by default: User Mailboxes, Shared Mailboxes, and Microsoft 365 Group Mailboxes. The remaining mailbox types require auditing to be turned on at the mailbox level: Resource Mailboxes, Public Folder Mailboxes, and the DiscoverySearch Mailbox.
Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing allows Microsoft 365 back office teams to run security operations, forensics, or general investigations on mailbox activities.
NOTE: Without advanced auditing (E5 function) the logs are limited to 90 days.
Prerequisite: You should have at least Microsoft Defender for Office 365 P1.
Steps to Implement:
To enable mailbox auditing for all users:
- Connect to Exchange Online using PowerShell by executing the command below:
Connect-ExchangeOnline
- Run the following PowerShell command:
Set-OrganizationConfig -AuditDisabled $false
- For each unconfigured mailbox of type Resource Mailbox, Public Folder Mailbox, or DiscoverySearch Mailbox, run:
Get-Mailbox -Filter "Name -eq 'MailBox name'" | Set-Mailbox -AuditEnabled $true
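The steps above can be combined into one pass that checks the organization setting, finds the mailbox types that are not covered by default auditing, and enables auditing only where it is still off. This is an added example, not part of the original guidance. It assumes an already connected Exchange Online session, and that "Resource Mailboxes" correspond to the RoomMailbox and EquipmentMailbox recipient types and the DiscoverySearch mailbox to DiscoveryMailbox.

```powershell
# Added example. Run after Connect-ExchangeOnline.
# Add -WhatIf to the Set-* calls to preview changes without applying them.

# 1. Organization-level switch: AuditDisabled must be False.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Host "Mailbox auditing is disabled at the organization level; enabling."
    Set-OrganizationConfig -AuditDisabled $false
}

# 2. Mailbox types that need AuditEnabled set per mailbox.
#    Assumption: resource mailboxes = RoomMailbox + EquipmentMailbox.
$standard = @(
    Get-Mailbox -RecipientTypeDetails RoomMailbox, EquipmentMailbox -ResultSize Unlimited
    Get-Mailbox -RecipientTypeDetails DiscoveryMailbox -ResultSize Unlimited
)
# Public folder mailboxes are only returned when -PublicFolder is specified.
$publicFolder = @(Get-Mailbox -PublicFolder -ResultSize Unlimited)

# 3. Enable auditing only where it is currently off, and record each change.
$changed = @()
foreach ($mbx in ($standard | Where-Object { -not $_.AuditEnabled })) {
    Set-Mailbox -Identity $mbx.DistinguishedName -AuditEnabled $true
    $changed += $mbx
}
foreach ($mbx in ($publicFolder | Where-Object { -not $_.AuditEnabled })) {
    # -PublicFolder is required to modify a public folder mailbox.
    Set-Mailbox -Identity $mbx.DistinguishedName -PublicFolder -AuditEnabled $true
    $changed += $mbx
}

# 4. Report what was changed, then verify the organization setting.
$changed | Select-Object Name, RecipientTypeDetails | Format-Table -AutoSize
Get-OrganizationConfig | Format-List AuditDisabled
```

User, shared, and Microsoft 365 Group mailboxes are left out on purpose: their AuditEnabled property is ignored while auditing on by default is active, so its value does not indicate a gap.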