Feedback by UserVoice

How can we improve compliance or protect your users better in Office 365?

← Office 365 Security & Compliance

Make sure that Exchange Online mailboxes are enabled for auditing

The big problem with mailbox auditing – for both Exchange on-premises and Exchange Online – is that you must enable it for mailboxes to start recording audit events. If you do not enable auditing for a mailbox, Exchange assumes that you don’t care about what’s going on and captures nothing. When the time comes to search the Office 365 audit log, you get a big fat blank. Microsoft should either enable all EXO mailboxes for auditing or allow tenants to update mailbox plans to ensure that new mailboxes are enabled upon creation.

470 votes
Vote
Sign in
(thinking…)
Sign in with: Facebook Google
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Anonymous shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

21 comments

Sign in
(thinking…)
Sign in with: Facebook Google
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Andy Swiffin commented  ·   ·  Flag as inappropriate

    Over 3 years and still no action on this. If you look at a user with powershell it tells you it's '$true' but there are no logs in the portal but there are in powershell. If you set it to $false it says "the command ran but no changes were made" - hmmm something very broken here. Then when you set it $true it finally works. We shouldn't have to do this!!

  • Drew commented  ·   ·  Flag as inappropriate

    Exchange Online email auditing is a total joke. Now Microsoft is requiring an E5 license to search logging in the SCC. If you turned it on for your E3 users they are now grandfathered in. However, if you didn't they will need an E5 licensing. This is nothing short of extortion from Microsoft, forcing companies to E5. Terribly unethical!

  • Rick P commented  ·   ·  Flag as inappropriate

    If not on by default (which is the obvious answer) having an ability to flip one switch instead of Get-Mailbox -Filter {AuditEnabled -eq $False} -RecipientTypeDetails UserMailbox, SharedMailbox | Set-Mailbox -AuditEnabled $True –AuditDelegate Create, FolderBind, SendAs, SendOnBehalf, SoftDelete, HardDelete, Update, Move, MoveToDeletedItems (and then manually enabling for each created mailbox thereafter).

    Get Bill Gates in here!

  • Peter Hurst commented  ·   ·  Flag as inappropriate

    On large tenancies it's particularly difficult to backfit with the recommended solution as the number of mailboxes exceed the maximum allowed.

  • Brian T. Grant commented  ·   ·  Flag as inappropriate

    even if it gets enabled by default that is only one step as I understand that is only basic auditing.
    Owner, Admin & delegate with extended parameters should be applied by you.

  • Hasan commented  ·   ·  Flag as inappropriate

    By deafult it should be enabled when mailbox created in Office365 or migrated from Onprem to Office365

  • Anonymous commented  ·   ·  Flag as inappropriate

    I agree, that will be great to have the option to enable auditing when creating user account. that will be very useful.

  • kaveh commented  ·   ·  Flag as inappropriate

    noticed Set-MailboxPlan has an '-AuditEnabled' switch already, just that its currently reserved for internal use... c'mon guys!

  • kaveh commented  ·   ·  Flag as inappropriate

    Yes the issue is we dont use powershell to create users, and need this enabled for new mailboxes that are created.

  • Matt commented  ·   ·  Flag as inappropriate

    How is this not done yet? Having the option to enable/disable auditing by default on the tenant has been being asked for for years now. Cmon MS...

  • Ryan Pizzi commented  ·   ·  Flag as inappropriate

    Very much agreed on this. I'm told that ASM (Now CAS) required mailbox auditing to become useful at all. If this is a requirement, I'm sure we'd all appreciate a method to have mailboxes start out with auditing enabled (and perhaps what to audit).

  • Richard commented  ·   ·  Flag as inappropriate

    There are numerous tickets with varying amounts of votes that are all asking for the same thing:

    Give us the ability to enable mailbox auditing by default for every account in AAD.

    Even better, let us specify mailbox auditing policies hierarchically, as in GPOs. We should be using AAD as the source of truth on user objects, including mailboxes. I don't get why this is a per-user Powershell-only option right now. Seriously it confounds us.

  • James Reed commented  ·   ·  Flag as inappropriate

    This needs to be done on all mailboxes, inclusive of the underlying O365 Group mailboxes.
    This should be the default setting for all, so there would be no reason it randomly disables or certain elements get removed from auditing.

← Previous 1

Office 365 Security & Compliance: Auditing

Categories

Feedback and Knowledge Base

(thinking…)

Related Sites